CVE-2021-21032 - Vulnerability Details

Vendors	Products
Magento	Magento

Link	Providers
https://helpx.adobe.com/security/products/magento/apsb21-08.html

Show plain JSON

{"containers": {"cna": {"affected": [{"product": "Magento Commerce", "vendor": "Adobe", "versions": [{"lessThanOrEqual": "2.4.1", "status": "affected", "version": "unspecified", "versionType": "custom"}, {"lessThanOrEqual": "2.4.0-p1", "status": "affected", "version": "unspecified", "versionType": "custom"}, {"lessThanOrEqual": "2.3.6", "status": "affected", "version": "unspecified", "versionType": "custom"}, {"lessThanOrEqual": "None", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "datePublic": "2021-02-09T00:00:00", "descriptions": [{"lang": "en", "value": "Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) do not adequately invalidate user sessions. Successful exploitation of this issue could lead to unauthorized access to restricted resources. Access to the admin console is not required for successful exploitation."}], "metrics": [{"cvssV3_0": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-613", "description": "Insufficient Session Expiration (CWE-613)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-02-11T19:29:32", "orgId": "078d4453-3bcd-4900-85e6-15281da43538", "shortName": "adobe"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://helpx.adobe.com/security/products/magento/apsb21-08.html"}], "source": {"discovery": "EXTERNAL"}, "title": "Magento Commerce Failure To Invalidate User Session Could Lead To Unauthorized Access", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "psirt@adobe.com", "DATE_PUBLIC": "2021-02-09T23:00:00.000Z", "ID": "CVE-2021-21032", "STATE": "PUBLIC", "TITLE": "Magento Commerce Failure To Invalidate User Session Could Lead To Unauthorized Access"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Magento Commerce", "version": {"version_data": [{"version_affected": "<=", "version_value": "2.4.1"}, {"version_affected": "<=", "version_value": "2.4.0-p1"}, {"version_affected": "<=", "version_value": "2.3.6"}, {"version_affected": "<=", "version_value": "None"}]}}]}, "vendor_name": "Adobe"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) do not adequately invalidate user sessions. Successful exploitation of this issue could lead to unauthorized access to restricted resources. Access to the admin console is not required for successful exploitation."}]}, "impact": {"cvss": {"attackComplexity": "None", "attackVector": "None", "availabilityImpact": "None", "baseScore": 5.7, "baseSeverity": "Medium", "confidentialityImpact": "None", "integrityImpact": "None", "privilegesRequired": "None", "scope": "None", "userInteraction": "None", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Insufficient Session Expiration (CWE-613)"}]}]}, "references": {"reference_data": [{"name": "https://helpx.adobe.com/security/products/magento/apsb21-08.html", "refsource": "MISC", "url": "https://helpx.adobe.com/security/products/magento/apsb21-08.html"}]}, "source": {"discovery": "EXTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T18:01:12.490Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://helpx.adobe.com/security/products/magento/apsb21-08.html"}]}]}, "cveMetadata": {"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538", "assignerShortName": "adobe", "cveId": "CVE-2021-21032", "datePublished": "2021-02-11T19:29:32.196685Z", "dateReserved": "2020-12-18T00:00:00", "dateUpdated": "2024-09-17T04:18:49.706Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{

containers : { »

cna : { »

affected : [ »

0 : { »

product : Magento Commerce (string)

vendor : Adobe (string)

versions : [ »

0 : { »

lessThanOrEqual : 2.4.1 (string)

status : affected (string)

version : unspecified (string)

versionType : custom (string)

}

1 : { »

lessThanOrEqual : 2.4.0-p1 (string)

status : affected (string)

version : unspecified (string)

versionType : custom (string)

}

2 : { »

lessThanOrEqual : 2.3.6 (string)

status : affected (string)

version : unspecified (string)

versionType : custom (string)

}

3 : { »

lessThanOrEqual : None (string)

status : affected (string)

version : unspecified (string)

versionType : custom (string)

}

]

}

]

datePublic : 2021-02-09T00:00:00 (string)

descriptions : [ »

0 : { »

lang : en (string)

value : Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) do not adequately invalidate user sessions. Successful exploitation of this issue could lead to unauthorized access to restricted resources. Access to the admin console is not required for successful exploitation. (string)

}

]

metrics : [ »

0 : { »

cvssV3_0 : { »

attackComplexity : HIGH (string)

attackVector : NETWORK (string)

availabilityImpact : LOW (string)

baseScore : 5.6 (number)

baseSeverity : MEDIUM (string)

confidentialityImpact : LOW (string)

integrityImpact : LOW (string)

privilegesRequired : NONE (string)

scope : UNCHANGED (string)

userInteraction : NONE (string)

vectorString : CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L (string)

version : 3.0 (string)

}

]

problemTypes : [ »

0 : { »

descriptions : [ »

0 : { »

cweId : CWE-613 (string)

description : Insufficient Session Expiration (CWE-613) (string)

lang : en (string)

type : CWE (string)

}

]

}

]

providerMetadata : { »

dateUpdated : 2021-02-11T19:29:32 (string)

orgId : 078d4453-3bcd-4900-85e6-15281da43538 (string)

shortName : adobe (string)

}

references : [ »

0 : { »

tags : [ »

0 : x_refsource_MISC (string)

]

url : https://helpx.adobe.com/security/products/magento/apsb21-08.html (string)

}

]

source : { »

discovery : EXTERNAL (string)

}

title : Magento Commerce Failure To Invalidate User Session Could Lead To Unauthorized Access (string)

x_legacyV4Record : { »

CVE_data_meta : { »

ASSIGNER : psirt@adobe.com (string)

DATE_PUBLIC : 2021-02-09T23:00:00.000Z (string)

ID : CVE-2021-21032 (string)

STATE : PUBLIC (string)

TITLE : Magento Commerce Failure To Invalidate User Session Could Lead To Unauthorized Access (string)

}

affects : { »

vendor : { »

vendor_data : [ »

0 : { »

product : { »

product_data : [ »

0 : { »

product_name : Magento Commerce (string)

version : { »

version_data : [ »

0 : { »

version_affected : <= (string)

version_value : 2.4.1 (string)

}

1 : { »

version_affected : <= (string)

version_value : 2.4.0-p1 (string)

}

2 : { »

version_affected : <= (string)

version_value : 2.3.6 (string)

}

3 : { »

version_affected : <= (string)

version_value : None (string)

}

]

}

]

}

vendor_name : Adobe (string)

}

]

}

data_format : MITRE (string)

data_type : CVE (string)

data_version : 4.0 (string)

description : { »

description_data : [ »

0 : { »

lang : eng (string)

value : Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) do not adequately invalidate user sessions. Successful exploitation of this issue could lead to unauthorized access to restricted resources. Access to the admin console is not required for successful exploitation. (string)

}

]

}

impact : { »

cvss : { »

attackComplexity : None (string)

attackVector : None (string)

availabilityImpact : None (string)

baseScore : 5.7 (number)

baseSeverity : Medium (string)

confidentialityImpact : None (string)

integrityImpact : None (string)

privilegesRequired : None (string)

scope : None (string)

userInteraction : None (string)

vectorString : CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L (string)

version : 3.1 (string)

}

problemtype : { »

problemtype_data : [ »

0 : { »

description : [ »

0 : { »

lang : eng (string)

value : Insufficient Session Expiration (CWE-613) (string)

}

]

}

]

}

references : { »

reference_data : [ »

0 : { »

name : https://helpx.adobe.com/security/products/magento/apsb21-08.html (string)

refsource : MISC (string)

url : https://helpx.adobe.com/security/products/magento/apsb21-08.html (string)

}

]

}

source : { »

discovery : EXTERNAL (string)

}

adp : [ »

0 : { »

providerMetadata : { »

orgId : af854a3a-2127-422b-91ae-364da2661108 (string)

shortName : CVE (string)

dateUpdated : 2024-08-03T18:01:12.490Z (string)

}

title : CVE Program Container (string)

references : [ »

0 : { »

tags : [ »

0 : x_refsource_MISC (string)

1 : x_transferred (string)

]

url : https://helpx.adobe.com/security/products/magento/apsb21-08.html (string)

}

]

}

]

}

cveMetadata : { »

assignerOrgId : 078d4453-3bcd-4900-85e6-15281da43538 (string)

assignerShortName : adobe (string)

cveId : CVE-2021-21032 (string)

datePublished : 2021-02-11T19:29:32.196685Z (string)

dateReserved : 2020-12-18T00:00:00 (string)

dateUpdated : 2024-09-17T04:18:49.706Z (string)

state : PUBLISHED (string)

}

dataType : CVE_RECORD (string)

dataVersion : 5.1 (string)

}

Show plain JSON

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:magento:magento:*:*:*:*:commerce:*:*:*", "matchCriteriaId": "14B6B496-E849-4935-B3D8-8BDB8DDD59A3", "versionEndExcluding": "2.3.6", "vulnerable": true}, {"criteria": "cpe:2.3:a:magento:magento:*:*:*:*:open_source:*:*:*", "matchCriteriaId": "79C3A2B0-AE14-4D0F-BEE2-82FC00BE6087", "versionEndExcluding": "2.3.6", "vulnerable": true}, {"criteria": "cpe:2.3:a:magento:magento:2.3.6:-:*:*:commerce:*:*:*", "matchCriteriaId": "F9C60780-1213-4D06-A4C4-CC915C952B7B", "vulnerable": true}, {"criteria": "cpe:2.3:a:magento:magento:2.3.6:-:*:*:open_source:*:*:*", "matchCriteriaId": "3CCEDD72-7195-495C-A9B6-9D18BA9756F7", "vulnerable": true}, {"criteria": "cpe:2.3:a:magento:magento:2.4.0:-:*:*:commerce:*:*:*", "matchCriteriaId": "05F799AA-CDC0-409F-BB7E-CB941D6FB189", "vulnerable": true}, {"criteria": "cpe:2.3:a:magento:magento:2.4.0:-:*:*:open_source:*:*:*", "matchCriteriaId": "600AA27A-D2A8-41C3-8631-74ECF7453E78", "vulnerable": true}, {"criteria": "cpe:2.3:a:magento:magento:2.4.0:p1:*:*:commerce:*:*:*", "matchCriteriaId": "67683B07-34CD-4DD2-A6C9-C71733007397", "vulnerable": true}, {"criteria": "cpe:2.3:a:magento:magento:2.4.0:p1:*:*:open_source:*:*:*", "matchCriteriaId": "ECA32B69-E9D8-4C01-ACDC-E0F885D937FB", "vulnerable": true}, {"criteria": "cpe:2.3:a:magento:magento:2.4.1:-:*:*:commerce:*:*:*", "matchCriteriaId": "80860D39-0D51-47B3-BA92-F473ADA1BBC3", "vulnerable": true}, {"criteria": "cpe:2.3:a:magento:magento:2.4.1:-:*:*:open_source:*:*:*", "matchCriteriaId": "2ADFE661-AB9C-4387-AC4F-D14A0717C2B8", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) do not adequately invalidate user sessions. Successful exploitation of this issue could lead to unauthorized access to restricted resources. Access to the admin console is not required for successful exploitation."}, {"lang": "es", "value": "Magento versiones 2.4.1 (y anteriores), versiones 2.4.0-p1 (y anteriores) y versiones 2.3.6 (y anteriores), no invalidan adecuadamente las sesiones de usuario.&#xa0;Una explotaci\u00f3n con \u00e9xito de este problema podr\u00eda conllevar a un acceso no autorizado a recursos restringidos.&#xa0;No es requerido un acceso a la consola de administraci\u00f3n para una explotaci\u00f3n con \u00e9xito"}], "id": "CVE-2021-21032", "lastModified": "2024-11-21T05:47:26.243", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 3.4, "source": "psirt@adobe.com", "type": "Secondary"}]}, "published": "2021-02-11T20:15:14.950", "references": [{"source": "psirt@adobe.com", "tags": ["Vendor Advisory"], "url": "https://helpx.adobe.com/security/products/magento/apsb21-08.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://helpx.adobe.com/security/products/magento/apsb21-08.html"}], "sourceIdentifier": "psirt@adobe.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-613"}], "source": "psirt@adobe.com", "type": "Secondary"}]}

{

configurations : [ »

0 : { »

nodes : [ »

0 : { »

cpeMatch : [ »

0 : { »

criteria : cpe:2.3:a:magento:magento:*:*:*:*:commerce:*:*:* (string)

matchCriteriaId : 14B6B496-E849-4935-B3D8-8BDB8DDD59A3 (string)

versionEndExcluding : 2.3.6 (string)

vulnerable : true (boolean)

}

1 : { »

criteria : cpe:2.3:a:magento:magento:*:*:*:*:open_source:*:*:* (string)

matchCriteriaId : 79C3A2B0-AE14-4D0F-BEE2-82FC00BE6087 (string)

versionEndExcluding : 2.3.6 (string)

vulnerable : true (boolean)

}

2 : { »

criteria : cpe:2.3:a:magento:magento:2.3.6:-:*:*:commerce:*:*:* (string)

matchCriteriaId : F9C60780-1213-4D06-A4C4-CC915C952B7B (string)

vulnerable : true (boolean)

}

3 : { »

criteria : cpe:2.3:a:magento:magento:2.3.6:-:*:*:open_source:*:*:* (string)

matchCriteriaId : 3CCEDD72-7195-495C-A9B6-9D18BA9756F7 (string)

vulnerable : true (boolean)

}

4 : { »

criteria : cpe:2.3:a:magento:magento:2.4.0:-:*:*:commerce:*:*:* (string)

matchCriteriaId : 05F799AA-CDC0-409F-BB7E-CB941D6FB189 (string)

vulnerable : true (boolean)

}

5 : { »

criteria : cpe:2.3:a:magento:magento:2.4.0:-:*:*:open_source:*:*:* (string)

matchCriteriaId : 600AA27A-D2A8-41C3-8631-74ECF7453E78 (string)

vulnerable : true (boolean)

}

6 : { »

criteria : cpe:2.3:a:magento:magento:2.4.0:p1:*:*:commerce:*:*:* (string)

matchCriteriaId : 67683B07-34CD-4DD2-A6C9-C71733007397 (string)

vulnerable : true (boolean)

}

7 : { »

criteria : cpe:2.3:a:magento:magento:2.4.0:p1:*:*:open_source:*:*:* (string)

matchCriteriaId : ECA32B69-E9D8-4C01-ACDC-E0F885D937FB (string)

vulnerable : true (boolean)

}

8 : { »

criteria : cpe:2.3:a:magento:magento:2.4.1:-:*:*:commerce:*:*:* (string)

matchCriteriaId : 80860D39-0D51-47B3-BA92-F473ADA1BBC3 (string)

vulnerable : true (boolean)

}

9 : { »

criteria : cpe:2.3:a:magento:magento:2.4.1:-:*:*:open_source:*:*:* (string)

matchCriteriaId : 2ADFE661-AB9C-4387-AC4F-D14A0717C2B8 (string)

vulnerable : true (boolean)

}

]

negate : false (boolean)

operator : OR (string)

}

]

}

]

descriptions : [ »

0 : { »

lang : en (string)

value : Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) do not adequately invalidate user sessions. Successful exploitation of this issue could lead to unauthorized access to restricted resources. Access to the admin console is not required for successful exploitation. (string)

}

1 : { »

lang : es (string)

value : Magento versiones 2.4.1 (y anteriores), versiones 2.4.0-p1 (y anteriores) y versiones 2.3.6 (y anteriores), no invalidan adecuadamente las sesiones de usuario. Una explotación con éxito de este problema podría conllevar a un acceso no autorizado a recursos restringidos. No es requerido un acceso a la consola de administración para una explotación con éxito (string)

}

]

id : CVE-2021-21032 (string)

lastModified : 2024-11-21T05:47:26.243 (string)

metrics : { »

cvssMetricV2 : [ »

0 : { »

acInsufInfo : false (boolean)

baseSeverity : HIGH (string)

cvssData : { »

accessComplexity : LOW (string)

accessVector : NETWORK (string)

authentication : NONE (string)

availabilityImpact : PARTIAL (string)

baseScore : 7.5 (number)

confidentialityImpact : PARTIAL (string)

integrityImpact : PARTIAL (string)

vectorString : AV:N/AC:L/Au:N/C:P/I:P/A:P (string)

version : 2.0 (string)

}

exploitabilityScore : 10 (number)

impactScore : 6.4 (number)

obtainAllPrivilege : false (boolean)

obtainOtherPrivilege : false (boolean)

obtainUserPrivilege : false (boolean)

source : nvd@nist.gov (string)

type : Primary (string)

userInteractionRequired : false (boolean)

}

]

cvssMetricV30 : [ »

0 : { »

cvssData : { »

attackComplexity : HIGH (string)

attackVector : NETWORK (string)

availabilityImpact : LOW (string)

baseScore : 5.6 (number)

baseSeverity : MEDIUM (string)

confidentialityImpact : LOW (string)

integrityImpact : LOW (string)

privilegesRequired : NONE (string)

scope : UNCHANGED (string)

userInteraction : NONE (string)

vectorString : CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L (string)

version : 3.0 (string)

}

exploitabilityScore : 2.2 (number)

impactScore : 3.4 (number)

source : psirt@adobe.com (string)

type : Secondary (string)

}

]

}

published : 2021-02-11T20:15:14.950 (string)

references : [ »

0 : { »

source : psirt@adobe.com (string)

tags : [ »

0 : Vendor Advisory (string)

]

url : https://helpx.adobe.com/security/products/magento/apsb21-08.html (string)

}

1 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Vendor Advisory (string)

]

url : https://helpx.adobe.com/security/products/magento/apsb21-08.html (string)

}

]

sourceIdentifier : psirt@adobe.com (string)

vulnStatus : Modified (string)

weaknesses : [ »

0 : { »

description : [ »

0 : { »

lang : en (string)

value : CWE-613 (string)

}

]

source : psirt@adobe.com (string)

type : Secondary (string)

}

]

}

Metrics

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object