CVE-2021-39192 – ghost
Package
Manager: npm
Name: ghost
Vulnerable Version: >=4.0.0 <4.10.0
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00394 pctl0.59527
Details
Privilege escalation: all users can access Admin-level API keys

Impact
An error in the implementation of the limits service, introduced in 4.0.0, allows all authenticated users (including contributors) to view admin-level API keys via the integrations API endpoint, leading to a privilege escalation vulnerability. Ghost(Pro) has already been patched. Self-hosters are impacted if running a Ghost version between 4.0.0 and 4.9.4. Immediate action should be taken to secure your site; see the patches and workarounds below. It is highly recommended to regenerate all API keys after patching or applying the workaround, since any key a non-administrator could have read must be treated as compromised.

Patches
Fixed in 4.10.0; all 4.x sites should upgrade as soon as possible.

Workarounds
- Disable all non-Administrator accounts to prevent API access.

For more information
If you have any questions or comments about this advisory:
* email us at security@ghost.org

Credits: Aden Yap Chuen Zhen, BAE Systems Applied Intelligence (Malaysia)
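The following is an added example for self-hosters, not code from Ghost or from the advisory. It does two things a practitioner wants when triaging this advisory: decide whether a reported Ghost version falls in the vulnerable range (>=4.0.0 <4.10.0), and audit a JSON body returned by the Admin integrations endpoint to a non-administrator session for exposed admin-level API key secrets, returning which keys need regenerating. The response shape (integrations[].api_keys[] with type and secret fields), the role name strings and the sample values are assumptions modelled on the public Admin API, not copied from Ghost's source.

```javascript
// Added example (not Ghost's code). Two checks for GHSA-j5c2-hm46-wp5c:
//  1. isVulnerableVersion(): is a Ghost version inside >=4.0.0 <4.10.0?
//  2. auditIntegrationsResponse(): given the body the Admin integrations
//     endpoint returned to a NON-administrator session, list admin-key
//     secrets that should not have been visible.
// The response shape and role names below are assumptions, not Ghost internals.

function parseVersion(v) {
  // Accepts "4.9.4", "v4.9.4", "4.9.4-beta.1"; pre-release/build tags are ignored.
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Vulnerable range stated by the advisory: >=4.0.0 and <4.10.0.
function isVulnerableVersion(version) {
  return compareVersions(version, '4.0.0') >= 0 &&
         compareVersions(version, '4.10.0') < 0;
}

// Returns [{integration, keyId}] for every admin-type key whose secret is
// present in a response served to a non-administrator. Administrators are
// entitled to see keys, so their sessions produce no findings.
function auditIntegrationsResponse(body, sessionRole) {
  const leaks = [];
  if (sessionRole === 'Administrator') return leaks;
  for (const integ of body.integrations || []) {
    for (const key of integ.api_keys || []) {
      const secretPresent = typeof key.secret === 'string' && key.secret.length > 0;
      if (key.type === 'admin' && secretPresent) {
        leaks.push({ integration: integ.name, keyId: key.id });
      }
    }
  }
  return leaks;
}

// Constructed sample (all values made up): what a contributor session might
// receive from an unpatched instance.
const sampleResponse = {
  integrations: [
    {
      id: 'int-1',
      name: 'Zapier',
      api_keys: [
        { id: 'key-1', type: 'content', secret: 'contentkeyexample' },
        { id: 'key-2', type: 'admin', secret: 'keyid:adminsecretexample' },
      ],
    },
    { id: 'int-2', name: 'Empty integration', api_keys: [] },
  ],
};

function report(version, body, role) {
  const lines = [];
  lines.push(`Ghost ${version}: ${isVulnerableVersion(version) ? 'VULNERABLE, upgrade to 4.10.0+' : 'outside advisory range'}`);
  for (const leak of auditIntegrationsResponse(body, role)) {
    lines.push(`admin key ${leak.keyId} of "${leak.integration}" visible to ${role}: regenerate it`);
  }
  return lines;
}

console.log(report('4.9.4', sampleResponse, 'Contributor').join('\n'));
```

Feed auditIntegrationsResponse the saved body of a request made with a contributor or author session; any finding means that key was readable by a low-privilege user and must be rotated regardless of whether the instance has since been upgraded.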
Metadata
Created: 2021-07-22T19:43:16Z
Modified: 2021-09-03T20:23:05Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/07/GHSA-j5c2-hm46-wp5c/GHSA-j5c2-hm46-wp5c.json
CWE IDs: ["CWE-200", "CWE-269"]
Alternative ID: GHSA-j5c2-hm46-wp5c
Finding: F159
Auto approve: 1