CVE-2021-21322

Published: Mar 2, 2021

Modified: Aug 3, 2024

PUBLISHED

CVSS v3.1

10.0

CRITICAL

Description

fastify-http-proxy is an npm package which is a fastify plugin for proxying your http requests to another server, with hooks. By crafting a specific URL, it is possible to escape the prefix of the proxied backend service. If the base url of the proxied server is `/pub/`, a user expect that accessing `/priv` on the target service would not be possible. In affected versions, it is possible. This is fixed in version 4.3.1.

Vendor	Product	Versions
fastify	fastify-http-proxy	affected `< 4.3.1`

Weaknesses (CWE)

CWE-20

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

None

References

https://github.com/fastify/fastify-http-proxy/security/advisories/GHSA-c4qr-gmr9-v23w

x_refsource_CONFIRM

https://www.npmjs.com/package/fastify-http-proxy

x_refsource_MISC

https://github.com/fastify/fastify-http-proxy/commit/02d9b43c770aa16bc44470edecfaeb7c17985016

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2021-21322

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References