CVE-2021-20778 - OpenCVE

Improper access control vulnerability in EC-CUBE 4.0.6 (EC-CUBE 4 series) allows a remote attacker to bypass access restriction and obtain sensitive information via unspecified vectors.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Ec-cube	Ec-cube

Configuration 1 [-]

cpe:2.3:a:ec-cube:ec-cube:4.0.6:-:*:*:*:*:*:*

References

Link	Resource
http://jvn.jp/en/jp/JVN57942445/index.html	Third Party Advisory
https://jvn.jp/en/jp/JVN57942445/index.html	Third Party Advisory
https://www.ec-cube.net/info/weakness/weakness.php?id=80	Patch Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: jpcert

Published: 2021-07-01T05:45:17

Updated: 2021-07-01T06:06:26

Reserved: 2020-12-17T00:00:00

Link: CVE-2021-20778

JSON object: View

NVD Information

Status : Analyzed

Published: 2021-07-01T06:15:09.187

Modified: 2022-06-28T14:11:45.273

Link: CVE-2021-20778

JSON object: View

Redhat Information

No data.

CWE

NVD-CWE-Other

{"containers": {"cna": {"affected": [{"product": "EC-CUBE", "vendor": "EC-CUBE CO.,LTD.", "versions": [{"status": "affected", "version": "4.0.6 (EC-CUBE 4 series)"}]}], "descriptions": [{"lang": "en", "value": "Improper access control vulnerability in EC-CUBE 4.0.6 (EC-CUBE 4 series) allows a remote attacker to bypass access restriction and obtain sensitive information via unspecified vectors."}], "problemTypes": [{"descriptions": [{"description": "Improper Access Control", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-07-01T06:06:26", "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.ec-cube.net/info/weakness/weakness.php?id=80"}, {"tags": ["x_refsource_MISC"], "url": "https://jvn.jp/en/jp/JVN57942445/index.html"}, {"name": "JVN#57942445", "tags": ["third-party-advisory", "x_refsource_JVN"], "url": "http://jvn.jp/en/jp/JVN57942445/index.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "vultures@jpcert.or.jp", "ID": "CVE-2021-20778", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "EC-CUBE", "version": {"version_data": [{"version_value": "4.0.6 (EC-CUBE 4 series)"}]}}]}, "vendor_name": "EC-CUBE CO.,LTD."}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Improper access control vulnerability in EC-CUBE 4.0.6 (EC-CUBE 4 series) allows a remote attacker to bypass access restriction and obtain sensitive information via unspecified vectors."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Improper Access Control"}]}]}, "references": {"reference_data": [{"name": "https://www.ec-cube.net/info/weakness/weakness.php?id=80", "refsource": "MISC", "url": "https://www.ec-cube.net/info/weakness/weakness.php?id=80"}, {"name": "https://jvn.jp/en/jp/JVN57942445/index.html", "refsource": "MISC", "url": "https://jvn.jp/en/jp/JVN57942445/index.html"}, {"name": "JVN#57942445", "refsource": "JVN", "url": "http://jvn.jp/en/jp/JVN57942445/index.html"}]}}}}, "cveMetadata": {"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "assignerShortName": "jpcert", "cveId": "CVE-2021-20778", "datePublished": "2021-07-01T05:45:17", "dateReserved": "2020-12-17T00:00:00", "dateUpdated": "2021-07-01T06:06:26", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ec-cube:ec-cube:4.0.6:-:*:*:*:*:*:*", "matchCriteriaId": "5B7550DC-0C3C-4870-8473-65265DDF84FA", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Improper access control vulnerability in EC-CUBE 4.0.6 (EC-CUBE 4 series) allows a remote attacker to bypass access restriction and obtain sensitive information via unspecified vectors."}, {"lang": "es", "value": "Se presenta una vulnerabilidad de control de acceso inapropiado en EC-CUBE versi\u00f3n 4.0.6 (serie EC-CUBE 4) que permite a un atacante remoto omitir la restricci\u00f3n de acceso y obtener informaci\u00f3n confidencial por medio de vectores no especificados"}], "id": "CVE-2021-20778", "lastModified": "2022-06-28T14:11:45.273", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-07-01T06:15:09.187", "references": [{"source": "vultures@jpcert.or.jp", "tags": ["Third Party Advisory"], "url": "http://jvn.jp/en/jp/JVN57942445/index.html"}, {"source": "vultures@jpcert.or.jp", "tags": ["Third Party Advisory"], "url": "https://jvn.jp/en/jp/JVN57942445/index.html"}, {"source": "vultures@jpcert.or.jp", "tags": ["Patch", "Vendor Advisory"], "url": "https://www.ec-cube.net/info/weakness/weakness.php?id=80"}], "sourceIdentifier": "vultures@jpcert.or.jp", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}