CVE-2021-32814

Skytable is a NoSQL database with automated snapshots and TLS. Versions prior to 0.5.1 are vulnerable to a a directory traversal attack enabling remotely connected clients to destroy and/or manipulate critical files on the host's file system. This security bug has been patched in version 0.5.1. There are no known workarounds aside from upgrading.

CVSS v3.0 8.1 HIGH
CVSS v2.0 9.4 HIGH

8.1^/10

CVSS v3.0 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

9.4^/10

CVSS v2.0 : HIGH

V2 Legend

Vector : AV:N/AC:L/Au:N/C:N/I:C/A:C

Exploitability : 10.0 / Impact : 9.2

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact COMPLETE

Availability Impact COMPLETE

References

Link	Resource
https://github.com/skytable/skytable/security/advisories/GHSA-2hj9-cxmc-m4g7	Third Party Advisory
https://security.skytable.io/ve/s/00001.html	Patch Third Party Advisory
https://github.com/skytable/skytable/blob/next/CHANGELOG.md#version-051-2021-03-17	Release Notes Third Party Advisory
https://github.com/skytable/skytable/commit/38b011273bb92b83c61053ae2fcd80aa9320315c#diff-1cdcf1a793c71ec658782437e4da7e3a37042bc1e2c12545942e9a14679c4b7e	Patch Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:skytable:skytable:*:*:*:*:*:*:*:*

Information

Published : 2021-08-03 10:15

Updated : 2021-08-11 10:05

NVD link : CVE-2021-32814

Mitre link : CVE-2021-32814

JSON object : View

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Products Affected

skytable

skytable

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "https://github.com/skytable/skytable/security/advisories/GHSA-2hj9-cxmc-m4g7", "name": "https://github.com/skytable/skytable/security/advisories/GHSA-2hj9-cxmc-m4g7", "tags": ["Third Party Advisory"], "refsource": "CONFIRM"}, {"url": "https://security.skytable.io/ve/s/00001.html", "name": "https://security.skytable.io/ve/s/00001.html", "tags": ["Patch", "Third Party Advisory"], "refsource": "MISC"}, {"url": "https://github.com/skytable/skytable/blob/next/CHANGELOG.md#version-051-2021-03-17", "name": "https://github.com/skytable/skytable/blob/next/CHANGELOG.md#version-051-2021-03-17", "tags": ["Release Notes", "Third Party Advisory"], "refsource": "MISC"}, {"url": "https://github.com/skytable/skytable/commit/38b011273bb92b83c61053ae2fcd80aa9320315c#diff-1cdcf1a793c71ec658782437e4da7e3a37042bc1e2c12545942e9a14679c4b7e", "name": "https://github.com/skytable/skytable/commit/38b011273bb92b83c61053ae2fcd80aa9320315c#diff-1cdcf1a793c71ec658782437e4da7e3a37042bc1e2c12545942e9a14679c4b7e", "tags": ["Patch", "Third Party Advisory"], "refsource": "MISC"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "Skytable is a NoSQL database with automated snapshots and TLS. Versions prior to 0.5.1 are vulnerable to a a directory traversal attack enabling remotely connected clients to destroy and/or manipulate critical files on the host's file system. This security bug has been patched in version 0.5.1. There are no known workarounds aside from upgrading."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-22"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2021-32814", "ASSIGNER": "security-advisories@github.com"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 9.4, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:N/I:C/A:C", "authentication": "NONE", "integrityImpact": "COMPLETE", "accessComplexity": "LOW", "availabilityImpact": "COMPLETE", "confidentialityImpact": "NONE"}, "severity": "HIGH", "acInsufInfo": false, "impactScore": 9.2, "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "baseMetricV3": {"cvssV3": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 5.2, "exploitabilityScore": 2.8}}, "publishedDate": "2021-08-03T17:15Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:skytable:skytable:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "0.5.1"}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2021-08-11T17:05Z"}

8.1 /10

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

9.4 /10

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact COMPLETE

Availability Impact COMPLETE

JSON object

Attach tags to CVE-2021-32814

8.1^/10

9.4^/10

Attach tags to `CVE-2021-32814`