Platform
nodejs
Component
nodebb
Fixed in
1.15.1
1.18.5
CVE-2021-43786 is a critical vulnerability affecting NodeBB, a Node.js-based forum software. This flaw stems from incorrect logic in the token verification process, unintentionally granting master token access to the API. The vulnerability impacts versions prior to 1.18.5. A patch is available in version 1.18.5, and a cherry-pick of commit 04dab1d550cdebf4c1567bca9a51f8b9ca48a500 provides a workaround.
The primary impact of CVE-2021-43786 is the potential for unauthorized access to the NodeBB API with master token privileges. This allows an attacker to perform any action within the forum, including creating, deleting, and modifying posts, users, and settings. A successful exploitation could lead to complete compromise of the forum instance, data exfiltration, and potential defacement. The lack of proper token validation makes this a high-severity vulnerability, as it bypasses standard authentication mechanisms. The ability to gain master token access essentially grants an attacker root-level control over the forum’s functionality and data.
CVE-2021-43786 was publicly disclosed on November 30, 2021. There is no indication of active exploitation at this time, but the critical severity and ease of exploitation warrant immediate attention. No KEV listing is currently available. Public proof-of-concept exploits are not widely available, but the vulnerability's nature suggests it could be easily exploited once a PoC is released. Monitor security forums and threat intelligence feeds for any signs of exploitation.
Organizations and individuals running NodeBB forum software, particularly those utilizing the API for integrations or custom functionality, are at risk. Environments with weak token management practices or those that haven't regularly updated NodeBB are especially vulnerable. Shared hosting environments running NodeBB instances should also be prioritized for patching.
• nodejs / server:
ps aux | grep nodebb
Check the NodeBB process to verify the version running. If it's older than 1.18.5, it's vulnerable.
• generic web:
curl -I https://your-nodebb-instance/api/ | grep -i 'Authorization:'
Inspect the API response headers for any unusual or unexpected authorization tokens.
disclosure
patch
Exploit status
EPSS
0.47% (65th percentile)
CVSS vector
The recommended mitigation for CVE-2021-43786 is to immediately upgrade NodeBB to version 1.18.5 or later. This version includes a fix for the flawed token verification logic. If upgrading is not immediately feasible, a temporary workaround involves cherry-picking commit hash 04dab1d550cdebf4c1567bca9a51f8b9ca48a500. This commit contains the specific patch addressing the vulnerability. After applying either the full upgrade or the cherry-picked commit, verify the fix by attempting to access the API with a non-authorized token; access should be denied. Monitor NodeBB's security advisory page for any further updates or recommendations.
Upgrade NodeBB to version 1.18.5 or later. This version fixes the incorrect logic in API token verification, preventing the authentication bypass.
CVE-2021-43786 is a critical vulnerability in NodeBB that allows unauthorized access to the API due to flawed token verification, potentially granting master token privileges.
You are affected if you are running NodeBB versions prior to 1.18.5. Immediate action is required to mitigate the risk.
Upgrade NodeBB to version 1.18.5 or apply cherry-pick commit 04dab1d550cdebf4c1567bca9a51f8b9ca48a500 as a temporary workaround.
There is no current evidence of active exploitation, but the vulnerability's severity warrants immediate attention and patching.
Refer to the NodeBB security advisory page for the latest information and updates: https://community.nodebb.org/