Details of VAR-202105-1217

ID

VAR-202105-1217

CVE

CVE-2021-29024

TITLE

InvoicePlane path traversal vulnerability

Trust: 1.2

sources: CNVD: CNVD-2021-37203 // CNNVD: CNNVD-202105-1118

DESCRIPTION

In InvoicePlane 1.5.11 a misconfigured web server allows unauthenticated directory listing and file download. Allowing an attacker to directory traversal and download files suppose to be private without authentication. InvoicePlane Contains vulnerabilities in externally accessible files or directories.Information may be obtained. InvoicePlane is an application software. Provide a self-hosted open source application for managing your quotes, invoices, customers and payments. InvoicePlane version 1.5.11 has a path traversal vulnerability

Trust: 2.25

sources: NVD: CVE-2021-29024 // JVNDB: JVNDB-2021-006975 // CNVD: CNVD-2021-37203 // VULMON: CVE-2021-29024

IOT TAXONOMY

category:

['IoT']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2021-37203

AFFECTED PRODUCTS

vendor:	invoiceplane	model:	invoiceplane	scope:	eq	version:	1.5.11	Trust: 1.6
vendor:	invoiceplane com	model:	invoiceplane	scope:	eq	version:	1.5.11	Trust: 0.8
vendor:	invoiceplane com	model:	invoiceplane	scope:	eq	version:	-	Trust: 0.8

sources: CNVD: CNVD-2021-37203 // JVNDB: JVNDB-2021-006975 // NVD: CVE-2021-29024

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2021-29024
value:	HIGH
Trust: 1.0
NVD:	CVE-2021-29024
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2021-37203
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-202105-1118
value:	HIGH
Trust: 0.6
VULMON:	CVE-2021-29024
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2021-29024
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
CNVD:	CNVD-2021-37203
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2021-29024
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	3.6
version:	3.1
Trust: 1.0
NVD:	CVE-2021-29024
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2021-37203 // VULMON: CVE-2021-29024 // JVNDB: JVNDB-2021-006975 // CNNVD: CNNVD-202105-1118 // NVD: CVE-2021-29024

PROBLEMTYPE DATA

problemtype:	CWE-552	Trust: 1.0
problemtype:	Externally accessible file or directory (CWE-552) [NVD Evaluation ]	Trust: 0.8

sources: JVNDB: JVNDB-2021-006975 // NVD: CVE-2021-29024

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202105-1118

TYPE

path traversal

Trust: 0.6

sources: CNNVD: CNNVD-202105-1118

PATCH

title:	Top Page	url:	https://www.invoiceplane.com/	Trust: 0.8
title:	Patch for InvoicePlane path traversal vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/267956	Trust: 0.6
title:	InvoicePlane Repair measures for path traversal vulnerabilities	url:	http://123.124.177.30/web/xxk/bdxqById.tag?id=151821	Trust: 0.6
title:	-	url:	https://github.com/Live-Hack-CVE/CVE-2021-29024	Trust: 0.1

sources: CNVD: CNVD-2021-37203 // VULMON: CVE-2021-29024 // JVNDB: JVNDB-2021-006975 // CNNVD: CNNVD-202105-1118

EXTERNAL IDS

db:	NVD	id:	CVE-2021-29024	Trust: 3.9
db:	JVNDB	id:	JVNDB-2021-006975	Trust: 0.8
db:	CNVD	id:	CNVD-2021-37203	Trust: 0.6
db:	CNNVD	id:	CNNVD-202105-1118	Trust: 0.6
db:	VULMON	id:	CVE-2021-29024	Trust: 0.1

sources: CNVD: CNVD-2021-37203 // VULMON: CVE-2021-29024 // JVNDB: JVNDB-2021-006975 // CNNVD: CNNVD-202105-1118 // NVD: CVE-2021-29024

REFERENCES

url:	https://notnnor.github.io/research/2021/03/17/files-or-directories-accessible-to-external-parties-in-invoiceplane.html	Trust: 2.5
url:	https://nvd.nist.gov/vuln/detail/cve-2021-29024	Trust: 2.0
url:	https://github.com/invoiceplane/invoiceplane/pull/754	Trust: 1.7
url:	https://cwe.mitre.org/data/definitions/552.html	Trust: 0.1
url:	https://github.com/live-hack-cve/cve-2021-29024	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: CNVD: CNVD-2021-37203 // VULMON: CVE-2021-29024 // JVNDB: JVNDB-2021-006975 // CNNVD: CNNVD-202105-1118 // NVD: CVE-2021-29024

SOURCES

db:	CNVD	id:	CNVD-2021-37203
db:	VULMON	id:	CVE-2021-29024
db:	JVNDB	id:	JVNDB-2021-006975
db:	CNNVD	id:	CNNVD-202105-1118
db:	NVD	id:	CVE-2021-29024

LAST UPDATE DATE

2024-08-14T15:22:18.325000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2021-37203	date:	2021-05-26T00:00:00
db:	VULMON	id:	CVE-2021-29024	date:	2023-01-24T00:00:00
db:	JVNDB	id:	JVNDB-2021-006975	date:	2022-01-27T07:32:00
db:	CNNVD	id:	CNNVD-202105-1118	date:	2023-01-28T00:00:00
db:	NVD	id:	CVE-2021-29024	date:	2023-03-01T16:46:50.010

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2021-37203	date:	2021-05-26T00:00:00
db:	VULMON	id:	CVE-2021-29024	date:	2021-05-17T00:00:00
db:	JVNDB	id:	JVNDB-2021-006975	date:	2022-01-27T00:00:00
db:	CNNVD	id:	CNNVD-202105-1118	date:	2021-05-17T00:00:00
db:	NVD	id:	CVE-2021-29024	date:	2021-05-17T19:15:07.790