PT-2021-15144 · Unknown · Exposure Notification Server

Sethvargo

Published

2021-11-10

Updated

2024-08-21

CVE-2021-22565

CVSS v3.1

6.5

Medium

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Name of the Vulnerable Software and Affected Versions Exposure Notification server versions prior to V1.1.2

Description An attacker could prematurely expire a verification code, making it unusable by the patient, and preventing the patient from uploading their TEKs to generate exposure notifications. Users or API keys with permission to expire verification codes could have expired codes that belonged to another realm if they guessed the UUID. Verification codes can only be expired by providing their 64-bit UUID, and verification codes are already valid for a very short period of time.

Recommendations For Exposure Notification server versions prior to V1.1.2, upgrade the server to V1.1.2 or greater.

Fix

Improper Access Control

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-284

Related Identifiers

CVE-2021-22565

GHSA-WX8Q-RGFR-CF6V

GO-2022-0270

Affected Products

Exposure Notification Server

PT-2021-15144 · Unknown · Exposure Notification Server

CVE-2021-22565

Weakness Enumeration

Related Identifiers

Affected Products

References · 8