PT-2021-17755
Rashley-Iqtop · Published 2021-03-10 · Updated 2022-07-12 · CVE-2021-28122
CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions:
Open5GS versions 2.1.3 through 2.2.x before 2.2.1
Description:
A request-validation issue was discovered in the WebUI component, allowing an unauthenticated user to use a crafted HTTP API request to create, read, update, or delete entries in the subscriber database. For example, new administrative users can be added. The issue occurs because Express is not set up to require authentication.
Recommendations:
For Open5GS versions 2.1.3 through 2.2.x before 2.2.1, consider setting up Express to require authentication for the WebUI component to prevent unauthorized access to the subscriber database.
As a temporary workaround, consider restricting access to the WebUI component until a patch is available.
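To make the root cause concrete, here is an added example (not Open5GS or Express project code) that models an Express-style middleware chain without any dependencies: one subscriber-database handler mounted with nothing in front of it, beside the corrected chain where an authentication middleware runs first and fails closed. The header name, the session token value and the IMSI are constructed assumptions for illustration.

```javascript
// Dependency-free model of an Express-style (req, res, next) middleware chain.
// Constructed values: the header name, session token and IMSI are illustrative only.

const db = [];                                     // stands in for the subscriber database
const ADMIN_SESSION = 'constructed-session-token'; // constructed sample session token

// Authentication middleware in the Express (req, res, next) signature.
// Fail closed: on a missing or wrong token it answers 401 and never calls next(),
// so no handler mounted after it can run.
function requireAuth(req, res, next) {
  const token = req.headers['x-session-token'];
  if (token !== ADMIN_SESSION) {
    res.status(401).json({ error: 'authentication required' });
    return;
  }
  next();
}

// Handler that writes to the subscriber database (the critical function).
function createSubscriber(req, res) {
  db.push(req.body);
  res.status(201).json({ imsi: req.body.imsi });
}

// Minimal in-process runner that invokes handlers in order the way Express does:
// each handler runs only if the previous one called next().
function runChain(handlers, req) {
  const res = { statusCode: 200, body: undefined,
    status(code) { this.statusCode = code; return this; },
    json(payload) { this.body = payload; return this; } };
  let i = 0;
  const next = () => { const h = handlers[i++]; if (h) h(req, res, next); };
  next();
  return res;
}

// Vulnerable wiring: the handler is reachable by anyone who can send the request,
// matching the advisory's "Express is not set up to require authentication".
const vulnerableChain = [createSubscriber];
// Fixed wiring: requireAuth is mounted ahead of every subscriber-database handler.
const fixedChain = [requireAuth, createSubscriber];

// Send one constructed create-subscriber request through a chain and report
// the HTTP status and how many rows the database ended up with.
function simulate(chain, headers) {
  db.length = 0;
  const res = runChain(chain, { headers, body: { imsi: '001010000000001' } });
  return { status: res.statusCode, subscribers: db.length };
}
```

With the vulnerable chain an anonymous request returns 201 and leaves a row in the database; with the fixed chain the same request is answered 401 and writes nothing, while a request carrying the valid session token still succeeds.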
Exploit · Fix · Missing Authentication
Affected Products: Express, Open5GS