PT-2021-22252 · Unknown · Netless Agora Flat Server

Published

2021-08-13

Updated

2022-07-12

CVE-2021-38621

CVSS v3.1

9.1

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions netless Agora Flat Server versions prior to 2021-07-30

Description The issue concerns the remove API in the netless Agora Flat Server, specifically in the file v1/controller/cloudStorage/alibabaCloud/remove/index.ts, which mishandles file ownership.

Recommendations For versions prior to 2021-07-30, consider restricting access to the remove API endpoint "/v1/controller/cloudStorage/alibabaCloud/remove" until a fix is applied. As a temporary workaround, review and manually verify file ownership to prevent potential misuse.

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Related Identifiers

CVE-2021-38621

Affected Products

Netless Agora Flat Server

PT-2021-22252 · Unknown · Netless Agora Flat Server

CVE-2021-38621

Related Identifiers

Affected Products

References · 5