PT-2021-22447 · Ghost · Ghost

Aden Yap Chuen Zhen

Published 2021-07-22 · Updated 2024-03-06

CVE-2021-39192

CVSS v3.1: 7.2 (High)

Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Ghost versions 4.0.0 through 4.9.4

Description

An error in the implementation of the limits service allows all authenticated users, including contributors, to view admin-level API keys via the integrations API endpoint, leading to a privilege escalation issue. This allows unauthorized access to sensitive information. It is highly recommended to regenerate all API keys after patching or applying the workaround.

Recommendations

For Ghost versions 4.0.0 through 4.9.4, upgrade to version 4.10.0 as soon as possible. As a temporary workaround, consider disabling all non-Administrator accounts to prevent API access. After patching or applying the workaround, regenerate all API keys to ensure security.
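As an added example (not part of the advisory or the Ghost project's code), a small check that flags Ghost instances falling in the affected range stated above, run over a constructed host inventory; the inventory format and host names are assumptions.

```python
import re

# Affected range and fix version as stated in the advisory (CVE-2021-39192).
AFFECTED_MIN = (4, 0, 0)
AFFECTED_MAX = (4, 9, 4)
FIXED_VERSION = "4.10.0"

# Accepts "4.9.4", "v4.9.4" or "4.9.4-rc.1"; a pre-release/build suffix is
# ignored for the range check (assumption: treated as its base version).
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?$")


def parse_version(text):
    """Return (major, minor, patch) from a Ghost version string."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True if the version lies in the advisory's affected range 4.0.0..4.9.4."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def scan_inventory(lines):
    """Given 'hostname version' lines, return the hosts that still need the 4.10.0 upgrade.

    Malformed lines are reported separately rather than silently skipped, so an
    unparseable version never hides an affected instance.
    """
    affected, unparsed = [], []
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        host, _, version = line.strip().partition(" ")
        try:
            if is_affected(version):
                affected.append(host)
        except ValueError:
            unparsed.append(host)
    return {"affected": affected, "unparsed": unparsed, "fix": FIXED_VERSION}


# Constructed sample inventory (hypothetical hosts, not from the advisory).
SAMPLE_INVENTORY = [
    "# host version",
    "blog-prod 4.9.4",
    "blog-staging v4.3.1-beta.2",
    "blog-new 4.10.0",
    "legacy 3.42.0",
    "unknown-box n/a",
]
```

Hosts listed under "affected" should be upgraded to 4.10.0 and have all API keys regenerated afterwards, as the recommendations above state.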

Fix

Weakness Enumeration

Improper Privilege Management

Information Disclosure

Related Identifiers

BIT-GHOST-2021-39192
CVE-2021-39192
GHSA-J5C2-HM46-WP5C

Affected Products

Ghost