Vulnerability Details : CVE-2021-21352
Anuko Time Tracker is an open source, web-based time tracking application written in PHP. In TimeTracker before version 1.19.24.5415 tokens used in password reset feature in Time Tracker are based on system time and, therefore, are predictable. This opens a window for brute force attacks to guess user tokens and, once successful, change user passwords, including that of a system administrator. This vulnerability is pathced in version 1.19.24.5415 (started to use more secure tokens) with an additional improvement in 1.19.24.5416 (limited an available window for brute force token guessing).
Products affected by CVE-2021-21352
- cpe:2.3:a:anuko:time_tracker:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-21352
0.28%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 65 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2021-21352
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0
|
MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N |
10.0
|
2.9
|
NIST | |
9.1
|
CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
3.9
|
5.2
|
NIST | |
6.8
|
MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N |
2.2
|
4.0
|
GitHub, Inc. |
CWE ids for CVE-2021-21352
-
The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.Assigned by: security-advisories@github.com (Primary)
References for CVE-2021-21352
-
https://www.anuko.com/time-tracker/index.htm
Time TrackerVendor Advisory
-
https://github.com/anuko/timetracker/security/advisories/GHSA-43c9-rx4h-4gqq
Predictable tokens used for password resets in versions prior to 1.19.24.5415 · Advisory · anuko/timetracker · GitHubMitigation;Third Party Advisory
-
https://github.com/anuko/timetracker/commit/40f3d9345adc20e6f28eb9f59e2489aff87fecf5
Fixed a critical security vulnerability with password resets. · anuko/timetracker@40f3d93 · GitHubPatch;Third Party Advisory
Jump to