Vulnerability Details : CVE-2021-22565
An attacker could prematurely expire a verification code, making it unusable by the patient and preventing the patient from uploading their TEKs to generate exposure notifications. We recommend upgrading the Exposure Notification server to V1.1.2 or greater.
Vulnerability category: Bypass; Gain privilege
Products affected by CVE-2021-22565
- cpe:2.3:a:google:exposure_notification_verification_server:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-22565
EPSS score: 0.16% (probability of exploitation activity in the next 30 days)
EPSS percentile: ~38% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2021-22565
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
5.8 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:P | 8.6 | 4.9 | NIST | 
6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L | 3.9 | 2.5 | Google Inc. | 
6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L | 3.9 | 2.5 | NIST | 
CWE ids for CVE-2021-22565
- The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. Assigned by: cve-coordination@google.com (Secondary)
References for CVE-2021-22565
- https://github.com/google/exposure-notifications-verification-server/releases/tag/v1.1.2 (Release v1.1.2 · google/exposure-notifications-verification-server · GitHub): Patch; Release Notes; Third Party Advisory
- https://github.com/google/exposure-notifications-verification-server/security/advisories/GHSA-wx8q-rgfr-cf6v (Insufficient Granularity of Access Control in github.com/google/exposure-notifications-verification-server · Advisory · google/exposure-notifications-verification-server · GitHub): Third Party Advisory