Vulnerability Details : CVE-2021-36777
Potential exploit
A Reliance on Untrusted Inputs in a Security Decision vulnerability in the login proxy of the openSUSE Build service allowed attackers to present users with a expected login form that then sends the clear text credentials to an attacker specified server. This issue affects: openSUSE Build service login-proxy-scripts versions prior to dc000cdfe9b9b715fb92195b1a57559362f689ef.
Products affected by CVE-2021-36777
- cpe:2.3:a:opensuse:open_build_service:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-36777
0.29%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 50 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2021-36777
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
6.8
|
MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
8.6
|
6.4
|
NIST | |
|
8.1
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N |
2.8
|
5.2
|
SUSE | |
|
8.8
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
2.8
|
5.9
|
NIST |
CWE ids for CVE-2021-36777
-
The product uses a protection mechanism that relies on the existence or values of an input, but the input can be modified by an untrusted actor in a way that bypasses the protection mechanism.Assigned by: meissner@suse.de (Secondary)
References for CVE-2021-36777
-
https://bugzilla.suse.com/show_bug.cgi?id=1191209
Bug 1191209 – VUL-0: CVE-2021-36777: login-proxy sends password to attacker-provided domainExploit;Issue Tracking;Patch;Third Party Advisory
Jump to