Lucene search

MitreCVE-2021-37935

HistoryDec 10, 2021 - 5:15 p.m.

CVE-2021-37935

2021-12-1017:15:07

CWE-200

mitre

web.nvd.nist.gov

cve-2021-37935

information disclosure

huntflow enterprise

ldap

remote user

vulnerability

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

AI Score

7.2

Confidence

High

EPSS

0.003

Percentile

69.9%

JSON

An information disclosure vulnerability in the login page of Huntflow Enterprise before 3.10.4 could allow an unauthenticated, remote user to get information about the domain name of the configured LDAP server. An attacker could exploit this vulnerability by requesting the login page and searching for the “isLdap” JavaScript parameter in the HTML source code.

Affected configurations

Nvd

Node

huntflowhuntflow_enterpriseRange≤3.10.4

VendorProductVersionCPE
huntflowhuntflow_enterprise*cpe:2.3:a:huntflow:huntflow_enterprise:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
huntflow	huntflow_enterprise	*	cpe:2.3:a:huntflow:huntflow_enterprise::::::::

References

gist.github.com/andrey-lomtev/c970fb7dd022d04f5b57ad37fbedd064

Social References

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

AI Score

7.2

Confidence

High

EPSS

0.003

Percentile

69.9%

JSON

Related for CVE-2021-37935