Authenticated non-privileged user can request unfiltered data without adequate permissions.

High
jdhwpgmbca published GHSA-3r67-fxpr-p2qx Sep 7, 2021

Package

pcapture (Maven)

Affected versions

< v3.12

Patched versions

v3.12

Description

Impact

This vulnerability allows an authenticated but unprivileged user to use the REST API to capture and download packets with no capture filter and without adequate permissions.

This is important because the capture filters can effectively limit the scope of information that a user can see in the data captures. If no filter is present, then all data on the local network segment where the program is running can be captured and downloaded.
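A sketch of server-side filter enforcement for the kind of REST capture request described above, as an added example; it is not pcapture's code or its v3.12 fix. The class, the `capture-admin` role, the per-user mandatory filter model and the sample users are all assumptions made for illustration.

```java
import java.util.Map;
import java.util.Optional;
import java.util.Set;

/** Added example; every name here is hypothetical, not pcapture's API. */
public class CaptureFilterPolicy {
    static final String UNFILTERED_ROLE = "capture-admin"; // assumed privileged role

    /** Refusal that a REST layer would map to HTTP 403. */
    static class Forbidden extends RuntimeException {
        Forbidden(String msg) { super(msg); }
    }

    private final Map<String, String> scopes; // user -> admin-assigned mandatory BPF filter

    CaptureFilterPolicy(Map<String, String> scopes) { this.scopes = scopes; }

    /** Returns the BPF expression for the capture engine; empty means unfiltered. */
    Optional<String> effectiveFilter(String user, Set<String> roles, String requested) {
        String req = requested == null ? "" : requested.trim();
        if (roles.contains(UNFILTERED_ROLE)) {
            return req.isEmpty() ? Optional.empty() : Optional.of(req);
        }
        String scope = scopes.get(user);
        if (scope == null || scope.isBlank()) { // fail closed: no scope, no capture
            throw new Forbidden("no capture scope assigned to " + user);
        }
        if (req.isEmpty()) return Optional.of(scope); // missing filter never means "everything"
        if (!parensBalanced(req)) throw new Forbidden("malformed filter expression");
        return Optional.of("(" + scope + ") and (" + req + ")"); // request can only narrow
    }

    /** Rejects input whose parentheses would escape the conjunction built above. */
    static boolean parensBalanced(String expr) {
        int depth = 0;
        for (char c : expr.toCharArray()) {
            if (c == '(') depth++;
            if (c == ')' && --depth < 0) return false;
        }
        return depth == 0;
    }

    public static void main(String[] args) { // constructed sample data
        var policy = new CaptureFilterPolicy(Map.of("alice", "net 10.1.2.0/24"));
        System.out.println(policy.effectiveFilter("alice", Set.of("user"), ""));
        System.out.println(policy.effectiveFilter("alice", Set.of("user"), "tcp port 443"));
        try { policy.effectiveFilter("bob", Set.of("user"), null); }
        catch (Forbidden e) { System.out.println("403: " + e.getMessage()); }
    }
}
```

The decision is made from the authenticated identity on the server, so a request that simply omits the filter parameter still gets the user's assigned scope rather than an open capture.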

Patches

v3.12 fixes this problem.

Workarounds

There is no workaround; you must upgrade to v3.12 or greater.

References

N/A

For more information

Severity

High 7.7 / 10

CVSS base metrics

Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: None
Scope: Changed
Confidentiality: High
Integrity: None
Availability: None
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

CVE ID

CVE-2021-39196

Weaknesses

No CWEs