CVE-2021-28122
Open5GS 2.1.3-2.2.0 - Unauthenticated Database Manipulation via WebUI API
Severity: CRITICAL
Title source: llmDescription
A request-validation issue was discovered in Open5GS 2.1.3 through 2.2.x before 2.2.1. The WebUI component allows an unauthenticated user to use a crafted HTTP API request to create, read, update, or delete entries in the subscriber database. For example, new administrative users can be added. The issue occurs because Express is not set up to require authentication.
References (4)
Release Notes, Third Party Advisory: https://github.com/open5gs/open5gs/releases
Exploit, Third Party Advisory: https://github.com/open5gs/open5gs/issues/837
Patch, Third Party Advisory: https://github.com/open5gs/open5gs/pull/838
Patch, Third Party Advisory (vendor-confirmed): https://github.com/open5gs/open5gs/compare/v2.2.0...v2.2.1
Scores
CVSS v3 base score: 9.8
CVSS v3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack vector: Network
EPSS score: 0.0110
EPSS percentile: 78.3%
Details
CWE: CWE-306 (Missing Authentication for Critical Function)
Status: published
Products (1): open5gs/open5gs, versions 2.1.3 - 2.2.0
Published: Mar 10, 2021
Tracked since: Feb 18, 2026