CVE-2021-38617 | Cyber Solutions By Thales

Abstract Advisory Information

A lack of access control on the user creation endpoint allows a standard user

to create super user account that directly leads to privilege escalation.

Author: Thomas Pianezzola

Version affected

Name: Eigen NLP

Versions: 3.10.1

Common Vulnerability Scoring System

8.8

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Patches

Unknown

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38617

Vulnerability Disclosure Timeline

11/05/2021: Vulnerability discovery
28/05/2021: Vulnerability Report to CERT-XLM
28/05/2021: Vulnerability Report to Eigen NLP
15/06/2021: Call to get email contact. Awaiting for them to reach us back
29/06/2021: As no answer, call again to get email contact. Gave again email address to be reached back
15/07/2021: Called press number and being redirected to contact email address
06/08/2021: Contacted email address (last attempt to get in touch)
13/08/2021: Request CVE IDs to Mitre
1/09/2021: Expected Vulnerability disclosure