CVE-2021-22538 MEDIUM

CVE-2021-22538: Privilege escalation in RBAC system

Vendor Google LLC
Product Exposure Notifications Verification Server
Weakness CWE-20 · Input validation
Published March 31, 2021
Last update August 3, 2024

CVSS base score

6.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Scope Unchanged
Confidentiality Low
Integrity Low
Availability Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

What the vulnerability does

Description

A privilege escalation vulnerability in the Google Exposure Notifications Verification Server (versions prior to 0.23.1) allows an attacker who (1) holds the UserWrite permission and (2) sends a carefully crafted request, for example through a malicious proxy, to create another user with higher privileges than their own. The cause is insufficient checking of the allowed set of permissions: the server accepts a requested permission set that exceeds what the caller holds, so a user who may only write users can mint an account with permissions they do not have. The new-user creation event is still captured in the Event Log, so the escalation leaves an audit trail.
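The flaw class is easiest to see side by side with its fix. The Go below is an added illustration written for this page, not code from the verification server: the permission names, the bitmask layout and the two create-user functions are assumptions, and the sample request is constructed. The unchecked variant only confirms that the caller may write users and then stores whatever permission set the request carried; the checked variant also requires that set to be a subset of the caller's own permissions, which is the invariant the advisory says was missing.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Permission is a bitmask of capabilities. The names below are illustrative
// stand-ins for an RBAC permission set, not the project's own identifiers.
type Permission uint64

const (
	UserRead Permission = 1 << iota
	UserWrite
	SettingsWrite
	AdminRead
	AdminWrite
)

// permissionByName maps the names a client may send to their bits.
var permissionByName = map[string]Permission{
	"UserRead":      UserRead,
	"UserWrite":     UserWrite,
	"SettingsWrite": SettingsWrite,
	"AdminRead":     AdminRead,
	"AdminWrite":    AdminWrite,
}

// ErrPrivilegeEscalation is returned when a request asks for bits the actor lacks.
var ErrPrivilegeEscalation = errors.New("request grants permissions the caller does not hold")

// Has reports whether every bit in q is set in p.
func (p Permission) Has(q Permission) bool { return p&q == q }

// ParsePermissions converts the names carried in a client-controlled
// create-user request into a bitmask, rejecting unknown names.
func ParsePermissions(names []string) (Permission, error) {
	var p Permission
	for _, n := range names {
		bit, ok := permissionByName[strings.TrimSpace(n)]
		if !ok {
			return 0, fmt.Errorf("unknown permission %q", n)
		}
		p |= bit
	}
	return p, nil
}

// User is a minimal account record.
type User struct {
	Email       string
	Permissions Permission
}

// CreateUserUnchecked models the flaw class the advisory describes: the only
// authorization check is that the actor may write users. Whatever permission
// set the request carries (forged by hand or by a malicious proxy) is stored.
func CreateUserUnchecked(actor User, email string, requested Permission) (User, error) {
	if !actor.Permissions.Has(UserWrite) {
		return User{}, errors.New("forbidden: UserWrite required")
	}
	return User{Email: email, Permissions: requested}, nil
}

// CreateUserChecked adds the missing invariant: the granted set must be a
// subset of the actor's own permissions, so nobody can create an account
// more privileged than themselves. requested &^ actor.Permissions is the set
// of requested bits the actor does not hold.
func CreateUserChecked(actor User, email string, requested Permission) (User, error) {
	if !actor.Permissions.Has(UserWrite) {
		return User{}, errors.New("forbidden: UserWrite required")
	}
	if extra := requested &^ actor.Permissions; extra != 0 {
		return User{}, fmt.Errorf("%w: extra bits %#x", ErrPrivilegeEscalation, uint64(extra))
	}
	return User{Email: email, Permissions: requested}, nil
}

func main() {
	// Constructed scenario: an operator who may only read and write users
	// submits a request that also names AdminWrite.
	actor := User{Email: "operator@example.com", Permissions: UserRead | UserWrite}
	requested, err := ParsePermissions([]string{"UserRead", "AdminWrite"})
	if err != nil {
		panic(err)
	}
	u, err := CreateUserUnchecked(actor, "new@example.com", requested)
	fmt.Printf("unchecked: user=%+v err=%v\n", u, err)
	u, err = CreateUserChecked(actor, "new@example.com", requested)
	fmt.Printf("checked:   user=%+v err=%v\n", u, err)
}
```

The subset test is deliberately expressed on the full bitmask rather than on individual named roles: any future permission bit is covered automatically, and an actor can still grant everything they hold (including UserWrite itself), which is not an escalation. Whichever path is taken, the creation should still be written to the audit log, as the advisory notes it was; the log is what lets an operator find accounts created before the fix was deployed.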

Key dates

Disclosure timeline

March 31, 2021 CVE published
August 3, 2024 Record updated