Insecure proxy configuration in Mozilla Hubs Cloud Reticulum
Published: 2021-05-07
Risk: High
Patch available: Yes
Number of vulnerabilities: 1
CVE-ID: CVE-2021-29954
CWE-ID: CWE-16
Exploitation vector: Network
Public exploit: N/A
Vulnerable software:
Reticulum (Web applications / Modules and components for CMS)

Vendor: Mozilla

Security Bulletin

This security bulletin contains one high risk vulnerability.

1) Insecure configuration

EUVDB-ID: #VU52976

Risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-29954

CWE-ID: CWE-16 - Configuration

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to an insecure proxy configuration built into the Reticulum software package. The proxy allowed access to internal URLs, including the metadata service, which could expose credentials specific to a Hubs Cloud instance. A remote non-authenticated attacker can obtain this sensitive information and use it to compromise the Hubs Cloud instance.
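The misconfiguration described above is a forwarding proxy that will fetch internal URLs on a caller's behalf. The following Python check is an added example, not code from Reticulum or Mozilla: it refuses proxy targets whose scheme is not HTTP(S) or whose host resolves to a loopback, private or link-local address (the range that contains the cloud metadata endpoint). The `resolve` hook and the `constructed_resolve` table are assumptions so the check runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Ranges a forwarding proxy must never reach for a caller: loopback, RFC 1918,
# CGNAT and link-local (where the cloud metadata service lives), plus IPv6 peers.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]

def is_internal_address(ip: str) -> bool:
    """True if the IP (IPv4, IPv6 or IPv4-mapped IPv6) falls in a blocked range."""
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped  # unwrap ::ffff:a.b.c.d so IPv4 rules apply
    return (addr.is_loopback or addr.is_link_local or addr.is_unspecified
            or any(addr in net for net in BLOCKED_NETWORKS))

def system_resolve(host: str) -> set[str]:
    return {info[4][0] for info in socket.getaddrinfo(host, None)}  # live DNS

def constructed_resolve(host: str) -> set[str]:
    """Constructed, offline stand-in for DNS used by the tests (assumption)."""
    table = {"cdn.example": {"203.0.113.10"}, "intranet.example": {"10.1.2.3"}}
    if host not in table:
        raise OSError(f"cannot resolve {host}")
    return table[host]

def check_proxy_target(url: str, resolve=system_resolve) -> tuple[bool, str]:
    """Decide whether the proxy may fetch `url`; returns (allowed, reason)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:  # IP literal (including bracketed IPv6): no DNS lookup needed
        targets = {str(ipaddress.ip_address(host))}
    except ValueError:
        try:
            targets = resolve(host)
        except OSError as exc:
            return False, f"unresolvable host: {exc}"
    for ip in targets:  # deny if ANY answer for the name is internal
        if is_internal_address(ip):
            return False, f"{host} resolves to internal address {ip}"
    return True, "ok"
```

The proxy must then connect to the address it checked rather than re-resolving the name, and re-run the check on every redirect hop, or the validation can be bypassed.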

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Reticulum: 1.0.1/20200817225751 - 1.0.20201012230301

External links

http://www.mozilla.org/en-US/security/advisories/mfsa2021-21/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.