CVE-2021-22565
6.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Summary
An attacker could prematurely expire a verification code, making it unusable by the patient, making the patient unable to upload their TEKs to generate exposure notifications. We recommend upgrading the Exposure Notification server to V1.1.2 or greater.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Google LLC | Google Exposure-notifications-verification-server | unspecified < 1.1.2 | affected |
Weaknesses
- CWE-284: CWE-284 Improper Access Control
ADP Enrichment
CVE Program Container
Additional References
- https://github.com/google/exposure-notifications-verification-server/security/advisories/GHSA-wx8q-rgfr-cf6v
- https://github.com/google/exposure-notifications-verification-server/releases/tag/v1.1.2
References
- https://github.com/google/exposure-notifications-verification-server/security/advisories/GHSA-wx8q-rgfr-cf6v
- https://github.com/google/exposure-notifications-verification-server/releases/tag/v1.1.2
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.