CVE-2021-3325
9.8 CRITICALMonitorix 3.13.0 allows remote attackers to bypass Basic Authentication in a default installation (i.e., an installation without a hosts_...
Published: 2021-01-27 · Last updated: 2026-06-17
Severity and scoring
- CVSS
- 9.8 CRITICAL
- Vector
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
| Vendor | Product |
|---|---|
| fedoraproject | fedora, monitorix |
| fibranet | fedora, monitorix |
Description
Monitorix 3.13.0 allows remote attackers to bypass Basic Authentication in a default installation (i.e., an installation without a hosts_deny option). This issue occurred because a new access-control feature was introduced without considering that some exiting installations became unsafe, upon an update to 3.13.0, unless the new feature was immediately configured.
Source: NVD
References
- [NVD]https://nvd.nist.gov/vuln/detail/CVE-2021-3325
- [Patch]https://github.com/mikaku/Monitorix/commit/d6816e20da1a98bcdc6372d9c36a093df5238f4a
- [Patch]https://github.com/mikaku/Monitorix/compare/v3.13.0...v3.13.1
- [Exploit reference]https://github.com/mikaku/Monitorix/issues/309
- [Other]https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/67DDUU56LP76AJ2K7WJ733QPL2FHKKNG/
- [Other]https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IGG6WK44CYY6GEFRTCUEDANVNSX5NDH7/
- [Vendor advisory]https://www.monitorix.org/news.html?n=20210127
- [Patch]https://github.com/mikaku/Monitorix/commit/d6816e20da1a98bcdc6372d9c36a093df5238f4a
- [Patch]https://github.com/mikaku/Monitorix/compare/v3.13.0...v3.13.1
- [Exploit reference]https://github.com/mikaku/Monitorix/issues/309
- [Other]https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/67DDUU56LP76AJ2K7WJ733QPL2FHKKNG/
- [Other]https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IGG6WK44CYY6GEFRTCUEDANVNSX5NDH7/
- [Vendor advisory]https://www.monitorix.org/news.html?n=20210127
Related CVEs
Same vendor
- CVE-2024-28960 — An issue was discovered in Mbed TLS 2.18.0 through 2.28.x before 2.28.8 and 3.x before 3.6.0, and Mbed Crypto (8.2 HIGH)
- CVE-2023-51767 — OpenSSH through 10.0, when common types of DRAM are used, might allow row hammer attacks (for authentication bypass) because the integer ... (7.0 HIGH)
- CVE-2023-43615 — Mbed TLS 2.x before 2.28.5 and 3.x before 3.5.0 has a Buffer Overflow (7.5 HIGH)
- CVE-2023-25136 — OpenSSH server (sshd) 9.1 introduced a double-free vulnerability during options.kex_algorithms handling (6.5 MEDIUM)
- CVE-2022-46393 — An issue was discovered in Mbed TLS before 2.28.2 and 3.x before 3.3.0 (9.8 CRITICAL)