CVE-2021-39173
8.8 HIGH
Cachet is an open source status page system
Published: 2021-08-27 · Last updated: 2026-06-17
Severity and scoring
- CVSS: 8.8 HIGH
- Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- CWE: CWE-704
Affected products
| Vendor | Product |
|---|---|
| cachethq | cachet |
Description
Cachet is an open source status page system. Prior to version 2.5.1, authenticated users, regardless of their privileges (User or Admin), can trick Cachet into running the installation again, leading to arbitrary code execution on the server. This issue was addressed in version 2.5.1 by improving the `ReadyForUse` middleware, which now performs a stricter validation of the instance name. As a workaround, only allow trusted source IP addresses to access the administration dashboard.
Source: NVD
References
- [NVD](https://nvd.nist.gov/vuln/detail/CVE-2021-39173)
- [Exploit reference](https://blog.sonarsource.com/cachet-code-execution-via-laravel-configuration-injection/)
- [Other](https://github.com/fiveai/Cachet/releases/tag/v2.5.1)
- [Other](https://github.com/fiveai/Cachet/security/advisories/GHSA-r67m-m8c7-jp83)
Related CVEs
Same vendor
- CVE-2021-39174 — Cachet is an open source status page system (8.8 HIGH)
- CVE-2021-39172 — Cachet is an open source status page system (8.8 HIGH)
Same CWE
- CVE-2026-46690 — unbounded_spsc is an "unbounded" extension of bounded_spsc_queue (5.8 MEDIUM)
- CVE-2026-45685 — OpenTelemetry eBPF Instrumentation provides eBPF instrumentation based on the OpenTelemetry standard (7.5 HIGH)
- CVE-2026-44324 — free5GC is an open-source implementation of the 5G core network (6.5 MEDIUM)
- CVE-2026-46597 — An incorrectly placed cast from bytes to int allowed for server-side panic in the AES-GCM packet decoder for well-crafted inputs (7.5 HIGH)
- CVE-2023-7345 — Ledger Live with vulnerable versions of ledgerhq/hw-app-eth prior to 6.34.7 contains an integer parsing vulnerability that allows attacke... (6.5 MEDIUM)