
WS-2021-0186


Date: July 20, 2021

An error in the implementation of the limits service in Ghost from version 4.0.0 allows all authenticated users (including contributors) to view admin-level API keys via the integrations API endpoint, leading to a privilege escalation vulnerability. Ghost(Pro) has already been patched. Self-hosters are impacted if running a Ghost version between 4.0.0 and 4.9.4. Immediate action should be taken to secure your site. It is highly recommended to regenerate all API keys after patching or applying the workaround below. The problem has been fixed in version 4.10.0.
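The bug class described above, as an added illustration that is not Ghost's own code: an integrations "browse" endpoint whose access decision rests on an unrelated limits check rather than on the caller's role, so every authenticated user receives the admin-level API keys, shown beside a hardened version that checks the role first and also redacts secrets in the serializer. Role names, record shapes, user objects and key values are constructed for the example and are not Ghost's data model.

```javascript
// Added illustration, not Ghost's code. Role names, record shapes and secrets
// below are assumptions made for the example.

const ADMIN_ROLES = new Set(['Owner', 'Administrator']);

// Constructed sample data: integrations carrying admin-level API keys.
const INTEGRATIONS = [
  { id: 'int-1', name: 'Zapier', api_keys: [{ type: 'admin', secret: 'CONSTRUCTED-ADMIN-KEY-1' }] },
  { id: 'int-2', name: 'Custom', api_keys: [
      { type: 'admin', secret: 'CONSTRUCTED-ADMIN-KEY-2' },
      { type: 'content', secret: 'CONSTRUCTED-CONTENT-KEY' },
  ] },
];

function isAdmin(user) {
  return Boolean(user) && ADMIN_ROLES.has(user.role);
}

// Vulnerable shape: only a limits/feature check gates the endpoint, and the
// records are returned with their secrets regardless of who is asking.
function browseIntegrationsVulnerable(user, limitCheckPasses) {
  if (!user) return { status: 401, body: null };
  if (!limitCheckPasses) return { status: 403, body: null };
  return { status: 200, body: INTEGRATIONS };
}

// Serializer that strips api_keys for anyone who is not an administrator.
// Keeping this in the serializer (not only in the route guard) means a later
// mistake in a guard still cannot hand secrets to a low-privilege role.
function serializeIntegration(integration, user) {
  if (isAdmin(user)) return integration;
  const { api_keys, ...publicFields } = integration;
  return publicFields;
}

// Hardened shape: the role check comes first, and the serializer redacts
// secrets independently of that check.
function browseIntegrationsHardened(user, limitCheckPasses) {
  if (!user) return { status: 401, body: null };
  if (!isAdmin(user)) return { status: 403, body: null };
  if (!limitCheckPasses) return { status: 403, body: null };
  return { status: 200, body: INTEGRATIONS.map((i) => serializeIntegration(i, user)) };
}

// Regression check for a response body: count every API key present in the
// JSON for a given caller. A self-hoster can apply the same idea to a real
// response after upgrading, expecting 0 for a contributor account.
function countExposedSecrets(body) {
  if (!Array.isArray(body)) return 0;
  return body.reduce(
    (n, integration) => n + (Array.isArray(integration.api_keys) ? integration.api_keys.length : 0),
    0,
  );
}

// Constructed users for the demonstration.
const contributor = { id: 'u-1', role: 'Contributor' };
const owner = { id: 'u-2', role: 'Owner' };

if (typeof require !== 'undefined' && require.main === module) {
  console.log('vulnerable, contributor:', countExposedSecrets(browseIntegrationsVulnerable(contributor, true).body)); // 3
  console.log('hardened, contributor:', countExposedSecrets(browseIntegrationsHardened(contributor, true).body));   // 0
  console.log('hardened, owner:', countExposedSecrets(browseIntegrationsHardened(owner, true).body));               // 3
}
```

The point of the split between the guard and the serializer is that the advisory's root cause was an unrelated check (the limits service) standing in for an authorization decision; putting the redaction where the output is built means the keys stay hidden even if a route-level check regresses again.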

Language: JS

Severity Score

Weakness Type (CWE)

Execution with Unnecessary Privileges

CWE-250

Top Fix


Upgrade Version

Upgrade ghost to version 4.10.0


CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): HIGH
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): HIGH
Integrity (I): HIGH
Availability (A): NONE
