CVE-2021-39165

HIGH8.1EPSS 80.4%

Unauthenticated SQL Injection in Cachet

發布日:2021/8/30修改日:2026/3/13

描述

### Impact In Cachet versions through 2.3.18, there is a SQL injection which is in the `SearchableTrait#scopeSearch()`. Attackers without authentication can utilize this vulnerability to exfiltrate sensitive data from the database such as administrator's password and session. ### Patches The original repository of [https://github.com/CachetHQ/Cachet](https://github.com/CachetHQ/Cachet) is not active, the stable version 2.3.18 and it's developing 2.4 branch is affected. Update to version 2.5 or later in the [https://github.com/fiveai/Cachet fork](https://github.com/fiveai/Cachet) to fix this vulnerability.

受影響套件(1)

Packagist/cachethq/cachetfrom 0, <= 2.3.18

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	HIGH8.1	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

參考連結(3)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2021-39165
WEBhttps://github.com/fiveai/Cachet/commit/27bca8280419966ba80c6fa283d985ddffa84bb6
WEBhttps://github.com/fiveai/Cachet/security/advisories/GHSA-79mg-4w23-4fqc