How severe is CVE-2021-43820?

This vulnerability has a severity rating of MEDIUM with a CVSS score of 5.9 out of 10.

What type of vulnerability is CVE-2021-43820?

This is classified as CWE-639, which is a common weakness in software security.

CVE-2021-43820 - MEDIUM Severity | CVSS 5.9

Vulnerability Description

Seafile is an open source cloud storage system. A sync token is used in Seafile file syncing protocol to authorize access to library data. To improve performance, the token is cached in memory in seaf-server. Upon receiving a token from sync client or SeaDrive client, the server checks whether the token exist in the cache. However, if the token exists in cache, the server doesn't check whether it's associated with the specific library in the URL. This vulnerability makes it possible to use any valid sync token to access data from any **known** library. Note that the attacker has to first find out the ID of a library which it has no access to. The library ID is a random UUID, which is not possible to be guessed. There are no workarounds for this issue.

Related Vulnerabilities

CVE-2019-16546

MEDIUM

CVSS:5.9(Medium)

Jenkins Google Compute Engine Plugin 4.1.1 and earlier does not verify SSH host keys when connecting agents created by the plugin, enabling man-in-the-middle attacks.

CWE-6392019

CVE-2023-32189

MEDIUM

CVSS:5.9(Medium)

Insecure handling of ssh keys used to bootstrap clients allows local attackers to potentially gain access to the keys

CWE-6392023

CVE-2017-0936

MEDIUM

CVSS:5.7(Medium)

Nextcloud Server before 11.0.7 and 12.0.5 suffers from an Authorization Bypass Through User-Controlled Key vulnerability. A missing ownership check allowed logged-in users to change the scope of app p...

CWE-6392017

CVE-2020-13462

MEDIUM

CVSS:5.7(Medium)

Insecure Direct Object Reference (IDOR) exists in Tufin SecureChange, affecting all versions prior to R20-2 GA. Fixed in version R20-2 GA.

CWE-6392020

CVE-2024-21981

MEDIUM

CVSS:5.7(Medium)

Improper key usage control in AMD Secure Processor (ASP) may allow an attacker with local access who has gained arbitrary code execution privilege in ASP to extract ASP cryptographic keys, potentially...

CWE-6392024

CVE-2017-0882

MEDIUM

CVSS:6.3(Medium)

Multiple versions of GitLab expose sensitive user credentials when assigning a user to an issue or merge request. A fix was included in versions 8.15.8, 8.16.7, and 8.17.4, which were released on Marc...

CWE-6392017