CVE-2021-32691

Auto-merging Person Records Compromised

Description

Apollos Apps is an open source platform for launching church-related apps. In Apollos Apps versions prior to 2.20.0, new user registrations are able to access anyone's account by only knowing their basic profile information (name, birthday, gender, etc). This includes all app functionality within the app, as well as any authenticated links to Rock-based webpages (such as giving and events). There is a patch in version 2.20.0. As a workaround, one can patch one's server by overriding the `create` data source method on the `People` class.

References

Link	Tags
https://github.com/ApollosProject/apollos-apps/security/advisories/GHSA-r578-pj6f-r4ff	mitigation third party advisory
https://github.com/ApollosProject/apollos-apps/commit/cb5f8f1c0b24f1b215b2bb5eb6f9a8e16d728ce2	third party advisory patch
https://github.com/ApollosProject/apollos-apps/releases/tag/v2.20.0	third party advisory patch

Frequently Asked Questions

What is the severity of CVE-2021-32691?: CVE-2021-32691 has been scored as a high severity vulnerability.
How to fix CVE-2021-32691?: To fix CVE-2021-32691, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2021-32691 being actively exploited in the wild?: As for now, there are no information to confirm that CVE-2021-32691 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2021-32691?: CVE-2021-32691 affects ApollosProject apollos-apps.

Description

Categories

CWE-303 – Incorrect Implementation of Authentication Algorithm

CWE-287 – Improper Authentication

References

Frequently Asked Questions