Vulnerability Details CVE-2021-39192
Ghost is a Node.js content management system. An error in the implementation of the limits service between versions 4.0.0 and 4.9.4 allows all authenticated users (including contributors) to view admin-level API keys via the integrations API endpoint, leading to a privilege escalation vulnerability. This issue is patched in Ghost version 4.10.0. As a workaround, disable all non-Administrator accounts to prevent API access. It is highly recommended to regenerate all API keys after patching or applying the workaround.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.004
EPSS Ranking 59.6%
CVSS Severity
CVSS v3 Score 6.5
CVSS v2 Score 6.5
References
Products affected by CVE-2021-39192
-
cpe:2.3:a:ghost:ghost:4.0.0
-
cpe:2.3:a:ghost:ghost:4.0.1
-
cpe:2.3:a:ghost:ghost:4.1.0
-
cpe:2.3:a:ghost:ghost:4.1.1
-
cpe:2.3:a:ghost:ghost:4.1.2
-
cpe:2.3:a:ghost:ghost:4.2.0
-
cpe:2.3:a:ghost:ghost:4.2.1
-
cpe:2.3:a:ghost:ghost:4.2.2
-
cpe:2.3:a:ghost:ghost:4.3.0
-
cpe:2.3:a:ghost:ghost:4.3.1
-
cpe:2.3:a:ghost:ghost:4.3.2
-
cpe:2.3:a:ghost:ghost:4.3.3
-
cpe:2.3:a:ghost:ghost:4.4.0
-
cpe:2.3:a:ghost:ghost:4.5.0
-
cpe:2.3:a:ghost:ghost:4.6.0
-
cpe:2.3:a:ghost:ghost:4.6.1
-
cpe:2.3:a:ghost:ghost:4.6.2
-
cpe:2.3:a:ghost:ghost:4.6.3
-
cpe:2.3:a:ghost:ghost:4.6.4
-
cpe:2.3:a:ghost:ghost:4.6.5
-
cpe:2.3:a:ghost:ghost:4.6.6
-
cpe:2.3:a:ghost:ghost:4.7.0
-
cpe:2.3:a:ghost:ghost:4.8.0
-
cpe:2.3:a:ghost:ghost:4.8.1
-
cpe:2.3:a:ghost:ghost:4.8.2
-
cpe:2.3:a:ghost:ghost:4.8.3
-
cpe:2.3:a:ghost:ghost:4.8.4
-
cpe:2.3:a:ghost:ghost:4.9.0
-
cpe:2.3:a:ghost:ghost:4.9.1
-
cpe:2.3:a:ghost:ghost:4.9.2
-
cpe:2.3:a:ghost:ghost:4.9.3
-
cpe:2.3:a:ghost:ghost:4.9.4