CVE-2021-21399
Published: 13 April 2021
Summary
CVE-2021-21399 is a critical-severity Improper Access Control (CWE-284) vulnerability in Ampache Ampache. Its CVSS base score is 9.1 (Critical).
Operationally, ranked in the top 40.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-8696
Vulnerability details
Ampache is a web based audio/video streaming application and file manager. Versions prior to 4.4.1 allow unauthenticated access to Ampache using the subsonic API. To successfully make the attack you must use a username that is not part of the…
more
site to bypass the auth checks. For more details and workaround guidance see the referenced GitHub security advisory.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
The awareness and training policy mandates training on access control practices, directly reducing the likelihood of improper access control weaknesses being introduced or exploited.
Training covers access control policies and the consequences of improper access grants or usage by users.
Security training teaches access control policies and enforcement, reducing improper access control implementations.
Provides capability to review session content, directly detecting violations of access control.
System audit review detects violations of access controls by identifying unauthorized access attempts.
Control assessments verify that access controls are implemented correctly and operating as intended, detecting improper access control before exploitation.
Requiring formal approval, documented controls, and responsibilities for inter-system exchanges directly enforces proper access control between systems.
Penetration testing simulates unauthorized access attempts, directly detecting and enabling remediation of improper access control weaknesses.