CVE-2021-21276

9.3 CRITICAL

📋 TL;DR

CVE-2021-21276 is a critical authentication bypass vulnerability in Polr URL shortener that allows unauthenticated attackers to gain administrative access by exploiting a loose comparison flaw in the setup process. All Polr instances running versions before 2.3.0 are affected regardless of configuration settings. Attackers can craft malicious requests to the /setup/finish endpoint to take over the admin account.

💻 Affected Systems

Products:
  • Polr URL Shortener
Versions: All versions before 2.3.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists regardless of configuration settings. Every instance on which the setup endpoint is reachable is vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the Polr instance with attacker gaining full administrative control, allowing them to modify all shortened URLs, steal analytics data, redirect legitimate traffic to malicious sites, and potentially pivot to other systems.

🟠 Likely Case

Attackers gain admin access and use the platform for phishing campaigns by modifying existing shortened URLs to point to malicious destinations, compromising all users who click on previously trusted links.

🟢 If Mitigated

With proper network segmentation and monitoring, impact is limited to the Polr instance itself, though administrative control loss still represents significant business risk.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit requires crafting specific cookie headers to the /setup/finish endpoint. Public exploit code is available in Packet Storm references.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.3.0

Vendor Advisory: https://github.com/cydrobolt/polr/security/advisories/GHSA-vg6w-8w9v-xxqc

Restart Required: Yes

Instructions:

1. Upgrade to Polr version 2.3.0 or later.
2. Replace the loose comparison (==) with a strict comparison (===) in SetupController.php.
3. Ensure /setup/finish verifies that no users table exists before performing migrations or provisioning accounts.
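The defect class behind steps 2 and 3, shown as an added example (not Polr's own code): a setup-key check written with PHP's loose `==` beside a hardened check that also refuses to run once a users table exists. The function and parameter names (setupKeyMatchesLoose, setupKeyMatchesStrict, finishSetupAllowed, the $usersTableExists flag) and the sample key are assumptions for illustration; Polr's real SetupController.php is structured differently. Requires PHP 8 for the `mixed` type.

```php
<?php
// Added example, not Polr's code. Illustrates a setup-key check using PHP's
// loose == operator next to a hardened version. All names below are
// assumptions for this illustration.

declare(strict_types=1);

// Vulnerable pattern: == applies type juggling before comparing. Two numeric
// strings are compared as numbers ("1e3" and "1000" compare equal), and a
// boolean true compares equal to any non-empty string other than "0", so the
// submitted value does not have to be the real key.
function setupKeyMatchesLoose(mixed $submitted, string $expected): bool
{
    return $submitted == $expected;
}

// Hardened pattern: accept only strings and compare with hash_equals(), which
// is strict (no juggling) and constant-time for equal-length inputs. A plain
// === also removes the juggling; hash_equals() is the usual choice for secrets.
function setupKeyMatchesStrict(mixed $submitted, string $expected): bool
{
    if (!is_string($submitted)) {
        return false;
    }
    return hash_equals($expected, $submitted);
}

// Gate for the finish step (step 3 above): never re-run provisioning on an
// instance that already has a users table, whatever key is presented. In a
// Laravel app the flag would come from a schema check such as
// Schema::hasTable('users') (assumption: not Polr's actual code).
function finishSetupAllowed(mixed $submittedKey, string $expectedKey, bool $usersTableExists): bool
{
    if ($usersTableExists) {
        return false;
    }
    return setupKeyMatchesStrict($submittedKey, $expectedKey);
}

// Walk-through with constructed values (the key is made up for the example).
$realKey = 'a9f3c0d1e2b4';
$cases = [
    ['1e3', '1000'],        // numeric-string juggling under ==
    [true, $realKey],       // boolean juggling under ==
    [$realKey, $realKey],   // the genuine key: both checks agree
];
foreach ($cases as [$submitted, $expected]) {
    printf(
        "%-16s loose=%-5s strict=%s\n",
        var_export($submitted, true),
        var_export(setupKeyMatchesLoose($submitted, $expected), true),
        var_export(setupKeyMatchesStrict($submitted, $expected), true)
    );
}
// Already-provisioned instance: refused even with the genuine key.
var_dump(finishSetupAllowed($realKey, $realKey, true));
```

The first two cases pass the loose check and fail the strict one; the third passes both. The users-table gate is independent of the key comparison, so even a correct key cannot re-provision an instance that is already set up.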

🔧 Temporary Workarounds

Manual code patch without upgrade

Platform: all

Edit SetupController.php and add 'abort(404);' as the first line of the finishSetup function, so the endpoint returns 404 before any setup logic runs. This blocks exploitation without upgrading.

Block setup endpoint access

Platform: linux

Restrict access to the /setup/* endpoints via web server configuration or firewall rules, for example:

# Apache:
<Location "/setup/">
    Require all denied
</Location>

# Nginx:
location /setup/ { deny all; }

🧯 If You Can't Patch

  • Immediately restrict network access to Polr instance using firewall rules to limit exposure
  • Implement strict monitoring on /setup/finish endpoint access and alert on any requests to this path

🔍 How to Verify

Check if Vulnerable:

Check whether the Polr version is below 2.3.0 and whether the /setup/finish endpoint is reachable without authentication.

Check Version:

Check the Polr version in the admin panel or in the composer.json file.

Verify Fix Applied:

Verify that the Polr version is 2.3.0 or higher, and confirm that the /setup/finish endpoint validates the setup key with a strict comparison.

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests to /setup/finish endpoint with crafted cookie headers
  • Unusual admin account creation or login events

Network Indicators:

  • POST requests to /setup/finish with specific cookie patterns
  • Unusual traffic patterns following setup endpoint access

SIEM Query:

source="web_server" AND (url_path="/setup/finish" OR user_agent CONTAINS "polr")
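The log indicators above, turned into a small offline check as an added example that is not part of the advisory or of Polr: it scans access-log lines in the Apache/Nginx combined format and reports every request under /setup/, marking /setup/finish hits separately. The log lines are constructed for this example, and the function names (sampleAccessLog, findSetupRequests) and the LOG_LINE_RE pattern are assumptions; the combined format does not record the Cookie header, so cookie contents are not available to this scan.

```php
<?php
// Added detection example (not from the advisory or Polr). Flags requests
// under /setup/ in combined-format access logs. Sample lines are constructed.

declare(strict_types=1);

// Constructed sample access log (combined format); not real traffic.
function sampleAccessLog(): string
{
    return <<<'LOG'
203.0.113.5 - - [10/Feb/2021:12:00:01 +0000] "GET /admin HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Feb/2021:12:00:02 +0000] "POST /setup/finish HTTP/1.1" 200 512 "-" "curl/7.68.0"
198.51.100.7 - - [10/Feb/2021:12:00:03 +0000] "GET /abc123 HTTP/1.1" 301 0 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Feb/2021:12:00:04 +0000] "GET /setup/finish/?x=1 HTTP/1.1" 404 0 "-" "curl/7.68.0"
LOG;
}

// client_ip ident user [timestamp] "METHOD target PROTO" status ...
const LOG_LINE_RE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) /';
const SETUP_PREFIX = '/setup/';

// Returns one finding per request whose path starts with /setup/.
function findSetupRequests(string $log): array
{
    $findings = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        if (!preg_match(LOG_LINE_RE, $line, $m)) {
            continue; // not a combined-format line; skip it
        }
        [, $ip, $time, $method, $target, $status] = $m;

        // Compare on the path only, so query strings and trailing slashes
        // cannot hide the endpoint from the check.
        $path = parse_url($target, PHP_URL_PATH);
        if (!is_string($path)) {
            $path = $target;
        }
        if (strncmp($path, SETUP_PREFIX, strlen(SETUP_PREFIX)) !== 0) {
            continue;
        }
        $findings[] = [
            'ip'     => $ip,
            'time'   => $time,
            'method' => $method,
            'path'   => $path,
            'status' => (int) $status,
            // The endpoint named by the advisory: provisioning happens here.
            'finish' => rtrim($path, '/') === '/setup/finish',
        ];
    }
    return $findings;
}

foreach (findSetupRequests(sampleAccessLog()) as $f) {
    printf(
        "%s %-14s %-4s %-16s -> %d%s\n",
        $f['time'], $f['ip'], $f['method'], $f['path'], $f['status'],
        $f['finish'] ? '  [setup/finish]' : ''
    );
}
```

On an instance that completed setup long ago there is no legitimate reason for any request under /setup/, so a single hit is worth an alert; a POST to /setup/finish answered with a 2xx status on such an instance should be treated as a possible admin takeover and followed by a review of admin accounts and recent URL changes. Status codes come from the log, so a 404 on the same path also confirms that the blocking workaround above is in effect.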

🔗 References
