CVE-2021-32691

8.8 HIGH

📋 TL;DR

CVE-2021-32691 is an authentication bypass in Apollos Apps. The registration flow resolves a new signup to an existing person record when the supplied name, birthday and gender match, and then signs the new user in as that person. Anyone who can self-register and knows those details about a victim is therefore logged in as the victim, with access to everything the app and its authenticated web pages expose for that account. All Apollos Apps releases before 2.20.0 are affected.

💻 Affected Systems

Products:
  • Apollos Apps
Versions: All versions prior to 2.20.0
Operating Systems: All platforms running Apollos Apps
Default Config Vulnerable: ⚠️ Yes
Notes: This affects the core authentication mechanism, so all deployments using vulnerable versions are affected regardless of configuration.

📦 What is this software?

Apollos Apps (github.com/ApollosProject/apollos-apps) is an open-source platform for church mobile apps: a Node.js GraphQL API server with data connectors to church management systems such as Rock RMS, plus React Native client apps. User identities are created and matched by the People data source in the API server, which is where this bug lives.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers gain full access to all user accounts, including administrative functions, financial transactions (giving), and sensitive personal data, potentially leading to financial fraud, data theft, and complete system compromise.

🟠

Likely Case

Unauthorized access to user accounts leading to privacy violations, manipulation of user data, and potential abuse of app functionality like event registrations or communications.

🟢

If Mitigated

With proper authentication controls, users can only access their own accounts, maintaining proper access boundaries and data confidentiality.

🌐 Internet-Facing: HIGH - Apollos Apps are typically deployed as internet-facing applications for church communities, making them directly accessible to attackers.
🏢 Internal Only: MEDIUM - Even if deployed internally, the vulnerability could be exploited by malicious insiders or through compromised internal systems.

🎯 Exploit Status

Public PoC: No (none known)
Weaponized: Likely (the advisory describes everything needed; no exploit code is required)
Unauthenticated Exploit: ⚠️ Yes (the attacker needs no credentials, only the ability to self-register)
Complexity: LOW

The attacker needs only the victim's name, birthday and gender, details that are often public or easily guessed, so exploitation amounts to filling in the registration form with someone else's profile.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.20.0

Vendor Advisory: https://github.com/ApollosProject/apollos-apps/security/advisories/GHSA-r578-pj6f-r4ff

Restart Required: Yes

Instructions:

1. Update Apollos Apps to version 2.20.0 or later; this release contains the fix (commit cb5f8f1c0b24f1b215b2bb5eb6f9a8e16d728ce2).
2. If you cannot move to 2.20.0 yet, cherry-pick that commit onto your deployment instead.
3. Restart the application server so the new code is loaded.
4. Confirm that the create method of the People data source no longer returns an existing person for a new registration (re-run the registration test under How to Verify).

🔧 Temporary Workarounds

Override the People data source's create method

Applies to: all affected versions

If you cannot update, patch the server yourself by overriding the create data source method on the People class so that a new registration is never resolved to an existing person on profile fields alone. Require proof of identity beyond name, birthday and gender (for example, a verified email address or phone number already bound to the account) before create returns an existing record; otherwise create a new person record and leave de-duplication to a verified channel.
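The following is an added illustrative example, not Apollos code and not the actual 2.20.0 fix: it models the "match or create" pattern that produces the bypass beside a hardened create override with the property the workaround above asks for. The PeopleStore, the class names, the profile field names and the identity argument are all assumptions made for this illustration; the real People data source has a different shape.

```javascript
// Added example, not Apollos code: a minimal model of the "match or create"
// pattern behind the bypass, beside a hardened `create` override.
// The PeopleStore, the class names, the profile field names and the
// `identity` argument are all assumptions made for this illustration.

// Constructed in-memory stand-in for the real people backend.
class PeopleStore {
  constructor() {
    this.people = new Map();
    this.nextId = 1;
  }

  // Look up a person by the "public" profile fields used at registration.
  findByProfile({ firstName, lastName, birthDate, gender }) {
    for (const p of this.people.values()) {
      if (p.firstName === firstName && p.lastName === lastName &&
          p.birthDate === birthDate && p.gender === gender) {
        return p;
      }
    }
    return null;
  }

  // Look up a person by an email address bound to the record (case-insensitive).
  findByEmail(email) {
    const wanted = String(email).toLowerCase();
    for (const p of this.people.values()) {
      if (p.email && p.email.toLowerCase() === wanted) return p;
    }
    return null;
  }

  insert(fields) {
    const person = { id: `person-${this.nextId++}`, ...fields };
    this.people.set(person.id, person);
    return person;
  }
}

// Vulnerable pattern: registration calls create(), create() returns any
// existing person whose profile matches, and the caller mints a session for
// the returned id. A stranger who knows a victim's name, birthday and gender
// is therefore logged in as the victim.
class VulnerablePeople {
  constructor(store) {
    this.store = store;
  }

  create(profile) {
    const existing = this.store.findByProfile(profile);
    if (existing) return existing; // the bypass: no proof of identity required
    return this.store.insert(profile);
  }
}

// Hardened override: profile fields never decide which record a signup gets.
// The only way to attach to an existing person is a credential the auth layer
// has verified (here an email) that is already bound to that record; anything
// else gets a fresh record, and de-duplication happens later out of band.
class HardenedPeople extends VulnerablePeople {
  create(profile, identity = {}) {
    if (identity.emailVerified) {
      const owner = this.store.findByEmail(identity.email);
      if (owner) return owner;
      return this.store.insert({ ...profile, email: String(identity.email).toLowerCase() });
    }
    return this.store.insert({ ...profile, email: null });
  }
}

// Replays the attack against both implementations and reports the outcome.
function scenario() {
  const victim = { firstName: 'Jane', lastName: 'Doe', birthDate: '1985-04-12', gender: 'Female' };

  const vuln = new VulnerablePeople(new PeopleStore());
  const vulnVictim = vuln.create(victim);           // the victim's real registration
  const vulnAttacker = vuln.create({ ...victim });  // attacker supplies the same public fields

  const hard = new HardenedPeople(new PeopleStore());
  const hardVictim = hard.create(victim, { email: 'jane@example.org', emailVerified: true });
  const hardAttacker = hard.create({ ...victim });  // no verified credential
  const hardOwner = hard.create({ ...victim }, { email: 'Jane@Example.org', emailVerified: true });

  return {
    vulnerableTakeover: vulnAttacker.id === vulnVictim.id, // true: attacker holds the victim's id
    hardenedTakeover: hardAttacker.id === hardVictim.id,   // false: attacker gets a fresh record
    hardenedVerifiedLink: hardOwner.id === hardVictim.id,  // true: the real owner can reattach
  };
}

console.log(scenario());
```

The point to carry over to a real override is the second class: the lookup that returns an existing record must be keyed on something the caller has proven control of, never on the profile fields a registration form accepts from anyone.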

🧯 If You Can't Patch

  • Restrict or disable self-service registration until you can patch, since registration is the path the bypass uses; adding a second factor to login does not close this path on its own, because the takeover happens during registration rather than login
  • Limit registration to trusted networks or rate-limit it per source IP where your deployment allows it
  • Monitor registration and account access logs for the patterns under Detection & Monitoring and alert on them

🔍 How to Verify

Check if Vulnerable:

Check if Apollos Apps version is below 2.20.0. Test if new user registration with basic profile information can access existing user accounts.

Check Version:

Check package.json or application configuration for Apollos Apps version

Verify Fix Applied:

Verify version is 2.20.0 or higher. Test that user registration with only basic profile information cannot access other user accounts.

📡 Detection & Monitoring

Log Indicators:

  • Multiple account access attempts with similar profile information
  • User accounts accessed from unusual locations or devices
  • Failed authentication attempts followed by successful access with minimal credentials

Network Indicators:

  • Unusual patterns of API calls to user authentication endpoints
  • Multiple registration attempts from single IP addresses

SIEM Query:

Illustrative pseudo-query; the source and field names are placeholders, since Apollos Apps does not emit these fields out of the box, so map them to whatever your server records at registration:

source="apollos-logs" AND event="registration" AND (person_created_at < event_time OR count_by(source_ip) > 3)
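The indicators above, as detection logic run over constructed sample log lines. This is an added example, not an Apollos feature or log format: the JSON fields (event, ip, person_id, person_created_at) and the line shape are assumptions, and the sample lines are constructed for the demonstration. The direct signature of this bug is a registration event that resolved to a person record created well before the registration itself; a burst of registrations from one source is the supporting signal.

```javascript
// Added example, not an Apollos feature: detection logic over constructed
// JSON audit log lines. Field names are assumptions; map them to what your
// server actually logs at registration.

// Constructed sample: one legitimate signup from 198.51.100.2, then a burst
// from 203.0.113.7 in which two "registrations" resolve to person records
// created years earlier, followed by access to one of those accounts.
const SAMPLE_LOGS = [
  '{"ts":"2021-06-02T09:00:00Z","event":"registration","ip":"198.51.100.2","person_id":"p-2001","person_created_at":"2021-06-02T09:00:00Z"}',
  '{"ts":"2021-06-02T09:05:10Z","event":"registration","ip":"203.0.113.7","person_id":"p-2002","person_created_at":"2021-06-02T09:05:10Z"}',
  '{"ts":"2021-06-02T09:05:40Z","event":"registration","ip":"203.0.113.7","person_id":"p-0007","person_created_at":"2019-03-14T12:00:00Z"}',
  '{"ts":"2021-06-02T09:06:15Z","event":"registration","ip":"203.0.113.7","person_id":"p-0009","person_created_at":"2020-11-02T08:30:00Z"}',
  '{"ts":"2021-06-02T09:06:50Z","event":"registration","ip":"203.0.113.7","person_id":"p-2003","person_created_at":"2021-06-02T09:06:50Z"}',
  '{"ts":"2021-06-02T09:07:00Z","event":"user_access","ip":"203.0.113.7","person_id":"p-0007"}',
  'not json at all',
];

const DEFAULTS = {
  maxRegistrationsPerIp: 3, // flag a source once it reaches this many registrations
  graceMs: 60 * 1000,       // tolerate clock skew between the event and the record timestamp
};

// Scans log lines and returns registrations bound to pre-existing records,
// sources with too many registrations, and the number of unparseable lines.
function analyzeRegistrations(lines, opts = {}) {
  const { maxRegistrationsPerIp, graceMs } = { ...DEFAULTS, ...opts };
  const takeoverSuspects = [];
  const perIp = new Map();
  let skippedLines = 0;

  for (const line of lines) {
    let rec;
    try {
      rec = JSON.parse(line);
    } catch (e) {
      skippedLines++; // malformed line: count it rather than abort the scan
      continue;
    }
    if (rec.event !== 'registration') continue;

    perIp.set(rec.ip, (perIp.get(rec.ip) || 0) + 1);

    // Primary indicator: a "new" registration that landed on a record
    // created long before the registration happened.
    const ts = Date.parse(rec.ts);
    const created = Date.parse(rec.person_created_at);
    if (Number.isFinite(ts) && Number.isFinite(created) && ts - created > graceMs) {
      takeoverSuspects.push({ ts: rec.ts, ip: rec.ip, person_id: rec.person_id });
    }
  }

  // Supporting indicator: many registrations from a single source.
  const noisyIps = [...perIp.entries()]
    .filter(([, n]) => n >= maxRegistrationsPerIp)
    .map(([ip, registrations]) => ({ ip, registrations }));

  return { takeoverSuspects, noisyIps, skippedLines };
}

console.log(JSON.stringify(analyzeRegistrations(SAMPLE_LOGS), null, 2));
```

A legitimate fresh signup has a person_created_at equal to, or within seconds of, the event time, so the grace window keeps ordinary registrations out of the suspect list; tune maxRegistrationsPerIp to your normal signup rate before alerting on it.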

🔗 References

  • Vendor advisory: https://github.com/ApollosProject/apollos-apps/security/advisories/GHSA-r578-pj6f-r4ff
  • Fixing commit: cb5f8f1c0b24f1b215b2bb5eb6f9a8e16d728ce2 (included in release 2.20.0)