CVE-2021-39174

8.8 HIGH

📋 TL;DR

CVE-2021-39174 allows authenticated users in Cachet status page systems to leak sensitive configuration values like application secrets and database passwords. This affects all authenticated users regardless of privilege level. The vulnerability enables attackers to escalate privileges and potentially achieve remote code execution.

💻 Affected Systems

Products:
  • Cachet
Versions: All versions prior to 2.5.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated user access, but both regular users and admins are affected.


⚠️ Risk & Real-World Impact

🔴 Worst Case: Full system compromise via remote code execution using the leaked APP_KEY, leading to data theft, service disruption, and lateral movement.

🟠 Likely Case: Sensitive configuration exposure including database credentials and email passwords, enabling privilege escalation and data exfiltration.

🟢 If Mitigated: Limited impact with proper network segmentation and access controls, though configuration exposure still poses a risk.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access but is straightforward once authenticated.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.5.1

Vendor Advisory: https://github.com/fiveai/Cachet/security/advisories/GHSA-88f9-7xxh-c688

Restart Required: Yes

Instructions:

1. Back up your current installation.
2. Update to Cachet version 2.5.1 or later.
3. Restart the Cachet service.
4. Regenerate APP_KEY if it was potentially exposed.

🔧 Temporary Workarounds

Restrict Admin Dashboard Access

Limit access to the Cachet administration dashboard to trusted source IP addresses only.

# Configure firewall rules to restrict access to the Cachet admin interface
# (assumes Cachet listens on TCP port 8000; replace TRUSTED_IP with your address or range)
# Rule order matters: the ACCEPT for the trusted source must come before the catch-all DROP
iptables -A INPUT -p tcp --dport 8000 -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 8000 -j DROP

🧯 If You Can't Patch

  • Implement strict network access controls to limit Cachet admin interface to trusted IPs only
  • Rotate all potentially exposed secrets including APP_KEY, database passwords, and email credentials

🔍 How to Verify

Check if Vulnerable:

Check the Cachet version: if it is lower than 2.5.1, the system is vulnerable.

Check Version:

php artisan --version

Verify Fix Applied:

Verify that the Cachet version is 2.5.1 or higher, and test that configuration values can no longer be retrieved via authenticated requests from a non-admin user.

📡 Detection & Monitoring

Log Indicators:

  • Unusual configuration access patterns
  • Multiple failed authentication attempts followed by successful login
  • Requests to configuration endpoints from non-admin users

Network Indicators:

  • Traffic to Cachet admin endpoints from unexpected sources
  • Unusual outbound connections after configuration access

SIEM Query:

source="cachet.logs" AND (uri_path="/api/v1/config*" OR uri_path="/dashboard/config*") AND user_role!="admin"
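The SIEM query above expresses the detection as a filter; the following is an added, stand-alone illustration of the same logic (not part of this card and not Cachet's own logging code) that runs over constructed sample log lines. The JSON log format and its field names (user, user_role, uri_path, src_ip) are assumptions chosen to mirror the query's fields; adapt them to whatever your reverse proxy or SIEM actually emits.

```python
"""Flag Cachet requests to configuration endpoints made by non-admin users.

Added illustration for CVE-2021-39174 detection; not Cachet's own code.
The log line format (one JSON object per line with user, user_role, uri_path
and src_ip fields) and the sample entries are CONSTRUCTED assumptions.
"""
import json
from fnmatch import fnmatch
from typing import Optional

# Same endpoint patterns as the SIEM query on the card (wildcards intact).
CONFIG_PATHS = ("/api/v1/config*", "/dashboard/config*")

# Constructed sample log lines; nothing here comes from a real Cachet deployment.
# The last line is deliberately malformed to show that bad lines are skipped, not fatal.
SAMPLE_LOG = """\
{"ts":"2021-09-01T10:00:01Z","src_ip":"198.51.100.7","user":"alice","user_role":"admin","uri_path":"/dashboard/config","status":200}
{"ts":"2021-09-01T10:00:05Z","src_ip":"198.51.100.9","user":"bob","user_role":"user","uri_path":"/dashboard/incidents","status":200}
{"ts":"2021-09-01T10:00:09Z","src_ip":"203.0.113.44","user":"bob","user_role":"user","uri_path":"/dashboard/config/analytics","status":200}
{"ts":"2021-09-01T10:00:12Z","src_ip":"203.0.113.44","user":"bob","user_role":"user","uri_path":"/api/v1/config","status":200}
{"ts":"2021-09-01T10:00:20Z","src_ip":"203.0.113.44","user":"bob","user_role":"user","uri_path":"/api/v1/components","status":200}
not a json line
"""


def is_config_path(path: str) -> bool:
    """True if the request path matches one of the configuration endpoint patterns."""
    # fnmatch's '*' also matches '/', so '/dashboard/config*' covers sub-paths too.
    return any(fnmatch(path, pat) for pat in CONFIG_PATHS)


def parse_line(line: str) -> Optional[dict]:
    """Return the parsed record, or None for malformed lines (skipped, not fatal)."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return None
    return rec if isinstance(rec, dict) else None


def find_suspicious(log_text: str) -> list:
    """Records that hit a configuration endpoint without the admin role."""
    hits = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if is_config_path(rec.get("uri_path", "")) and rec.get("user_role") != "admin":
            hits.append(rec)
    return hits


def summarize(hits: list) -> dict:
    """Group hits per user so one actor probing config endpoints stands out."""
    summary = {}
    for h in hits:
        entry = summary.setdefault(h["user"], {"count": 0, "src_ips": set(), "paths": set()})
        entry["count"] += 1
        entry["src_ips"].add(h["src_ip"])
        entry["paths"].add(h["uri_path"])
    return summary


if __name__ == "__main__":
    for user, info in summarize(find_suspicious(SAMPLE_LOG)).items():
        print(f"{user}: {info['count']} config-endpoint request(s) "
              f"from {sorted(info['src_ips'])}: {sorted(info['paths'])}")
```

On the sample input only bob's two config-endpoint requests are reported; alice's request is ignored because her role is admin. Grouping per user matches how the card frames the indicator (requests to configuration endpoints from non-admin users) and makes a single account touching several config paths easy to spot.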
