CVE-2021-42192

8.8 HIGH

📋 TL;DR

CVE-2021-42192 is an incorrect access control vulnerability in Konga v0.14.9 that allows authenticated users to escalate privileges to admin level through specially crafted requests. This affects all Konga installations running the vulnerable version. Attackers can gain full administrative control over the Kong API gateway management interface.

💻 Affected Systems

Products:
  • Konga
Versions: v0.14.9 and earlier
Operating Systems: All platforms running Konga
Default Config Vulnerable: ⚠️ Yes
Notes: All Konga deployments using the vulnerable version are affected regardless of configuration.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of Kong API gateway management, allowing attackers to reconfigure API routes, expose sensitive data, disrupt services, and potentially pivot to backend systems.

🟠 Likely Case

Unauthorized administrative access leading to API gateway configuration changes, service disruption, and potential data exposure.

🟢 If Mitigated

Limited impact if proper network segmentation, authentication controls, and monitoring are in place to detect unusual administrative activity.

🌐 Internet-Facing: HIGH - Konga is typically deployed as a web interface for Kong API gateway management, often exposed to internal or external networks.
🏢 Internal Only: HIGH - Even internally deployed instances are at risk from insider threats or compromised internal accounts.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires authenticated user access but is trivial to execute once authenticated. Public exploit code is available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v0.14.10 and later

Vendor Advisory: https://github.com/pantsel/konga/commit/d61535277aced18b5be0313ab2d124f60f649978

Restart Required: Yes

Instructions:

1. Back up the current Konga configuration and data.
2. Update Konga to version 0.14.10 or later.
3. Restart the Konga service.
4. Verify the fix by checking the version and testing that privilege escalation attempts fail.

🔧 Temporary Workarounds

Network Access Restriction

Platform: all

Restrict network access to the Konga interface to only trusted IP addresses or VPN users.

Use firewall rules (e.g., iptables, AWS Security Groups, Azure NSG) to limit access.

Enhanced Authentication

Platform: all

Implement additional authentication layers such as IP whitelisting, VPN access, or multi-factor authentication.

Configure Konga behind a reverse proxy with additional auth (e.g., nginx auth_basic, OAuth proxy).

🧯 If You Can't Patch

  • Implement strict network segmentation and limit Konga access to only necessary administrative users
  • Enable detailed logging and monitoring for privilege escalation attempts and unusual administrative activities

🔍 How to Verify

Check if Vulnerable:

Check Konga version via web interface or by examining the running container/process. Version 0.14.9 or earlier is vulnerable.

Check Version:

Check Konga web interface footer or API endpoint, or run: docker inspect konga_container | grep -i version

Verify Fix Applied:

After updating, verify version is 0.14.10 or later. Test with authenticated non-admin user attempting privilege escalation - should fail.

📡 Detection & Monitoring

Log Indicators:

  • Unusual user privilege changes
  • Multiple failed admin access attempts from non-admin users
  • User role modification logs showing escalation

Network Indicators:

  • HTTP POST requests to user/role modification endpoints from non-admin accounts
  • Unusual API calls to administrative endpoints

SIEM Query:

source="konga" AND (event="user_role_change" OR event="privilege_escalation" OR (status="403" AND path="/api/user/*"))
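As an added example that is not part of this advisory, the following Python script turns the log and network indicators above into a small detector run over constructed sample lines. The JSON-per-line layout and the field names (user, role, method, path, status, event, target, new_role) are assumptions; Konga's actual audit log schema is not given here.

```python
import json
from collections import defaultdict

# Constructed sample log lines in an assumed JSON-per-line format.
# Field names are assumptions, not Konga's real log schema.
SAMPLE_LOGS = [
    '{"ts": 1, "user": "alice", "role": "user", "method": "GET", "path": "/api/user/self", "status": 200}',
    '{"ts": 2, "user": "bob", "role": "user", "method": "POST", "path": "/api/user/3", "status": 403}',
    '{"ts": 3, "user": "bob", "role": "user", "method": "PUT", "path": "/api/user/3", "status": 403}',
    '{"ts": 4, "user": "bob", "role": "user", "method": "PUT", "path": "/api/user/3", "status": 403}',
    '{"ts": 5, "user": "bob", "role": "user", "event": "user_role_change", "target": "bob", "new_role": "admin"}',
    '{"ts": 6, "user": "admin", "role": "admin", "event": "user_role_change", "target": "carol", "new_role": "user"}',
]

USER_PATH_PREFIX = "/api/user/"          # path family named in the SIEM query
FAILED_ATTEMPT_THRESHOLD = 3             # "multiple" failed attempts from one account

def detect(lines, threshold=FAILED_ATTEMPT_THRESHOLD):
    """Return (rule, user, detail) alerts for the advisory's indicators.

    Rule 1: a role change performed by a non-admin actor, or one that grants
            admin to the actor's own account ("role modification showing escalation").
    Rule 2: `threshold` or more 403s on /api/user/* write requests from the same
            non-admin account ("multiple failed admin access attempts").
    """
    alerts = []
    denied = defaultdict(int)
    for raw in lines:
        rec = json.loads(raw)
        user, role = rec.get("user"), rec.get("role")
        if rec.get("event") == "user_role_change":
            self_grant = rec.get("target") == user and rec.get("new_role") == "admin"
            if role != "admin" or self_grant:
                alerts.append(("role_change_by_non_admin", user, rec))
        elif (rec.get("status") == 403 and role != "admin"
              and rec.get("method") in ("POST", "PUT", "PATCH", "DELETE")
              and str(rec.get("path", "")).startswith(USER_PATH_PREFIX)):
            denied[user] += 1
            if denied[user] == threshold:      # alert once when the threshold is hit
                alerts.append(("repeated_403_on_user_api", user, denied[user]))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(*alert)
```

On the sample data this raises two alerts for "bob": three denied writes to /api/user/3, then a self-granted admin role; the admin's legitimate change of carol's role is not flagged.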
