CVE-2021-36758: Input Validation
First published: Thu Jul 15 2021(Updated: )
1Password Connect server before 1.2 is missing validation checks, permitting users to create Secrets Automation access tokens that can be used to perform privilege escalation. Malicious users authorized to create Secrets Automation access tokens can create tokens that have access beyond what the user is authorized to access, but limited to the existing authorizations of the Secret Automation the token is created in.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| 1Password | <1.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2021-36758?
CVE-2021-36758 is considered a high severity vulnerability due to the potential for privilege escalation through unauthorized access tokens.
How do I fix CVE-2021-36758?
To fix CVE-2021-36758, update your 1Password Connect server to version 1.2 or later.
Who is affected by CVE-2021-36758?
CVE-2021-36758 affects users of the 1Password Connect server version prior to 1.2.
What are the consequences of CVE-2021-36758?
The consequences of CVE-2021-36758 include the potential for unauthorized users to create access tokens that allow privilege escalation.
Is there a workaround for CVE-2021-36758?
There is no specific workaround for CVE-2021-36758; the only resolution is to upgrade to a patched version.
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/severity
- agent/remedy
- agent/references
- agent/author
- agent/last-modified-date
- agent/description
- agent/first-publish-date
- agent/event
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/1password
- canonical/1password