CVE-2021-38384
Access Control vulnerability in serverless-offline (npm)
What is CVE-2021-38384 About?
Serverless Offline 8.0.0 exhibits a discrepancy in HTTP status codes for routes with trailing slashes compared to AWS, potentially leading to incorrect access control implementations. This misalignment could result in a developer granting greater permissions than intended due to a false sense of security during local testing. Exploitation ease depends on a developer misinterpreting this behavior and deploying an insecure configuration.
Affected Software
Technical Details
The vulnerability stems from a behavioral inconsistency between Serverless Offline version 8.0.0 and the actual Amazon AWS environment regarding routes with trailing / characters. Specifically, Serverless Offline returns a 403 HTTP status code (Forbidden) for such routes, implying access control is correctly enforced or denied. However, the exact same route in the Amazon AWS environment returns a 200 HTTP status code (OK). This divergence in behavior can mislead developers during local testing, causing them to believe that Serverless Offline is correctly blocking access or applying specific access controls when, in reality, the live AWS environment would permit access. This discrepancy might lead developers to incorrectly implement or validate access control policies, inadvertently allowing greater permissions than intended once deployed to AWS.
What is the Impact of CVE-2021-38384?
Successful exploitation may allow attackers to bypass intended access restrictions, leading to unauthorized access to resources, sensitive data exposure, or execution of privileged operations.
What is the Exploitability of CVE-2021-38384?
Exploitation relies on a developer using Serverless Offline for local testing and then misinterpreting its behavior regarding trailing slashes in routes, leading to an insecure deployment in AWS. No specific authentication or privilege is required for the attacker at the point of exploitation, as it targets a deployed misconfiguration. The vulnerability is 'remote' in the sense that the misconfigured AWS resource can be accessed over the network. The primary condition is the developer's oversight due to the testing tool's misleading behavior. Risk factors include developers relying solely on Serverless Offline for testing access control, especially for edge cases like trailing slashes, and lack of thorough testing in a production-like AWS environment.
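The status-code divergence described above, as an added example that is not code from the serverless-offline project or from this advisory: a hypothetical Lambda-style handler whose authorization decision is keyed on the request path, audited against two simulated routing layers (`offline`, which answers 403 itself for trailing-slash routes, and `aws`, which invokes the handler) modelled on the behaviour the advisory describes. The routing layers, the `/admin` route, the `isAdmin` flag and the sample events are all assumptions. The weak handler compares the raw path, so the local 403 hides a deployed 200; the hardened handler normalizes the trailing slash before the check, so both environments agree.

```javascript
// Added example, not serverless-offline project code. The two "environments"
// below are a simplified model of the advisory's description, not real routers.

// Strip one trailing slash so "/admin/" and "/admin" are authorized identically.
function normalize(path) {
  return path.length > 1 && path.endsWith("/") ? path.slice(0, -1) : path;
}

// Hypothetical Lambda-style handler returning an HTTP status code.
// normalizePath=false is the weak variant (raw path compared), true is hardened.
function makeHandler(normalizePath) {
  return function handler(event) {
    const path = normalizePath ? normalize(event.path) : event.path;
    if (path === "/admin") {
      return event.isAdmin ? 200 : 403; // protected route: admins only
    }
    return 200; // every other path is public in this model
  };
}

// Simulated routing layers (assumption): the local tool rejects trailing-slash
// routes with 403 before the handler runs, AWS passes the request through.
const environments = {
  offline: (handler, event) =>
    event.path.length > 1 && event.path.endsWith("/") ? 403 : handler(event),
  aws: (handler, event) => handler(event),
};

// Run one path under both environments for an unauthenticated caller and
// report the two status codes plus whether they disagree.
function parityCheck(handler, path) {
  const event = { path, isAdmin: false }; // constructed sample event
  const offline = environments.offline(handler, event);
  const aws = environments.aws(handler, event);
  return { path, offline, aws, mismatch: offline !== aws };
}

// Expand each protected route into its trailing-slash variants and audit all of them.
function auditRoutes(handler, routes) {
  const results = [];
  for (const route of routes) {
    for (const variant of [route, route + "/"]) {
      results.push(parityCheck(handler, variant));
    }
  }
  return results;
}

const PROTECTED_ROUTES = ["/admin"]; // constructed sample route list

// Weak handler: "/admin/" is 403 locally but 200 on the simulated AWS side.
const weakResults = auditRoutes(makeHandler(false), PROTECTED_ROUTES);
// Hardened handler: both environments return 403 for "/admin/" without credentials.
const hardenedResults = auditRoutes(makeHandler(true), PROTECTED_ROUTES);

console.table(weakResults);
console.table(hardenedResults);
```

The `mismatch` column is the signal a local test suite should fail on: any protected route whose trailing-slash variant is decided differently by the two layers means the local 403 is coming from the tool, not from the application's own check. Normalizing the path before the authorization comparison removes the dependence on how a given platform treats the trailing slash.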
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2021-38384?
Available Upgrade Options
- No fixes available
Additional Resources
What are Similar Vulnerabilities to CVE-2021-38384?
Similar Vulnerabilities: CVE-2020-13936, CVE-2019-10651, CVE-2022-29215, CVE-2021-27806, CVE-2022-34169
