{
  "resultsPerPage": 1,
  "startIndex": 0,
  "totalResults": 1,
  "format": "NVD_CVE",
  "version": "2.0",
  "timestamp": "2026-04-19T14:08:10.475",
  "vulnerabilities": [
    {
      "cve": {
        "id": "CVE-2021-32753",
        "sourceIdentifier": "security-advisories@github.com",
        "published": "2021-07-09T19:15:08.373",
        "lastModified": "2024-11-21T06:07:40.413",
        "vulnStatus": "Modified",
        "cveTags": [],
        "descriptions": [
          {
            "lang": "en",
            "value": "EdgeX Foundry is an open source project for building a common open framework for internet-of-things edge computing. A vulnerability exists in the Edinburgh, Fuji, Geneva, and Hanoi versions of the software. When the EdgeX API gateway is configured for OAuth2 authentication and a proxy user is created, the client_id and client_secret required to obtain an OAuth2 authentication token are set to the username of the proxy user. A remote network attacker can then perform a dictionary-based password attack on the OAuth2 token endpoint of the API gateway to obtain an OAuth2 authentication token and use that token to make authenticated calls to EdgeX microservices from an untrusted network. OAuth2 is the default authentication method in EdgeX Edinburgh release. The default authentication method was changed to JWT in Fuji and later releases. Users should upgrade to the EdgeX Ireland release to obtain the fix. The OAuth2 authentication method is disabled in Ireland release. If unable to upgrade and OAuth2 authentication is required, users should create OAuth2 users directly using the Kong admin API and forgo the use of the `security-proxy-setup` tool to create OAuth2 users."
          },
          {
            "lang": "es",
            "value": "EdgeX Foundry es un proyecto de código abierto para construir un framework abierto común para la computación de borde de la Internet de las cosas. Se presenta una vulnerabilidad en las versiones Edimburgo, Fuji, Ginebra y Hanoi del software. Cuando la puerta de enlace de la API EdgeX está configurada para la autenticación OAuth2 y es creado un usuario proxy, el client_id y el client_secret requeridos para obtener un token de autenticación OAuth2 se ajustan con el nombre de usuario del usuario proxy. Un atacante remoto de la red puede entonces llevar a cabo un ataque de contraseña basado en diccionario en el endpoint del token OAuth2 de la puerta de enlace de la API para obtener un token de autenticación OAuth2 y usar ese token para hacer llamadas autenticadas a los microservicios de EdgeX desde una red no confiable. OAuth2 es el método de autenticación predeterminado en la versión de EdgeX Edinburgh. El método de autenticación predeterminado fue cambiado a JWT en Fuji y versiones posteriores. Los usuarios deben actualizar a versión de EdgeX Ireland para obtener la corrección. El método de autenticación OAuth2 está deshabilitado en la versión Ireland. Si no se puede actualizar y es requerida la autenticación OAuth2, los usuarios deben crear usuarios OAuth2 directamente usando la API de Kong admin y renunciar al uso de la herramienta \"security-proxy-setup\" para crear usuarios OAuth2"
          }
        ],
        "metrics": {
          "cvssMetricV31": [
            {
              "source": "security-advisories@github.com",
              "type": "Secondary",
              "cvssData": {
                "version": "3.1",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L",
                "baseScore": 8.3,
                "baseSeverity": "HIGH",
                "attackVector": "NETWORK",
                "attackComplexity": "LOW",
                "privilegesRequired": "NONE",
                "userInteraction": "NONE",
                "scope": "CHANGED",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "availabilityImpact": "LOW"
              },
              "exploitabilityScore": 3.9,
              "impactScore": 3.7
            },
            {
              "source": "nvd@nist.gov",
              "type": "Primary",
              "cvssData": {
                "version": "3.1",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "attackVector": "NETWORK",
                "attackComplexity": "LOW",
                "privilegesRequired": "NONE",
                "userInteraction": "NONE",
                "scope": "UNCHANGED",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "availabilityImpact": "NONE"
              },
              "exploitabilityScore": 3.9,
              "impactScore": 2.5
            }
          ],
          "cvssMetricV2": [
            {
              "source": "nvd@nist.gov",
              "type": "Primary",
              "cvssData": {
                "version": "2.0",
                "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
                "baseScore": 5.8,
                "accessVector": "NETWORK",
                "accessComplexity": "MEDIUM",
                "authentication": "NONE",
                "confidentialityImpact": "PARTIAL",
                "integrityImpact": "PARTIAL",
                "availabilityImpact": "NONE"
              },
              "baseSeverity": "MEDIUM",
              "exploitabilityScore": 8.6,
              "impactScore": 4.9,
              "acInsufInfo": false,
              "obtainAllPrivilege": false,
              "obtainUserPrivilege": false,
              "obtainOtherPrivilege": false,
              "userInteractionRequired": false
            }
          ]
        },
        "weaknesses": [
          {
            "source": "security-advisories@github.com",
            "type": "Secondary",
            "description": [
              {"lang": "en", "value": "CWE-284"},
              {"lang": "en", "value": "CWE-287"},
              {"lang": "en", "value": "CWE-521"}
            ]
          },
          {
            "source": "nvd@nist.gov",
            "type": "Primary",
            "description": [
              {"lang": "en", "value": "CWE-521"}
            ]
          }
        ],
        "configurations": [
          {
            "nodes": [
              {
                "operator": "OR",
                "negate": false,
                "cpeMatch": [
                  {
                    "vulnerable": true,
                    "criteria": "cpe:2.3:a:edgexfoundry:edgex_foundry:*:*:*:*:*:*:*:*",
                    "versionStartIncluding": "1.0.0",
                    "versionEndExcluding": "2.0.0",
                    "matchCriteriaId": "75F38141-9394-4C6F-9958-755DF1FE496A"
                  }
                ]
              }
            ]
          }
        ],
        "references": [
          {
            "url": "https://docs.konghq.com/hub/kong-inc/oauth2/#create-a-consumer",
            "source": "security-advisories@github.com",
            "tags": ["Third Party Advisory"]
          },
          {
            "url": "https://github.com/edgexfoundry/edgex-go/security/advisories/GHSA-xph4-vmcc-52gh",
            "source": "security-advisories@github.com",
            "tags": ["Third Party Advisory"]
          },
          {
            "url": "https://docs.konghq.com/hub/kong-inc/oauth2/#create-a-consumer",
            "source": "af854a3a-2127-422b-91ae-364da2661108",
            "tags": ["Third Party Advisory"]
          },
          {
            "url": "https://github.com/edgexfoundry/edgex-go/security/advisories/GHSA-xph4-vmcc-52gh",
            "source": "af854a3a-2127-422b-91ae-364da2661108",
            "tags": ["Third Party Advisory"]
          }
        ]
      }
    }
  ]
}