
CVE-2021-38617: n/a in n/a

Severity: High
Published: Tue Sep 07 2021 (09/07/2021, 11:18:00 UTC)
Source: CVE Database V5
Vendor/Project: n/a
Product: n/a

Description

In Eigen NLP 3.10.1, a lack of access control on the /auth/v1/user/ user creation endpoint allows a standard user to create a super user account with a defined password. This directly leads to privilege escalation.

AI-Powered Analysis

Last updated: 07/08/2025, 15:31:02 UTC

Technical Analysis

CVE-2021-38617 is a critical security vulnerability identified in Eigen NLP version 3.10.1. The core issue stems from a lack of access control on the user creation endpoint located at /auth/v1/user/. This endpoint, intended for user creation, does not properly restrict access, allowing any authenticated standard user to create a new super user account by specifying a password. This vulnerability directly enables privilege escalation, as a low-privileged user can elevate their privileges to administrative or super user level without authorization. The vulnerability has a CVSS v3.1 score of 8.8, indicating a high severity level. The vector string (CVSS:3.1/AC:L/AV:N/A:H/C:H/I:H/PR:L/S:U/UI:N) reveals that the attack requires low privileges (PR:L), no user interaction (UI:N), local network access (AV:N), and has high impact on confidentiality, integrity, and availability. Exploiting this flaw allows an attacker to gain full control over the affected system, potentially leading to unauthorized data access, system manipulation, and disruption of services. No public patches or vendor information are provided, and no known exploits in the wild have been reported as of the publication date. The vulnerability affects Eigen NLP, a natural language processing software, which may be integrated into various applications or services that rely on NLP capabilities.

Potential Impact

For European organizations utilizing Eigen NLP 3.10.1, this vulnerability poses a significant risk. The ability for a standard user to escalate privileges to super user level can lead to complete compromise of the NLP system and any connected infrastructure. This could result in unauthorized access to sensitive data processed or stored by the system, manipulation or deletion of critical data, and disruption of NLP-dependent services. Organizations in sectors such as finance, healthcare, government, and telecommunications—where NLP tools may be used for data analysis, customer interaction, or automated decision-making—are particularly vulnerable. The breach of confidentiality and integrity could lead to regulatory non-compliance under GDPR, resulting in legal and financial penalties. Moreover, the availability impact could disrupt business operations relying on NLP functionalities. Since the vulnerability requires only low privileges and no user interaction, insider threats or compromised standard accounts could easily exploit this flaw, increasing the risk profile for European enterprises.

Mitigation Recommendations

To mitigate CVE-2021-38617, European organizations should immediately audit their deployments of Eigen NLP 3.10.1 or any related versions to identify if the vulnerable endpoint /auth/v1/user/ is exposed and accessible. Restrict access to this endpoint by implementing strict access control mechanisms, such as role-based access control (RBAC), ensuring only authorized administrators can create super user accounts. If possible, disable or restrict the user creation endpoint until a vendor patch or update is available. Monitor logs for unusual user creation activities, especially the creation of accounts with elevated privileges. Employ network segmentation and firewall rules to limit access to the NLP service endpoints to trusted users and systems only. Additionally, enforce strong authentication and credential management policies to reduce the risk of compromised standard user accounts. If vendor patches or updates become available, prioritize their deployment. Finally, conduct regular security assessments and penetration testing focused on privilege escalation vectors within NLP and related systems.


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2021-08-13T00:00:00.000Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6839d93e182aa0cae2b72fd3

Added to database: 5/30/2025, 4:13:50 PM

Last enriched: 7/8/2025, 3:31:02 PM

Last updated: 8/16/2025, 2:08:04 PM

