CVE-2021-31590
CVE-2021-31590 is a high-severity vulnerability in Pwndoc Project Pwndoc with a CVSS 3.x base score of 8.8. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low.
Key facts
- Severity: High (CVSS 3.x base score 8.8)
- CVSS v2: 9.0
- EPSS exploit prediction: 3% (84th percentile)
- Actively exploited: Not listed in CISA KEV
- Affected product: Pwndoc Project Pwndoc
- Published:
- Last modified:
Description
PwnDoc all versions until 0.4.0 (2021-08-23) has incorrect JSON Webtoken handling, leading to incorrect access control. With a valid JSON Webtoken that is used for authentication and authorization, a user can keep his admin privileges even if he is downgraded to the "user" privilege. Even after a user's account is deleted, the user can still access the administration panel (and add or delete users) and has complete access to the system.
Frequently asked questions
- What is CVE-2021-31590?
- PwnDoc all versions until 0.4.0 (2021-08-23) has incorrect JSON Webtoken handling, leading to incorrect access control. With a valid JSON Webtoken that is used for authentication and authorization, a user can keep his admin privileges even if he is downgraded to the "user" privilege. Even after a user's account is deleted, the user can still access the administration panel (and add or delete users) and has complete access to the system.
- How severe is CVE-2021-31590?
- CVE-2021-31590 has a CVSS 3.x base score of 8.8, rated high severity. It is exploitable over network with low attack complexity, requires low privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2021-31590 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 3% (84th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2021-31590?
- CVE-2021-31590 affects Pwndoc Project Pwndoc. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2021-31590?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
- When was CVE-2021-31590 published?
- CVE-2021-31590 was published on 2021-07-19 and last updated on 2026-06-17.
References
- https://github.com/pwndoc/pwndoc/blob/59519735b0d831d8fd96d7c3387f66d28407e583/CHANGELOG.md#040-2021-08-23
- https://github.com/pwndoc/pwndoc/commit/15f3dc0e212eda465e05fda0feb002d1bce2939d
- https://github.com/pwndoc/pwndoc/commit/ff1b868cec55f5b6c7a91e15a2b0b1f4324121ab
- https://github.com/pwndoc/pwndoc/pull/128
- https://github.com/pwndoc/pwndoc/pull/74
- https://github.com/pwndoc/pwndoc/security/advisories
- https://www.dgc.org/responsible_disclosure_pwndoc_jwt
Affected products (1)
- cpe:2.3:a:pwndoc_project:pwndoc:*:*:*:*:*:*:*:*
More vulnerabilities in Pwndoc Project Pwndoc
- CVE-2022-45771 — High (CVSS 8.8): An issue in the /api/audits component of Pwndoc v0.5.3 allows attackers to escalate privileges and execute arbitrary…
- CVE-2024-55602 — High (CVSS 7.6): PwnDoc is a penetration test report generator. Prior to commit 1d4219c596f4f518798492e48386a20c6e9a2fe6, an…
- CVE-2025-23044 — Medium (CVSS 6.8): PwnDoc is a penetration test report generator. There is no CSRF protection in pwndoc, allowing attackers to send…
- CVE-2025-27413 — Medium (CVSS 6.5): PwnDoc is a penetration test reporting application. Prior to version 1.2.0, the backup restore functionality allows an…
- CVE-2025-27410 — Medium (CVSS 6.5): PwnDoc is a penetration test reporting application. Prior to version 1.2.0, the backup restore functionality is…
- CVE-2024-55653 — Medium (CVSS 6.5): PwnDoc is a penetration test report generator. In versions up to and including 0.5.3, an authenticated user is able to…