CVE-2019-14537
Published 2019-08-07
CVE-2019-14537: YOURLS through 1.7.3 is affected by a type juggling vulnerability in the api component that can result in login bypass.
Priority P2 (60) · critical · CVSS 3.0 base score 9.8
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 6.14% (92.6th percentile)
Affected
2 ranges (both rows describe the same affected set, every release up to and including 1.7.3; the fix is 1.7.4)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| yourls | yourls | <= 1.7.3 | — |
| yourls | yourls | >= 0 < 1.7.4 | 1.7.4 |
Detection & IOCs (extracted from sources)
- The vulnerability is a PHP type juggling issue in the YOURLS API authentication component that allows login bypass. Type juggling here is PHP's loose `==` comparison, which compares two numeric-looking strings as numbers (`"0e123" == "0"` is true), so a forged credential value does not have to match the expected value byte for byte. Detection should focus on API authentication requests whose `signature` or `password` parameter is not a plausible credential value.
- A public PoC exploit exists at https://github.com/Wocanilo/CVE-2019-14537; it can be used to understand the attack pattern and to craft detection signatures for YOURLS API authentication bypass attempts.
- Monitor the YOURLS API endpoint (`yourls-api.php`) for authentication requests whose `signature` or `password` parameter carries a type-juggling payload: a bare integer, a `0e`-style numeric string, or an array-style parameter (`signature[]=`) instead of a hex digest or a real password. Query parameters reach PHP only as strings or arrays, never as booleans, so a "boolean" payload is not something to look for in a query string. Prioritise hits against instances running versions up to and including 1.7.3.
- The fix shipped in YOURLS 1.7.4 (upstream pull request https://github.com/YOURLS/YOURLS/pull/2542); the release and the pull request are linked in the advisory section below.
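The loose-comparison mechanism and the log-monitoring advice above, as an added worked example that is not YOURLS code and not the Wocanilo PoC: a small Python model of PHP's `==` versus `===` on signature strings, beside a scanner that flags juggling-style `signature`/`password` values in access-log requests to `yourls-api.php`. The log lines are constructed for this example and are assumed to be in Apache/nginx combined format; the endpoint path and the parameter names `action`, `timestamp`, `signature`, `username` and `password` are YOURLS's documented API parameters, and the example does not claim to reproduce the exact comparison site in the YOURLS source.

```python
"""Model of the CVE-2019-14537 comparison flaw plus an access-log scanner.

Added example, not code from YOURLS or from the public PoC. The log lines in
SAMPLE_LOG are constructed; only the endpoint and parameter names are real.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# PHP's notion of a "numeric string": optional whitespace and sign, digits with an
# optional fraction, optional exponent. Two numeric strings compared with `==` are
# compared as numbers in every PHP version, which is the juggling that matters for
# HTTP input (query parameters are only ever strings or arrays).
_NUMERIC_STR = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?\s*$")


def php_loose_eq(a: str, b: str) -> bool:
    """Model PHP `==` for two strings (the vulnerable pattern)."""
    if _NUMERIC_STR.match(a) and _NUMERIC_STR.match(b):
        return float(a) == float(b)
    return a == b


def php_strict_eq(a: str, b: str) -> bool:
    """Model PHP `===` / hash_equals(): same bytes, no numeric coercion (the fix)."""
    return a == b


def signature_accepted(provided: str, expected: str, strict: bool) -> bool:
    """Does an API signature check pass? strict=False models a loose 1.7.3-style
    check, strict=True the strict comparison the fix introduces."""
    return php_strict_eq(provided, expected) if strict else php_loose_eq(provided, expected)


# --- detection over access logs (combined format assumed) ----------------------

_REQ_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
WATCHED = {"signature", "password"}  # YOURLS API credential parameters


def suspicious_value(key: str, value: str):
    """Return why a credential parameter looks like a juggling payload, or None."""
    if "[" in key:
        return "array-style parameter (type confusion: array instead of string)"
    if _NUMERIC_STR.match(value):
        return "numeric string (compares as a number under PHP ==)"
    return None


def scan_log(text: str):
    """Return one finding per suspicious signature/password value sent to yourls-api.php."""
    hits = []
    for line in text.splitlines():
        m = _REQ_LINE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if not url.path.endswith("/yourls-api.php"):
            continue
        for key, value in parse_qsl(url.query, keep_blank_values=True):
            if key.split("[", 1)[0] not in WATCHED:
                continue
            reason = suspicious_value(key, value)
            if reason:
                hits.append({"ip": m["ip"], "time": m["ts"], "status": int(m["status"]),
                             "param": key, "value": value, "reason": reason})
    return hits


# Constructed sample: one legitimately signed call, four juggling-style attempts,
# and one unrelated request that the scanner must ignore.
SAMPLE_LOG = """\
203.0.113.7 - - [07/Aug/2019:10:00:01 +0000] "GET /yourls-api.php?action=stats&timestamp=1565172001&signature=3f2a9c1d7e5b4a6c8d9e0f1a2b3c4d5e HTTP/1.1" 200 512
203.0.113.9 - - [07/Aug/2019:10:00:02 +0000] "GET /yourls-api.php?action=stats&timestamp=1565172002&signature=0 HTTP/1.1" 403 97
203.0.113.9 - - [07/Aug/2019:10:00:03 +0000] "GET /yourls-api.php?action=stats&timestamp=1565172003&signature=0e1 HTTP/1.1" 403 97
203.0.113.9 - - [07/Aug/2019:10:00:04 +0000] "GET /yourls-api.php?action=stats&signature[]=x HTTP/1.1" 403 97
203.0.113.11 - - [07/Aug/2019:10:00:05 +0000] "GET /yourls-api.php?action=shorturl&url=https://example.com&username=admin&password=0 HTTP/1.1" 403 97
198.51.100.4 - - [07/Aug/2019:10:00:06 +0000] "GET /admin/index.php HTTP/1.1" 200 2048
"""

if __name__ == "__main__":
    # A digest of the 0e<digits> form is a numeric string, so "0" is accepted under ==.
    magic = "0e830400451993494058024219903391"
    print("loose :", signature_accepted("0", magic, strict=False))  # True
    print("strict:", signature_accepted("0", magic, strict=True))   # False
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ip"], hit["param"], repr(hit["value"]), "->", hit["reason"])
```

The scanner flags attempts regardless of outcome; a hit with a 403 is a failed probe, while a hit with a 200 on a pre-1.7.4 instance means the bypass may have succeeded and deserves the first look. Feed it a real access log by replacing `SAMPLE_LOG` with the file contents.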
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| ghsa | — | 9.8 | CRITICAL | — |
| osv | — | 9.8 | CRITICAL | — |
GHSA
Access of Resource Using Incompatible Type ('Type Confusion') in yourls/yourls
ghsa · 2019-09-23 · CVSS 9.8 · CRITICAL · CWE-843
## Type juggling vulnerability in the API
### Impact
YOURLS through 1.7.3 is affected by a type juggling vulnerability in the API component that can result in login bypass.
### Patches
https://github.com/YOURLS/YOURLS/releases/tag/1.7.4
https://github.com/YOURLS/YOURLS/pull/2542
### References
* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14537
* https://github.com/Wocanilo/CVE-2019-14537
### For more information
If you have any questions or comments about this advisory:
* Open an issue in [YOURLS repository](https://github.com/YOURLS/YOURLS)
OSV
Access of Resource Using Incompatible Type ('Type Confusion') in yourls/yourls
osv · 2019-09-23 · CVSS 9.8 · CRITICAL
The OSV entry mirrors the GHSA advisory text above verbatim (same impact statement, patch links and references).
No detection rules found.
No public exploits indexed, although a proof-of-concept repository (https://github.com/Wocanilo/CVE-2019-14537) is linked in the references above.
Bugzilla
CVE-2019-14537 yourls: juggling vulnerability in api component leads to login bypass [epel-all]
bugzilla · 2019-09-05 · CVSS 9.8 · CRITICAL
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple su
Bugzilla
CVE-2019-14537 yourls: juggling vulnerability in api component leads to login bypass
bugzilla · 2019-09-05 · CVSS 9.8 · CRITICAL
A vulnerability was found in YOURLS: versions through 1.7.3 are affected by a type juggling vulnerability in the api component that can result in login bypass.
Reference:
https://github.com/Wocanilo/CVE-2019-14537
https://github.com/YOURLS/YOURLS/commits/master
https://github.com/YOURLS/YOURLS/pull/2542
https://github.com/YOURLS/YOURLS/releases
https://security-garage.com/index.php/cves/cve-2019-14537-api-authentication-bypass-via-type-juggling
Discussion:
Created yourls tracking bugs for this issue:
Affects: epel-all [bug 1749172]
Affects: fedora-all [bug 1749171]
---
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Ha
Bugzilla
CVE-2019-14537 yourls: juggling vulnerability in api component leads to login bypass [fedora-all]
bugzilla · 2019-09-05 · CVSS 9.8 · CRITICAL
Automatically created tracking bug for fedora-all; its body repeats the epel-all tracking-bug text above verbatim.