cbcvebase.
CVE-2021-21276
published 2021-02-01


Priority: P267
Severity: critical, 9.3 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
EXPLOIT
EPSS: 7.16% (93.5th percentile)
Polr is an open source URL shortener. In Polr before version 2.3.0, a vulnerability in the setup process allows attackers to gain admin access to site instances, even if they do not possess an existing account. This vulnerability exists regardless of users' settings. If an attacker crafts a request with specific cookie headers to the /setup/finish endpoint, they may be able to obtain admin privileges on the instance. This is caused by a loose comparison (==) in SetupController that is susceptible to attack. The project has been patched to ensure that a strict comparison (===) is used to verify the setup key, and that /setup/finish verifies that no users table exists before performing any migrations or provisioning any new accounts. This is fixed in version 2.3.0. Users can patch this vulnerability without upgrading by adding abort(404) to the very first line of finishSetup in SetupController.php.

Affected

2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cydrobolt | polr | < 2.3.0 | 2.3.0 |
| polrproject | polr | < 2.3.0 | 2.3.0 |

Detection & IOCs (extracted from sources)

url: /setup/finish
cookie: setup_arguments={"acct_username": "admin", "acct_password": "password", "acct_email": "[email protected]", "setup_auth_key": true}
path: SetupController.php
  • Monitor for HTTP GET requests to the /setup/finish endpoint on Polr instances, especially when a 'setup_arguments' cookie is present in the request — this is the attack vector for admin takeover.
  • Alert on requests to /setup/finish that include a JSON-encoded 'setup_arguments' cookie containing 'setup_auth_key': true (boolean true), which exploits the loose comparison (==) vulnerability in SetupController.
  • The root cause is a loose comparison (==) in SetupController used to verify the setup key; look for exploitation attempts where setup_auth_key is set to a truthy non-string value (e.g., boolean true) rather than the correct string key.
  • The vulnerability exists regardless of instance configuration or whether existing user accounts are present — all Polr instances prior to 2.3.0 are affected.
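
One way to implement the checks listed above, as an added example that is not part of the original page or the Polr project. It assumes a log source (for example a reverse proxy or WAF) that records the request target and the raw Cookie header; the function names and sample records are constructed for illustration.

```python
import json
from urllib.parse import unquote, urlsplit

def cookie_value(header, name):
    """Return the (URL-decoded) value of one cookie from a raw Cookie header."""
    for part in header.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep and key == name:
            return unquote(value)
    return None

def classify(target, cookie_header):
    """Return 'ignore', 'review' or 'alert' for one logged request."""
    if urlsplit(target).path.rstrip("/") != "/setup/finish":
        return "ignore"
    # Any hit on /setup/finish of an already installed instance deserves a look.
    raw = cookie_value(cookie_header or "", "setup_arguments")
    if raw is None:
        return "review"
    try:
        args = json.loads(raw)
    except ValueError:
        return "review"
    if not isinstance(args, dict):
        return "review"
    # A genuine setup key is a string. Any other JSON type (boolean true,
    # numbers, null) can only satisfy the loose == check, so it is alerted on.
    if isinstance(args.get("setup_auth_key"), str):
        return "review"
    return "alert"

# Constructed sample records: (request target, Cookie header).
SAMPLE = [
    ("/setup/finish", 'setup_arguments={"acct_username": "admin", "setup_auth_key": true}'),
    ("/setup/finish", "setup_arguments=%7B%22setup_auth_key%22%3A%20true%7D; other=1"),
    ("/setup/finish", 'setup_arguments={"setup_auth_key": "constructed-string-key"}'),
    ("/setup/finish?x=1", ""),
    ("/login", 'setup_arguments={"setup_auth_key": true}'),
]

def scan(records):
    """Classify every record, preserving order."""
    return [classify(target, cookie) for target, cookie in records]

if __name__ == "__main__":
    for record, verdict in zip(SAMPLE, scan(SAMPLE)):
        print(verdict, record[0])
```

The second sample record shows why the cookie value is URL-decoded before parsing: a rule that matches only the literal JSON text would miss the encoded form.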

CVSS provenance

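| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.3 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N |
| nvd | v2.0 | 6.4 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:P/A:N |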