CVE-2021-40875

Basic Information

CVE State
PUBLISHED
Reserved Date
September 13, 2021
Published Date
September 22, 2021
Last Updated
August 04, 2024
Vendor
n/a
Product
n/a
Description
Improper Access Control in Gurock TestRail versions < 7.2.0.3014 resulted in sensitive information exposure. A threat actor can access the /files.md5 file on the client side of a Gurock TestRail application, disclosing a full list of application files and the corresponding file paths. The corresponding file paths can be tested, and in some cases, result in the disclosure of hardcoded credentials, API keys, or other sensitive data.
Tags
nuclei_scanner

CVSS Scores

CVSS v3.1

7.5 - HIGH

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS v2.0

5.0

Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Exploit Status

Exploited in the Wild
Yes (2025-09-16 00:00:00 UTC)

Known Exploited Vulnerability Information

Source
The Shadowserver (via CIRCL)
Added Date
2025-09-16 00:00:00 UTC

Scanner Integrations

Timeline

  • CVE ID Reserved

  • CVE Published to Public

  • Detected by Nuclei

  • Added to KEVIntel