CVE-2021-37102

There is a command injection vulnerability in CMA service module of FusionCompute product when processing the default certificate file. The software constructs part of a command using external special input from users, but the software does not sufficiently validate the user input. Successful exploit could allow the attacker to inject certain commands to the system. Affected product versions include: FusionCompute 6.0.0, 6.3.0, 6.3.1, 6.5.0, 6.5.1, 8.0.0.

CVSS v3 8.8 HIGH
CVSS v2.0 9.0 HIGH

8.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

9.0^/10

CVSS v2.0 : HIGH

Vector : AV:N/AC:L/Au:S/C:C/I:C/A:C

Exploitability : 8.0 / Impact : 10.0

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

References

Link	Resource
https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20210922-01-cmd-en	Vendor Advisory
https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20210922-01-cmd-en	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:huawei:fusioncompute:6.0.0:::::::*
	cpe:2.3:a:huawei:fusioncompute:6.3.0:::::::*
	cpe:2.3:a:huawei:fusioncompute:6.3.1:::::::*
	cpe:2.3:a:huawei:fusioncompute:6.5.0:::::::*
	cpe:2.3:a:huawei:fusioncompute:6.5.1:::::::*
	cpe:2.3:a:huawei:fusioncompute:8.0.0:::::::*

History

21 Nov 2024, 06:14

Type	Values Removed	Values Added
References	~~() https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20210922-01-cmd-en - Vendor Advisory~~	() https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20210922-01-cmd-en - Vendor Advisory

Information

Published : 2021-11-23 16:15

Updated : 2024-11-21 06:14

NVD link : CVE-2021-37102

Mitre link : CVE-2021-37102

CVE.ORG link : CVE-2021-37102

JSON object : View

Products Affected

huawei

fusioncompute

CWE

CWE-77

Improper Neutralization of Special Elements used in a Command ('Command Injection')

{"id": "CVE-2021-37102", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 9.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "authentication": "SINGLE", "integrityImpact": "COMPLETE", "accessComplexity": "LOW", "availabilityImpact": "COMPLETE", "confidentialityImpact": "COMPLETE"}, "acInsufInfo": false, "impactScore": 10.0, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2021-11-23T16:15:09.980", "references": [{"url": "https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20210922-01-cmd-en", "tags": ["Vendor Advisory"], "source": "psirt@huawei.com"}, {"url": "https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20210922-01-cmd-en", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-77"}]}], "descriptions": [{"lang": "en", "value": "There is a command injection vulnerability in CMA service module of FusionCompute product when processing the default certificate file. The software constructs part of a command using external special input from users, but the software does not sufficiently validate the user input. Successful exploit could allow the attacker to inject certain commands to the system. Affected product versions include: FusionCompute 6.0.0, 6.3.0, 6.3.1, 6.5.0, 6.5.1, 8.0.0."}, {"lang": "es", "value": "Se presenta una vulnerabilidad de inyecci\u00f3n de comandos en el m\u00f3dulo de servicio CMA del producto FusionCompute cuando es procesado el archivo de certificado predeterminado. El software construye parte de un comando usando una entrada especial externa de usuarios, pero el software no comprueba suficientemente la entrada del usuario. Una explotaci\u00f3n con \u00e9xito podr\u00eda permitir al atacante inyectar determinados comandos en el sistema. Las versiones del producto afectadas son: FusionCompute versiones 6.0.0, 6.3.0, 6.3.1, 6.5.0, 6.5.1, 8.0.0"}], "lastModified": "2024-11-21T06:14:39.203", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:huawei:fusioncompute:6.0.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A044DA05-E139-4572-8562-09A4A54E8D0B"}, {"criteria": "cpe:2.3:a:huawei:fusioncompute:6.3.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "319C5290-36D1-4A96-80D3-18978161557D"}, {"criteria": "cpe:2.3:a:huawei:fusioncompute:6.3.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9EFA1D96-F198-4424-8F5A-1C7DFF3F42AE"}, {"criteria": "cpe:2.3:a:huawei:fusioncompute:6.5.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EB149F98-77DF-40C3-A307-21D7B9BCB6DA"}, {"criteria": "cpe:2.3:a:huawei:fusioncompute:6.5.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "916284A3-6895-4F2C-9426-240F4EB7336F"}, {"criteria": "cpe:2.3:a:huawei:fusioncompute:8.0.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5D251AD0-6227-4190-815F-B526F40D8A43"}], "operator": "OR"}]}], "sourceIdentifier": "psirt@huawei.com"}