CVE-2021-3914

It was found that the smallrye health metrics UI component did not properly sanitize some user inputs. An attacker could use this flaw to conduct cross-site scripting attacks.

CVSS v3 6.1 MEDIUM

6.1^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://access.redhat.com/security/cve/CVE-2021-3914	Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2018015	Issue Tracking Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:redhat:build_of_quarkus::::::::
	cpe:2.3:a:redhat:build_of_quarkus:-::::text-only:::
	cpe:2.3:a:redhat:openshift_application_runtimes:1.0:::::::*
	cpe:2.3:a:redhat:smallrye_health:-:::::::*

History

No history.

Information

Published : 2022-08-25 20:15

Updated : 2024-02-28 19:29

NVD link : CVE-2021-3914

Mitre link : CVE-2021-3914

CVE.ORG link : CVE-2021-3914

JSON object : View

Products Affected

redhat

openshift_application_runtimes
smallrye_health
build_of_quarkus

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2021-3914", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}]}, "published": "2022-08-25T20:15:09.363", "references": [{"url": "https://access.redhat.com/security/cve/CVE-2021-3914", "tags": ["Vendor Advisory"], "source": "secalert@redhat.com"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2018015", "tags": ["Issue Tracking", "Vendor Advisory"], "source": "secalert@redhat.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}, {"type": "Secondary", "source": "secalert@redhat.com", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "It was found that the smallrye health metrics UI component did not properly sanitize some user inputs. An attacker could use this flaw to conduct cross-site scripting attacks."}, {"lang": "es", "value": "Se ha detectado que el componente de la interfaz de usuario de smallrye health metrics no sanea correctamente algunas entradas del usuario. Un atacante podr\u00eda usar este fallo para conducir ataques de tipo cross-site scripting."}], "lastModified": "2022-09-02T13:07:32.830", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:redhat:build_of_quarkus:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E0B7F662-E62B-41CB-8984-E3C3063B0B03", "versionEndExcluding": "2.7.5"}, {"criteria": "cpe:2.3:a:redhat:build_of_quarkus:-:*:*:*:text-only:*:*:*", "vulnerable": true, "matchCriteriaId": "C4724F20-5376-4FB0-8DFA-A75004E2F60D"}, {"criteria": "cpe:2.3:a:redhat:openshift_application_runtimes:1.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "183C1FAB-3101-4155-BAA4-819EE997E436"}, {"criteria": "cpe:2.3:a:redhat:smallrye_health:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A978C871-E4D4-4622-B14F-4D92928679C7"}], "operator": "OR"}]}], "sourceIdentifier": "secalert@redhat.com"}