Details of VAR-202102-1013

ID

VAR-202102-1013

CVE

CVE-2021-23885

TITLE

McAfee Web Gateway Vulnerability in privilege management

Trust: 0.8

sources: JVNDB: JVNDB-2021-004023

DESCRIPTION

Privilege escalation vulnerability in McAfee Web Gateway (MWG) prior to 9.2.8 allows an authenticated user to gain elevated privileges through the User Interface and execute commands on the appliance via incorrect improper neutralization of user input in the troubleshooting page. McAfee Web Gateway (MWG) Vulnerability in privilege managementInformation is obtained, information is tampered with, and service is disrupted (DoS) It may be put into a state. McAfee Web Gateway is a high-performance secure Web gateway, using a unified device software architecture, with best-in-class threat protection. The vulnerability stems from the non-neutralization of user input in the troubleshooting page. Attackers can use this vulnerability to gain elevated privileges. There is no relevant information about this vulnerability at present. Please keep an eye on CNNVD or vendor announcements

Trust: 2.25

sources: NVD: CVE-2021-23885 // JVNDB: JVNDB-2021-004023 // CNVD: CNVD-2021-12635 // VULHUB: VHN-382568

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2021-12635

AFFECTED PRODUCTS

vendor:	mcafee	model:	web gateway	scope:	lt	version:	9.2.8	Trust: 1.6
vendor:	mcafee	model:	web gateway	scope:	lt	version:	8.2.17	Trust: 1.0
vendor:	mcafee	model:	web gateway	scope:	lt	version:	10.0.4	Trust: 1.0
vendor:	mcafee	model:	web gateway	scope:	gte	version:	9.2	Trust: 1.0
vendor:	mcafee	model:	web gateway	scope:	gte	version:	10.0	Trust: 1.0
vendor:	マカフィー	model:	mcafee web gateway ソフトウェア	scope:	eq	version:	-	Trust: 0.8
vendor:	マカフィー	model:	mcafee web gateway ソフトウェア	scope:	eq	version:	mcafee web gateway software 9.2.8	Trust: 0.8

sources: CNVD: CNVD-2021-12635 // JVNDB: JVNDB-2021-004023 // NVD: CVE-2021-23885

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2021-23885
value:	HIGH
Trust: 1.0
trellixpsirt@trellix.com:	CVE-2021-23885
value:	CRITICAL
Trust: 1.0
NVD:	CVE-2021-23885
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2021-12635
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-202102-1286
value:	HIGH
Trust: 0.6
VULHUB:	VHN-382568
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2021-23885
severity:	HIGH
baseScore:	9.0
vectorString:	AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2021-12635
severity:	HIGH
baseScore:	9.0
vectorString:	AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
VULHUB:	VHN-382568
severity:	HIGH
baseScore:	9.0
vectorString:	AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2021-23885
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.1
Trust: 1.0
trellixpsirt@trellix.com:	CVE-2021-23885
baseSeverity:	CRITICAL
baseScore:	9.0
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.3
impactScore:	6.0
version:	3.1
Trust: 1.0
NVD:	CVE-2021-23885
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2021-12635 // VULHUB: VHN-382568 // JVNDB: JVNDB-2021-004023 // CNNVD: CNNVD-202102-1286 // NVD: CVE-2021-23885 // NVD: CVE-2021-23885

PROBLEMTYPE DATA

problemtype:	NVD-CWE-Other	Trust: 1.0
problemtype:	CWE-269	Trust: 1.0
problemtype:	Improper authority management (CWE-269) [ Other ]	Trust: 0.8

sources: JVNDB: JVNDB-2021-004023 // NVD: CVE-2021-23885

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202102-1286

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202102-1286

PATCH

title:	SB10349	url:	https://kc.mcafee.com/corporate/index?page=content&id=SB10349	Trust: 0.8
title:	Patch for McAfee Web Gateway (MWG) privilege escalation vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/249221	Trust: 0.6
title:	McAfee McAfee Web Gateway Fixes for permissions and access control issues vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=142659	Trust: 0.6

sources: CNVD: CNVD-2021-12635 // JVNDB: JVNDB-2021-004023 // CNNVD: CNNVD-202102-1286

EXTERNAL IDS

db:	NVD	id:	CVE-2021-23885	Trust: 3.1
db:	MCAFEE	id:	SB10349	Trust: 1.7
db:	JVNDB	id:	JVNDB-2021-004023	Trust: 0.8
db:	CNNVD	id:	CNNVD-202102-1286	Trust: 0.7
db:	CNVD	id:	CNVD-2021-12635	Trust: 0.6
db:	AUSCERT	id:	ESB-2021.0603	Trust: 0.6
db:	VULHUB	id:	VHN-382568	Trust: 0.1

sources: CNVD: CNVD-2021-12635 // VULHUB: VHN-382568 // JVNDB: JVNDB-2021-004023 // CNNVD: CNNVD-202102-1286 // NVD: CVE-2021-23885

REFERENCES

url:	https://nvd.nist.gov/vuln/detail/cve-2021-23885	Trust: 2.0
url:	https://kc.mcafee.com/corporate/index?page=content&id=sb10349	Trust: 1.6
url:	https://vigilance.fr/vulnerability/mcafee-web-gateway-privilege-escalation-via-troubleshooting-page-34602	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2021.0603	Trust: 0.6
url:	https://kc.mcafee.com/corporate/index?page=content&id=sb10349	Trust: 0.1

sources: CNVD: CNVD-2021-12635 // VULHUB: VHN-382568 // JVNDB: JVNDB-2021-004023 // CNNVD: CNNVD-202102-1286 // NVD: CVE-2021-23885

SOURCES

db:	CNVD	id:	CNVD-2021-12635
db:	VULHUB	id:	VHN-382568
db:	JVNDB	id:	JVNDB-2021-004023
db:	CNNVD	id:	CNNVD-202102-1286
db:	NVD	id:	CVE-2021-23885

LAST UPDATE DATE

2024-11-23T22:40:47.451000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2021-12635	date:	2021-02-25T00:00:00
db:	VULHUB	id:	VHN-382568	date:	2022-04-26T00:00:00
db:	JVNDB	id:	JVNDB-2021-004023	date:	2021-11-12T04:57:00
db:	CNNVD	id:	CNNVD-202102-1286	date:	2022-04-27T00:00:00
db:	NVD	id:	CVE-2021-23885	date:	2024-11-21T05:52:00.190

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2021-12635	date:	2021-02-25T00:00:00
db:	VULHUB	id:	VHN-382568	date:	2021-02-17T00:00:00
db:	JVNDB	id:	JVNDB-2021-004023	date:	2021-11-12T00:00:00
db:	CNNVD	id:	CNNVD-202102-1286	date:	2021-02-17T00:00:00
db:	NVD	id:	CVE-2021-23885	date:	2021-02-17T10:15:12.647