ID

VAR-202104-1355


CVE

CVE-2021-28204


TITLE

OS command injection vulnerability in multiple ASUS products

Trust: 0.8

sources: JVNDB: JVNDB-2021-005354

DESCRIPTION

A specific function in the Web management page of ASUS BMC firmware (the Modify user's information function) does not filter a specific parameter. After obtaining administrator permission, remote attackers can perform command injection to execute arbitrary commands. Multiple ASUS products contain an OS command injection vulnerability. Information may be obtained or tampered with, and the service may be put into a denial-of-service (DoS) state. ASUS BMC Firmware is firmware from ASUS Corporation of China.

Trust: 2.25

sources: NVD: CVE-2021-28204 // JVNDB: JVNDB-2021-005354 // CNVD: CNVD-2021-36013 // VULMON: CVE-2021-28204

IOT TAXONOMY

category: ['Network device'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2021-36013

AFFECTED PRODUCTS

vendor: asus, model: z10pr-d16, scope: eq, version: 1.14.51

Trust: 1.0

vendor: asus, model: asmb8-ikvm, scope: eq, version: 1.14.51

Trust: 1.0

vendor: asus, model: z10pe-d16 ws, scope: eq, version: 1.14.2

Trust: 1.0

vendor: asustek computer, model: asmb8-ikvm, scope: -, version: -

Trust: 0.8

vendor: asustek computer, model: z10pr-d16, scope: -, version: -

Trust: 0.8

vendor: asustek computer, model: z10pe-d16 ws, scope: -, version: -

Trust: 0.8

vendor: asus, model: bmc, scope: -, version: -

Trust: 0.6

sources: CNVD: CNVD-2021-36013 // JVNDB: JVNDB-2021-005354 // NVD: CVE-2021-28204

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2021-28204
value: HIGH

Trust: 1.0

twcert@cert.org.tw: CVE-2021-28204
value: HIGH

Trust: 1.0

NVD: CVE-2021-28204
value: HIGH

Trust: 0.8

CNVD: CNVD-2021-36013
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-202104-313
value: HIGH

Trust: 0.6

VULMON: CVE-2021-28204
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2021-28204
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

CNVD: CNVD-2021-36013
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2021-28204
baseSeverity: HIGH
baseScore: 7.2
vectorString: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.2
impactScore: 5.9
version: 3.1

Trust: 2.0

OTHER: JVNDB-2021-005354
baseSeverity: HIGH
baseScore: 7.2
vectorString: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2021-36013 // VULMON: CVE-2021-28204 // JVNDB: JVNDB-2021-005354 // CNNVD: CNNVD-202104-313 // NVD: CVE-2021-28204 // NVD: CVE-2021-28204

PROBLEMTYPE DATA

problemtype: CWE-78

Trust: 1.0

problemtype: OS command injection (CWE-78) [NVD evaluation]

Trust: 0.8

sources: JVNDB: JVNDB-2021-005354 // NVD: CVE-2021-28204

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202104-313

TYPE

operating system command injection

Trust: 0.6

sources: CNNVD: CNNVD-202104-313

PATCH

title: ASUS Product Security Advisory ASUS
url: https://www.asus.com/content/ASUS-Product-Security-Advisory/

Trust: 0.8

title: Patch for ASUS BMC Firmware operating system command injection vulnerability (CNVD-2021-36013)
url: https://www.cnvd.org.cn/patchInfo/show/266231

Trust: 0.6

title: ASUS BMC Firmware Fixing measures for security feature vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=147161

Trust: 0.6

sources: CNVD: CNVD-2021-36013 // JVNDB: JVNDB-2021-005354 // CNNVD: CNNVD-202104-313

EXTERNAL IDS

db: NVD, id: CVE-2021-28204

Trust: 3.9

db: JVNDB, id: JVNDB-2021-005354

Trust: 0.8

db: CNVD, id: CNVD-2021-36013

Trust: 0.6

db: CNNVD, id: CNNVD-202104-313

Trust: 0.6

db: VULMON, id: CVE-2021-28204

Trust: 0.1

sources: CNVD: CNVD-2021-36013 // VULMON: CVE-2021-28204 // JVNDB: JVNDB-2021-005354 // CNNVD: CNNVD-202104-313 // NVD: CVE-2021-28204

REFERENCES

url:https://www.twcert.org.tw/tw/cp-132-4574-b61a6-1.html

Trust: 2.5

url:https://www.asus.com/tw/support/callus/

Trust: 2.3

url:https://www.asus.com/content/asus-product-security-advisory/

Trust: 1.7

url:https://nvd.nist.gov/vuln/detail/cve-2021-28204

Trust: 0.8

url:https://cwe.mitre.org/data/definitions/78.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

sources: CNVD: CNVD-2021-36013 // VULMON: CVE-2021-28204 // JVNDB: JVNDB-2021-005354 // CNNVD: CNNVD-202104-313 // NVD: CVE-2021-28204

SOURCES

db: CNVD, id: CNVD-2021-36013
db: VULMON, id: CVE-2021-28204
db: JVNDB, id: JVNDB-2021-005354
db: CNNVD, id: CNNVD-202104-313
db: NVD, id: CVE-2021-28204

LAST UPDATE DATE

2024-08-14T14:18:31.568000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2021-36013, date: 2021-05-21T00:00:00
db: VULMON, id: CVE-2021-28204, date: 2021-04-14T00:00:00
db: JVNDB, id: JVNDB-2021-005354, date: 2021-12-13T08:21:00
db: CNNVD, id: CNNVD-202104-313, date: 2021-04-15T00:00:00
db: NVD, id: CVE-2021-28204, date: 2021-04-14T12:29:00.403

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2021-36013, date: 2021-05-20T00:00:00
db: VULMON, id: CVE-2021-28204, date: 2021-04-06T00:00:00
db: JVNDB, id: JVNDB-2021-005354, date: 2021-12-13T00:00:00
db: CNNVD, id: CNNVD-202104-313, date: 2021-04-06T00:00:00
db: NVD, id: CVE-2021-28204, date: 2021-04-06T05:15:17.050