ID

VAR-202108-0413


CVE

CVE-2021-22944


TITLE

Ubiquiti Networks UniFi Protect Access Control Error Vulnerability

Trust: 1.2

sources: CNVD: CNVD-2022-15505 // CNNVD: CNNVD-202108-2801

DESCRIPTION

A vulnerability found in UniFi Protect application V1.18.1 and earlier allows a malicious actor with a view-only role and network access to gain the same privileges as the owner of the UniFi Protect application. This vulnerability is fixed in UniFi Protect application V1.19.0 and later. An unspecified vulnerability exists in the UniFi Protect application. Information may be obtained or tampered with, and service operation may be interrupted (DoS). Ubiquiti Networks UniFi Protect is a network video recorder from Ubiquiti Networks. The vulnerability stems from the product not enforcing effective permission controls on visitors who have only view access and network access.

Trust: 2.25

sources: NVD: CVE-2021-22944 // JVNDB: JVNDB-2021-011246 // CNVD: CNVD-2022-15505 // VULMON: CVE-2021-22944

IOT TAXONOMY

category: ['IoT'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2022-15505

AFFECTED PRODUCTS

vendor: ui, model: unifi protect, scope: lt, version: 1.19.0

Trust: 1.0

vendor: ui, model: unifi protect, scope: lte, version: 1.18.1 and earlier

Trust: 0.8

vendor: ui, model: unifi protect, scope: eq, version: -

Trust: 0.8

vendor: ubiquiti, model: networks unifi protect application, scope: lte, version: <=1.18.1

Trust: 0.6

sources: CNVD: CNVD-2022-15505 // JVNDB: JVNDB-2021-011246 // NVD: CVE-2021-22944

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2021-22944
value: HIGH

Trust: 1.0

NVD: CVE-2021-22944
value: HIGH

Trust: 0.8

CNVD: CNVD-2022-15505
value: HIGH

Trust: 0.6

CNNVD: CNNVD-202108-2801
value: HIGH

Trust: 0.6

VULMON: CVE-2021-22944
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2021-22944
severity: HIGH
baseScore: 7.7
vectorString: AV:A/AC:L/AU:S/C:C/I:C/A:C
accessVector: ADJACENT_NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 5.1
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

CNVD: CNVD-2022-15505
severity: HIGH
baseScore: 7.7
vectorString: AV:A/AC:L/AU:S/C:C/I:C/A:C
accessVector: ADJACENT_NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 5.1
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2021-22944
baseSeverity: HIGH
baseScore: 8.0
vectorString: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: ADJACENT
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.1
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2021-22944
baseSeverity: HIGH
baseScore: 8.0
vectorString: CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: ADJACENT NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2022-15505 // VULMON: CVE-2021-22944 // JVNDB: JVNDB-2021-011246 // CNNVD: CNNVD-202108-2801 // NVD: CVE-2021-22944

PROBLEMTYPE DATA

problemtype: NVD-CWE-noinfo

Trust: 1.0

problemtype: Lack of information (CWE-noinfo) [NVD evaluation]

Trust: 0.8

sources: JVNDB: JVNDB-2021-011246 // NVD: CVE-2021-22944

THREAT TYPE

remote or local

Trust: 0.6

sources: CNNVD: CNNVD-202108-2801

TYPE

access control error

Trust: 0.6

sources: CNNVD: CNNVD-202108-2801

PATCH

title: Security Advisory Bulletin 019, url: https://community.ui.com/releases/Security-Advisory-Bulletin-019-019/90a00abe-d6b6-43c6-92d4-0a0342f1506f

Trust: 0.8

title: Patch for Ubiquiti Networks UniFi Protect Access Control Error Vulnerability, url: https://www.cnvd.org.cn/patchInfo/show/322551

Trust: 0.6

title: Ubiquiti Networks UniFi Protect Fixes for access control error vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=162089

Trust: 0.6

sources: CNVD: CNVD-2022-15505 // JVNDB: JVNDB-2021-011246 // CNNVD: CNNVD-202108-2801

EXTERNAL IDS

db: NVD, id: CVE-2021-22944

Trust: 3.9

db: JVNDB, id: JVNDB-2021-011246

Trust: 0.8

db: CNVD, id: CNVD-2022-15505

Trust: 0.6

db: CNNVD, id: CNNVD-202108-2801

Trust: 0.6

db: VULMON, id: CVE-2021-22944

Trust: 0.1

sources: CNVD: CNVD-2022-15505 // VULMON: CVE-2021-22944 // JVNDB: JVNDB-2021-011246 // CNNVD: CNNVD-202108-2801 // NVD: CVE-2021-22944

REFERENCES

url: https://community.ui.com/releases/security-advisory-bulletin-019-019/90a00abe-d6b6-43c6-92d4-0a0342f1506f

Trust: 1.7

url: https://nvd.nist.gov/vuln/detail/cve-2021-22944

Trust: 1.4

url: https://cwe.mitre.org/data/definitions/269.html

Trust: 0.1

url: https://nvd.nist.gov

Trust: 0.1

sources: CNVD: CNVD-2022-15505 // VULMON: CVE-2021-22944 // JVNDB: JVNDB-2021-011246 // CNNVD: CNNVD-202108-2801 // NVD: CVE-2021-22944

SOURCES

db: CNVD, id: CNVD-2022-15505
db: VULMON, id: CVE-2021-22944
db: JVNDB, id: JVNDB-2021-011246
db: CNNVD, id: CNNVD-202108-2801
db: NVD, id: CVE-2021-22944

LAST UPDATE DATE

2024-08-14T14:55:53.986000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2022-15505, date: 2022-03-01T00:00:00
db: VULMON, id: CVE-2021-22944, date: 2021-09-09T00:00:00
db: JVNDB, id: JVNDB-2021-011246, date: 2022-07-25T07:41:00
db: CNNVD, id: CNNVD-202108-2801, date: 2022-07-14T00:00:00
db: NVD, id: CVE-2021-22944, date: 2022-07-12T17:42:04.277

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2022-15505, date: 2022-03-01T00:00:00
db: VULMON, id: CVE-2021-22944, date: 2021-08-31T00:00:00
db: JVNDB, id: JVNDB-2021-011246, date: 2022-07-25T00:00:00
db: CNNVD, id: CNNVD-202108-2801, date: 2021-08-31T00:00:00
db: NVD, id: CVE-2021-22944, date: 2021-08-31T17:15:07.817