Details of VAR-202109-1645

ID

VAR-202109-1645

CVE

CVE-2021-37106

TITLE

FusionCompute Command injection vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2021-012677

DESCRIPTION

There is a command injection vulnerability in CMA service module of FusionCompute 6.3.0, 6.3.1, 6.5.0 and 8.0.0 when processing the default certificate file. The software constructs part of a command using external special input from users, but the software does not sufficiently validate the user input. Successful exploit could allow the attacker to inject certain commands to the system. FusionCompute Contains a command injection vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. Pillow is a Python-based image processing library. There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements. Huawei FusionCompute is a computer virtualization engine developed by Huawei in China. The product provides Virtual Resource Manager (VRM) and Compute Node Agent (CNA), etc. This vulnerability stems from the lack of effective filtering of special characters

Trust: 2.34

sources: NVD: CVE-2021-37106 // JVNDB: JVNDB-2021-012677 // CNNVD: CNNVD-202104-975 // VULHUB: VHN-397518 // VULMON: CVE-2021-37106

AFFECTED PRODUCTS

vendor:	huawei	model:	fusioncompute	scope:	eq	version:	6.3.1	Trust: 1.0
vendor:	huawei	model:	fusioncompute	scope:	eq	version:	8.0.0	Trust: 1.0
vendor:	huawei	model:	fusioncompute	scope:	eq	version:	6.3.0	Trust: 1.0
vendor:	huawei	model:	fusioncompute	scope:	eq	version:	6.5.0	Trust: 1.0
vendor:	huawei	model:	fusioncompute	scope:	eq	version:	-	Trust: 0.8
vendor:	huawei	model:	fusioncompute	scope:	eq	version:	fusioncompute firmware 6.3.1	Trust: 0.8
vendor:	huawei	model:	fusioncompute	scope:	eq	version:	fusioncompute firmware 6.3.0	Trust: 0.8
vendor:	huawei	model:	fusioncompute	scope:	eq	version:	fusioncompute firmware 6.5.0	Trust: 0.8
vendor:	huawei	model:	fusioncompute	scope:	eq	version:	fusioncompute firmware 8.0.0	Trust: 0.8

sources: JVNDB: JVNDB-2021-012677 // NVD: CVE-2021-37106

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2021-37106
value:	HIGH
Trust: 1.0
NVD:	CVE-2021-37106
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-202109-1612
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-202104-975
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-397518
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2021-37106
severity:	HIGH
baseScore:	9.0
vectorString:	AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-397518
severity:	HIGH
baseScore:	9.0
vectorString:	AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2021-37106
baseSeverity:	HIGH
baseScore:	7.2
vectorString:	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	1.2
impactScore:	5.9
version:	3.1
Trust: 1.0
NVD:	CVE-2021-37106
baseSeverity:	HIGH
baseScore:	7.2
vectorString:	CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULHUB: VHN-397518 // JVNDB: JVNDB-2021-012677 // CNNVD: CNNVD-202109-1612 // CNNVD: CNNVD-202104-975 // NVD: CVE-2021-37106

PROBLEMTYPE DATA

problemtype:	CWE-77	Trust: 1.1
problemtype:	Command injection (CWE-77) [NVD evaluation ]	Trust: 0.8

sources: VULHUB: VHN-397518 // JVNDB: JVNDB-2021-012677 // NVD: CVE-2021-37106

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202109-1612

TYPE

command injection

Trust: 0.6

sources: CNNVD: CNNVD-202109-1612

PATCH

title:	huawei-sa-20210922-01-commandinjection	url:	https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20210922-01-commandinjection-en	Trust: 0.8
title:	Huawei FusionCompute Fixes for operating system command injection vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=164744	Trust: 0.6

sources: JVNDB: JVNDB-2021-012677 // CNNVD: CNNVD-202109-1612

EXTERNAL IDS

db:	NVD	id:	CVE-2021-37106	Trust: 3.4
db:	JVNDB	id:	JVNDB-2021-012677	Trust: 0.8
db:	CNNVD	id:	CNNVD-202109-1612	Trust: 0.7
db:	CS-HELP	id:	SB2021092302	Trust: 0.6
db:	CS-HELP	id:	SB2021041363	Trust: 0.6
db:	CNNVD	id:	CNNVD-202104-975	Trust: 0.6
db:	VULHUB	id:	VHN-397518	Trust: 0.1
db:	VULMON	id:	CVE-2021-37106	Trust: 0.1

sources: VULHUB: VHN-397518 // VULMON: CVE-2021-37106 // JVNDB: JVNDB-2021-012677 // CNNVD: CNNVD-202109-1612 // CNNVD: CNNVD-202104-975 // NVD: CVE-2021-37106

REFERENCES

url:	https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20210922-01-commandinjection-en	Trust: 1.8
url:	https://nvd.nist.gov/vuln/detail/cve-2021-37106	Trust: 1.4
url:	https://www.huawei.com/cn/psirt/security-advisories/huawei-sa-20210922-01-commandinjection-cn	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2021092302	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2021041363	Trust: 0.6
url:	https://nvd.nist.gov	Trust: 0.1

sources: VULHUB: VHN-397518 // VULMON: CVE-2021-37106 // JVNDB: JVNDB-2021-012677 // CNNVD: CNNVD-202109-1612 // CNNVD: CNNVD-202104-975 // NVD: CVE-2021-37106

CREDITS

The vulnerability was discovered by Huawei's internal testing

Trust: 0.6

sources: CNNVD: CNNVD-202109-1612

SOURCES

db:	VULHUB	id:	VHN-397518
db:	VULMON	id:	CVE-2021-37106
db:	JVNDB	id:	JVNDB-2021-012677
db:	CNNVD	id:	CNNVD-202109-1612
db:	CNNVD	id:	CNNVD-202104-975
db:	NVD	id:	CVE-2021-37106

LAST UPDATE DATE

2024-08-14T13:06:59.892000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-397518	date:	2022-05-03T00:00:00
db:	VULMON	id:	CVE-2021-37106	date:	2021-09-28T00:00:00
db:	JVNDB	id:	JVNDB-2021-012677	date:	2022-09-05T07:22:00
db:	CNNVD	id:	CNNVD-202109-1612	date:	2022-05-06T00:00:00
db:	CNNVD	id:	CNNVD-202104-975	date:	2021-04-14T00:00:00
db:	NVD	id:	CVE-2021-37106	date:	2022-05-03T16:04:40.443

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-397518	date:	2021-09-28T00:00:00
db:	VULMON	id:	CVE-2021-37106	date:	2021-09-28T00:00:00
db:	JVNDB	id:	JVNDB-2021-012677	date:	2022-09-05T00:00:00
db:	CNNVD	id:	CNNVD-202109-1612	date:	2021-09-22T00:00:00
db:	CNNVD	id:	CNNVD-202104-975	date:	2021-04-13T00:00:00
db:	NVD	id:	CVE-2021-37106	date:	2021-09-28T15:15:07.503