Details of VAR-202110-1355

ID

VAR-202110-1355

CVE

CVE-2021-37131

TITLE

plural Huawei In the product CSV Vulnerability in neutralizing math elements in files

Trust: 0.8

sources: JVNDB: JVNDB-2021-014239

DESCRIPTION

There is a CSV injection vulnerability in ManageOne, iManager NetEco and iManager NetEco 6000. An attacker with high privilege may exploit this vulnerability through some operations to inject the CSV files. Due to insufficient input validation of some parameters, the attacker can exploit this vulnerability to inject CSV files to the target device. ManageOne , iManager NetEco , iManager NetEco 6000 for, CSV A vulnerability exists regarding the neutralization of formula elements in files.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state

Trust: 1.71

sources: NVD: CVE-2021-37131 // JVNDB: JVNDB-2021-014239 // VULHUB: VHN-398967

AFFECTED PRODUCTS

vendor:	huawei	model:	imanager neteco	scope:	eq	version:	v600r010c00spc210	Trust: 1.0
vendor:	huawei	model:	imanager neteco	scope:	eq	version:	v600r010c00spc110	Trust: 1.0
vendor:	huawei	model:	imanager neteco 6000	scope:	eq	version:	v600r009c00spc221	Trust: 1.0
vendor:	huawei	model:	manageone	scope:	eq	version:	6.5.1	Trust: 1.0
vendor:	huawei	model:	manageone	scope:	eq	version:	8.0.0	Trust: 1.0
vendor:	huawei	model:	imanager neteco 6000	scope:	eq	version:	v600r009c00spc200	Trust: 1.0
vendor:	huawei	model:	imanager neteco	scope:	eq	version:	v600r010c00cp2001	Trust: 1.0
vendor:	huawei	model:	imanager neteco	scope:	eq	version:	v600r010c00cp3001	Trust: 1.0
vendor:	huawei	model:	imanager neteco	scope:	eq	version:	v600r010c00cp2002	Trust: 1.0
vendor:	huawei	model:	imanager neteco	scope:	eq	version:	v600r010c00spc200	Trust: 1.0
vendor:	huawei	model:	imanager neteco 6000	scope:	eq	version:	v600r009c00spc100	Trust: 1.0
vendor:	huawei	model:	imanager neteco	scope:	eq	version:	v600r010c00cp3002	Trust: 1.0
vendor:	huawei	model:	imanager neteco	scope:	eq	version:	v600r010c00spc300	Trust: 1.0
vendor:	huawei	model:	imanager neteco	scope:	eq	version:	v600r010c00cp3102	Trust: 1.0
vendor:	huawei	model:	imanager neteco 6000	scope:	eq	version:	v600r009c00spc220	Trust: 1.0
vendor:	huawei	model:	imanager neteco 6000	scope:	eq	version:	v600r009c00spc232	Trust: 1.0
vendor:	huawei	model:	imanager neteco	scope:	eq	version:	v600r010c00spc100	Trust: 1.0
vendor:	huawei	model:	imanager neteco 6000	scope:	eq	version:	v600r009c00spc120	Trust: 1.0
vendor:	huawei	model:	imanager neteco 6000	scope:	eq	version:	v600r009c00spc201	Trust: 1.0
vendor:	huawei	model:	manageone	scope:	eq	version:	8.0.1	Trust: 1.0
vendor:	huawei	model:	imanager neteco 6000	scope:	eq	version:	v600r009c00spc190	Trust: 1.0
vendor:	huawei	model:	imanager neteco	scope:	eq	version:	v600r010c00cp3101	Trust: 1.0
vendor:	huawei	model:	manageone	scope:	eq	version:	6.5.1.1	Trust: 1.0
vendor:	huawei	model:	imanager neteco	scope:	eq	version:	v600r010c00spc310	Trust: 1.0
vendor:	huawei	model:	imanager neteco 6000	scope:	eq	version:	v600r009c00spc210	Trust: 1.0
vendor:	huawei	model:	imanager neteco 6000	scope:	eq	version:	v600r009c00cp2201	Trust: 1.0
vendor:	huawei	model:	imanager neteco 6000	scope:	eq	version:	v600r009c00cp2301	Trust: 1.0
vendor:	huawei	model:	imanager neteco 6000	scope:	eq	version:	v600r009c00spc202	Trust: 1.0
vendor:	huawei	model:	imanager neteco 6000	scope:	eq	version:	v600r009c00spc230	Trust: 1.0
vendor:	huawei	model:	imanager neteco 6000	scope:	eq	version:	v600r009c00spc110	Trust: 1.0
vendor:	huawei	model:	imanager neteco	scope:	eq	version:	v600r010c00spc120	Trust: 1.0
vendor:	huawei	model:	imanager neteco	scope:	-	version:	-	Trust: 0.8
vendor:	huawei	model:	manageone	scope:	-	version:	-	Trust: 0.8
vendor:	huawei	model:	imanager neteco 6000	scope:	-	version:	-	Trust: 0.8

sources: JVNDB: JVNDB-2021-014239 // NVD: CVE-2021-37131

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2021-37131
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2021-37131
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-202110-1521
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-398967
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2021-37131
severity:	MEDIUM
baseScore:	6.0
vectorString:	AV:N/AC:M/AU:S/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	6.8
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-398967
severity:	MEDIUM
baseScore:	6.0
vectorString:	AV:N/AC:M/AU:S/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	6.8
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2021-37131
baseSeverity:	MEDIUM
baseScore:	6.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	0.9
impactScore:	5.9
version:	3.1
Trust: 1.0
NVD:	CVE-2021-37131
baseSeverity:	MEDIUM
baseScore:	6.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULHUB: VHN-398967 // JVNDB: JVNDB-2021-014239 // CNNVD: CNNVD-202110-1521 // NVD: CVE-2021-37131

PROBLEMTYPE DATA

problemtype:	CWE-1236	Trust: 1.0
problemtype:	CSV Improper neutralization of math elements in the file (CWE-1236) [NVD evaluation ]	Trust: 0.8

sources: JVNDB: JVNDB-2021-014239 // NVD: CVE-2021-37131

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202110-1521

TYPE

code injection

Trust: 0.6

sources: CNNVD: CNNVD-202110-1521

PATCH

title:	huawei-sa-20211020-01-csv	url:	https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20211020-01-csv-en	Trust: 0.8
title:	Huawei Imanager NetEco Fixes for code injection vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=167597	Trust: 0.6

sources: JVNDB: JVNDB-2021-014239 // CNNVD: CNNVD-202110-1521

EXTERNAL IDS

db:	NVD	id:	CVE-2021-37131	Trust: 3.3
db:	JVNDB	id:	JVNDB-2021-014239	Trust: 0.8
db:	CS-HELP	id:	SB2021102125	Trust: 0.6
db:	CNNVD	id:	CNNVD-202110-1521	Trust: 0.6
db:	VULHUB	id:	VHN-398967	Trust: 0.1

sources: VULHUB: VHN-398967 // JVNDB: JVNDB-2021-014239 // CNNVD: CNNVD-202110-1521 // NVD: CVE-2021-37131

REFERENCES

url:	https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20211020-01-csv-en	Trust: 1.7
url:	https://nvd.nist.gov/vuln/detail/cve-2021-37131	Trust: 0.8
url:	https://www.huawei.com/cn/psirt/security-advisories/huawei-sa-20211020-01-csv-cn	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2021102125	Trust: 0.6

sources: VULHUB: VHN-398967 // JVNDB: JVNDB-2021-014239 // CNNVD: CNNVD-202110-1521 // NVD: CVE-2021-37131

CREDITS

The vulnerability was discovered by Huawei's internal testing

Trust: 0.6

sources: CNNVD: CNNVD-202110-1521

SOURCES

db:	VULHUB	id:	VHN-398967
db:	JVNDB	id:	JVNDB-2021-014239
db:	CNNVD	id:	CNNVD-202110-1521
db:	NVD	id:	CVE-2021-37131

LAST UPDATE DATE

2024-08-14T14:37:51.080000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-398967	date:	2021-10-29T00:00:00
db:	JVNDB	id:	JVNDB-2021-014239	date:	2022-10-11T07:44:00
db:	CNNVD	id:	CNNVD-202110-1521	date:	2021-11-02T00:00:00
db:	NVD	id:	CVE-2021-37131	date:	2021-10-29T01:26:41.697

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-398967	date:	2021-10-27T00:00:00
db:	JVNDB	id:	JVNDB-2021-014239	date:	2022-10-11T00:00:00
db:	CNNVD	id:	CNNVD-202110-1521	date:	2021-10-21T00:00:00
db:	NVD	id:	CVE-2021-37131	date:	2021-10-27T01:15:07.863