Details of VAR-202110-1632

ID

VAR-202110-1632

CVE

CVE-2021-37732

TITLE

Aruba Instant command injection vulnerability (CNVD-2021-89450)

Trust: 0.6

sources: CNVD: CNVD-2021-89450

DESCRIPTION

A remote arbitrary command execution vulnerability was discovered in HPE Aruba Instant (IAP) version(s): Aruba Instant 6.4.x.x: 6.4.4.8-4.2.4.17 and below; Aruba Instant 6.5.x.x: 6.5.4.18 and below; Aruba Instant 8.5.x.x: 8.5.0.11 and below; Aruba Instant 8.6.x.x: 8.6.0.6 and below; Aruba Instant 8.7.x.x: 8.7.1.0 and below. Aruba has released patches for Aruba Instant (IAP) that address this security vulnerability. Provides the only Wi-Fi solution that is easy to set up. Aruba Instant has a command injection vulnerability, which is caused by incorrect input validation in the web interface. Attackers use the vulnerability to send elaborate HTTP requests to the application and execute arbitrary OS commands on the target system

Trust: 1.53

sources: NVD: CVE-2021-37732 // CNVD: CNVD-2021-89450 // VULMON: CVE-2021-37732

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2021-89450

AFFECTED PRODUCTS

vendor:	arubanetworks	model:	aruba instant	scope:	lt	version:	8.5.0.12	Trust: 1.0
vendor:	arubanetworks	model:	aruba instant	scope:	lt	version:	8.7.1.1	Trust: 1.0
vendor:	arubanetworks	model:	aruba instant	scope:	lt	version:	6.4.4.8-4.2.4.18	Trust: 1.0
vendor:	arubanetworks	model:	aruba instant	scope:	gte	version:	8.6.0.0	Trust: 1.0
vendor:	arubanetworks	model:	aruba instant	scope:	gte	version:	6.4.0.2-4.1.0.0	Trust: 1.0
vendor:	arubanetworks	model:	aruba instant	scope:	lt	version:	6.5.4.19	Trust: 1.0
vendor:	arubanetworks	model:	aruba instant	scope:	gte	version:	8.5.0.0	Trust: 1.0
vendor:	arubanetworks	model:	aruba instant	scope:	gte	version:	6.5.4.0	Trust: 1.0
vendor:	arubanetworks	model:	aruba instant	scope:	gte	version:	8.7.0.0	Trust: 1.0
vendor:	siemens	model:	scalance w1750d	scope:	lt	version:	8.7.1.3	Trust: 1.0
vendor:	arubanetworks	model:	aruba instant	scope:	lt	version:	8.6.0.7	Trust: 1.0
vendor:	aruba	model:	instant	scope:	eq	version:	6.5.4.1	Trust: 0.6
vendor:	aruba	model:	instant	scope:	eq	version:	6.5.4.2	Trust: 0.6
vendor:	aruba	model:	instant	scope:	eq	version:	6.5.4.3	Trust: 0.6
vendor:	aruba	model:	instant	scope:	eq	version:	6.5.4.4	Trust: 0.6
vendor:	aruba	model:	instant	scope:	eq	version:	6.5.4.5	Trust: 0.6
vendor:	aruba	model:	instant	scope:	eq	version:	6.5.4.6	Trust: 0.6
vendor:	aruba	model:	instant	scope:	eq	version:	6.5.4.7	Trust: 0.6
vendor:	aruba	model:	instant	scope:	eq	version:	6.5.4.8	Trust: 0.6
vendor:	aruba	model:	instant	scope:	eq	version:	6.5.4.9	Trust: 0.6
vendor:	aruba	model:	instant	scope:	eq	version:	6.5.4.10	Trust: 0.6
vendor:	aruba	model:	instant	scope:	eq	version:	6.5.4.11	Trust: 0.6
vendor:	aruba	model:	instant	scope:	eq	version:	6.5.4.12	Trust: 0.6
vendor:	aruba	model:	instant	scope:	eq	version:	6.5.4.13	Trust: 0.6
vendor:	aruba	model:	instant	scope:	eq	version:	6.5.4.14	Trust: 0.6
vendor:	aruba	model:	instant	scope:	eq	version:	6.5.4.15	Trust: 0.6
vendor:	aruba	model:	instant	scope:	eq	version:	6.5.4.16	Trust: 0.6
vendor:	aruba	model:	instant	scope:	eq	version:	6.5.4.17	Trust: 0.6
vendor:	aruba	model:	instant	scope:	eq	version:	6.5.4.18	Trust: 0.6
vendor:	aruba	model:	instant	scope:	eq	version:	8.5.0.0	Trust: 0.6
vendor:	aruba	model:	instant	scope:	eq	version:	8.5.0.1	Trust: 0.6
vendor:	aruba	model:	instant	scope:	eq	version:	8.5.0.2	Trust: 0.6
vendor:	aruba	model:	instant	scope:	eq	version:	8.5.0.3	Trust: 0.6
vendor:	aruba	model:	instant	scope:	eq	version:	8.5.0.4	Trust: 0.6
vendor:	aruba	model:	instant	scope:	eq	version:	8.5.0.5	Trust: 0.6
vendor:	aruba	model:	instant	scope:	eq	version:	8.5.0.6	Trust: 0.6
vendor:	aruba	model:	instant	scope:	eq	version:	8.5.0.7	Trust: 0.6
vendor:	aruba	model:	instant	scope:	eq	version:	8.5.0.8	Trust: 0.6
vendor:	aruba	model:	instant	scope:	eq	version:	8.5.0.9	Trust: 0.6
vendor:	aruba	model:	instant	scope:	eq	version:	8.5.0.10	Trust: 0.6
vendor:	aruba	model:	instant	scope:	eq	version:	8.5.0.11	Trust: 0.6
vendor:	aruba	model:	instant	scope:	eq	version:	8.6.0.0	Trust: 0.6
vendor:	aruba	model:	instant	scope:	eq	version:	8.6.0.1	Trust: 0.6
vendor:	aruba	model:	instant	scope:	eq	version:	8.6.0.2	Trust: 0.6
vendor:	aruba	model:	instant	scope:	eq	version:	8.6.0.3	Trust: 0.6
vendor:	aruba	model:	instant	scope:	eq	version:	8.6.0.4	Trust: 0.6
vendor:	aruba	model:	instant	scope:	eq	version:	8.6.0.5	Trust: 0.6
vendor:	aruba	model:	instant	scope:	eq	version:	8.6.0.6	Trust: 0.6
vendor:	aruba	model:	instant	scope:	eq	version:	8.7.0.0	Trust: 0.6
vendor:	aruba	model:	instant	scope:	eq	version:	8.7.1.0	Trust: 0.6
vendor:	aruba	model:	networks aruba instant	scope:	eq	version:	8.7.x.x	Trust: 0.6
vendor:	aruba	model:	networks aruba instant	scope:	eq	version:	6.4.x.x	Trust: 0.6
vendor:	aruba	model:	networks aruba instant	scope:	eq	version:	6.5.x.x	Trust: 0.6
vendor:	aruba	model:	networks aruba instant	scope:	eq	version:	8.6.x.x	Trust: 0.6

sources: CNVD: CNVD-2021-89450 // NVD: CVE-2021-37732

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2021-37732
value:	HIGH
Trust: 1.0
CNVD:	CNVD-2021-89450
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-202110-412
value:	HIGH
Trust: 0.6
VULMON:	CVE-2021-37732
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2021-37732
severity:	HIGH
baseScore:	9.0
vectorString:	AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.1
CNVD:	CNVD-2021-89450
severity:	HIGH
baseScore:	9.0
vectorString:	AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2021-37732
baseSeverity:	HIGH
baseScore:	7.2
vectorString:	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	1.2
impactScore:	5.9
version:	3.1
Trust: 1.0

sources: CNVD: CNVD-2021-89450 // VULMON: CVE-2021-37732 // CNNVD: CNNVD-202110-412 // NVD: CVE-2021-37732

PROBLEMTYPE DATA

problemtype:

CWE-78

Trust: 1.0

sources: NVD: CVE-2021-37732

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202110-412

TYPE

operating system commend injection

Trust: 0.6

sources: CNNVD: CNNVD-202110-412

PATCH

title:	Patch for Aruba Instant command injection vulnerability (CNVD-2021-89450)	url:	https://www.cnvd.org.cn/patchInfo/show/300081	Trust: 0.6
title:	Aruba Instant Fixes for operating system command injection vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=166190	Trust: 0.6
title:	Siemens Security Advisories: Siemens Security Advisory	url:	https://vulmon.com/vendoradvisory?qidtp=siemens_security_advisories&qid=3a4aac694122a77f4f689c8a03f6ae75	Trust: 0.1

sources: CNVD: CNVD-2021-89450 // VULMON: CVE-2021-37732 // CNNVD: CNNVD-202110-412

EXTERNAL IDS

db:	NVD	id:	CVE-2021-37732	Trust: 2.3
db:	SIEMENS	id:	SSA-917476	Trust: 1.7
db:	ICS CERT	id:	ICSA-21-315-06	Trust: 0.7
db:	CNVD	id:	CNVD-2021-89450	Trust: 0.6
db:	CS-HELP	id:	SB2021111004	Trust: 0.6
db:	CS-HELP	id:	SB2021100720	Trust: 0.6
db:	AUSCERT	id:	ESB-2021.3874	Trust: 0.6
db:	CNNVD	id:	CNNVD-202110-412	Trust: 0.6
db:	VULMON	id:	CVE-2021-37732	Trust: 0.1

sources: CNVD: CNVD-2021-89450 // VULMON: CVE-2021-37732 // CNNVD: CNNVD-202110-412 // NVD: CVE-2021-37732

REFERENCES

url:	https://www.arubanetworks.com/assets/alert/aruba-psa-2021-017.txt	Trust: 1.7
url:	https://cert-portal.siemens.com/productcert/pdf/ssa-917476.pdf	Trust: 1.7
url:	https://nvd.nist.gov/vuln/detail/cve-2021-37732	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2021111004	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2021.3874	Trust: 0.6
url:	https://us-cert.cisa.gov/ics/advisories/icsa-21-315-06	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2021100720	Trust: 0.6
url:	https://cwe.mitre.org/data/definitions/78.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	https://www.cisa.gov/uscert/ics/advisories/icsa-21-315-06	Trust: 0.1

sources: CNVD: CNVD-2021-89450 // VULMON: CVE-2021-37732 // CNNVD: CNNVD-202110-412 // NVD: CVE-2021-37732

CREDITS

Siemens reported these vulnerabilities to CISA.

Trust: 0.6

sources: CNNVD: CNNVD-202110-412

SOURCES

db:	CNVD	id:	CNVD-2021-89450
db:	VULMON	id:	CVE-2021-37732
db:	CNNVD	id:	CNNVD-202110-412
db:	NVD	id:	CVE-2021-37732

LAST UPDATE DATE

2024-08-14T12:41:44.463000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2021-89450	date:	2021-11-20T00:00:00
db:	VULMON	id:	CVE-2021-37732	date:	2021-11-24T00:00:00
db:	CNNVD	id:	CNNVD-202110-412	date:	2021-11-15T00:00:00
db:	NVD	id:	CVE-2021-37732	date:	2021-11-24T21:37:33.660

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2021-89450	date:	2021-11-20T00:00:00
db:	VULMON	id:	CVE-2021-37732	date:	2021-10-12T00:00:00
db:	CNNVD	id:	CNNVD-202110-412	date:	2021-10-07T00:00:00
db:	NVD	id:	CVE-2021-37732	date:	2021-10-12T16:15:07.423