ID

VAR-202111-0617


CVE

CVE-2021-3840


TITLE

Antilles  Uncontrolled Search Path Element Vulnerability in Open Source Software

Trust: 0.8

sources: JVNDB: JVNDB-2021-015128

DESCRIPTION

A dependency confusion vulnerability was reported in the Antilles open-source software prior to version 1.0.1 that could allow for remote code execution during installation due to a package listed in requirements.txt not existing in the public package index (PyPi). MITRE classifies this weakness as an Uncontrolled Search Path Element (CWE-427) in which a private package dependency may be replaced by an unauthorized package of the same name published to a well-known public repository such as PyPi. The configuration has been updated to only install components built by Antilles, removing all other public package indexes. Additionally, the antilles-tools dependency has been published to PyPi. Antilles An uncontrolled search path element vulnerability exists in open source software.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state

Trust: 1.71

sources: NVD: CVE-2021-3840 // JVNDB: JVNDB-2021-015128 // VULHUB: VHN-400035

AFFECTED PRODUCTS

vendor:lenovomodel:antillesscope:ltversion:1.0.1

Trust: 1.0

vendor:lenovomodel:antillesscope:eqversion:1.0.1

Trust: 0.8

vendor:lenovomodel:antillesscope:eqversion: -

Trust: 0.8

sources: JVNDB: JVNDB-2021-015128 // NVD: CVE-2021-3840

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2021-3840
value: HIGH

Trust: 1.0

psirt@lenovo.com: CVE-2021-3840
value: HIGH

Trust: 1.0

NVD: CVE-2021-3840
value: HIGH

Trust: 0.8

CNNVD: CNNVD-202111-1181
value: HIGH

Trust: 0.6

VULHUB: VHN-400035
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2021-3840
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-400035
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2021-3840
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 2.0

OTHER: JVNDB-2021-015128
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-400035 // JVNDB: JVNDB-2021-015128 // CNNVD: CNNVD-202111-1181 // NVD: CVE-2021-3840 // NVD: CVE-2021-3840

PROBLEMTYPE DATA

problemtype:CWE-427

Trust: 1.1

problemtype:Uncontrolled search path elements (CWE-427) [NVD evaluation ]

Trust: 0.8

sources: VULHUB: VHN-400035 // JVNDB: JVNDB-2021-015128 // NVD: CVE-2021-3840

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202111-1181

TYPE

code problem

Trust: 0.6

sources: CNNVD: CNNVD-202111-1181

PATCH

title:Antilles Dependency Confusion Vulnerabilityurl:https://github.com/lenovo/Antilles/security/advisories/GHSA-hgc3-hp6x-wpgx

Trust: 0.8

title:Antilles Fixes for code issue vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=170338

Trust: 0.6

sources: JVNDB: JVNDB-2021-015128 // CNNVD: CNNVD-202111-1181

EXTERNAL IDS

db:NVDid:CVE-2021-3840

Trust: 3.3

db:JVNDBid:JVNDB-2021-015128

Trust: 0.8

db:CNNVDid:CNNVD-202111-1181

Trust: 0.6

db:VULHUBid:VHN-400035

Trust: 0.1

sources: VULHUB: VHN-400035 // JVNDB: JVNDB-2021-015128 // CNNVD: CNNVD-202111-1181 // NVD: CVE-2021-3840

REFERENCES

url:https://github.com/lenovo/antilles/security/advisories/ghsa-hgc3-hp6x-wpgx

Trust: 1.7

url:https://nvd.nist.gov/vuln/detail/cve-2021-3840

Trust: 1.4

sources: VULHUB: VHN-400035 // JVNDB: JVNDB-2021-015128 // CNNVD: CNNVD-202111-1181 // NVD: CVE-2021-3840

SOURCES

db:VULHUBid:VHN-400035
db:JVNDBid:JVNDB-2021-015128
db:CNNVDid:CNNVD-202111-1181
db:NVDid:CVE-2021-3840

LAST UPDATE DATE

2024-11-23T22:47:37.449000+00:00


SOURCES UPDATE DATE

db:VULHUBid:VHN-400035date:2021-11-17T00:00:00
db:JVNDBid:JVNDB-2021-015128date:2022-11-10T02:28:00
db:CNNVDid:CNNVD-202111-1181date:2021-11-23T00:00:00
db:NVDid:CVE-2021-3840date:2024-11-21T06:22:36.553

SOURCES RELEASE DATE

db:VULHUBid:VHN-400035date:2021-11-12T00:00:00
db:JVNDBid:JVNDB-2021-015128date:2022-11-10T00:00:00
db:CNNVDid:CNNVD-202111-1181date:2021-11-12T00:00:00
db:NVDid:CVE-2021-3840date:2021-11-12T22:15:08.527