ID

VAR-202111-0617


CVE

CVE-2021-3840


TITLE

Antilles Uncontrolled Search Path Element Vulnerability in Open Source Software

Trust: 0.8

sources: JVNDB: JVNDB-2021-015128

DESCRIPTION

A dependency confusion vulnerability was reported in the Antilles open-source software prior to version 1.0.1 that could allow for remote code execution during installation, because a package listed in requirements.txt did not exist in the public package index (PyPI). MITRE classifies this weakness as an Uncontrolled Search Path Element (CWE-427), in which a private package dependency may be replaced by an unauthorized package of the same name published to a well-known public repository such as PyPI. The configuration has been updated to only install components built by Antilles, removing all other public package indexes. Additionally, the antilles-tools dependency has been published to PyPI. Antilles open source software contains an uncontrolled search path element vulnerability: information may be obtained, information may be tampered with, and service operation may be interrupted (DoS).

Trust: 1.71

sources: NVD: CVE-2021-3840 // JVNDB: JVNDB-2021-015128 // VULHUB: VHN-400035
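The two conditions the advisory describes (a private package name that nobody has reserved on the public index, and an installer configuration under which pip still consults that public index) can be checked mechanically before each build. The script below is an added example written for this page; it is not code from the Antilles project. It assumes a requirements.txt, a pip.conf, the set of names served by your private index and the set of names known to exist on PyPI, all constructed inline here. In practice the PyPI set comes from a lookup against https://pypi.org/simple/<name>/, and the private index host pkgs.example.internal is a placeholder. A name that is present on the public index is treated as already yours (as antilles-tools is after the fix); whether someone else owns it cannot be decided offline.

```python
from __future__ import annotations

import configparser
import re
from dataclasses import dataclass

PUBLIC_INDEX = "https://pypi.org/simple"

# Leading project name of a requirement line (PEP 508 name charset); the
# version specifier, extras and markers after it are ignored here.
_REQ_NAME = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")


def normalize(name: str) -> str:
    """PEP 503 normalisation, as the simple index API applies it: lower-case,
    with runs of '-', '_' and '.' collapsed to a single '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text: str) -> list[str]:
    """Normalised package names a requirements.txt asks pip to resolve.
    Option lines (-r, -e, --index-url ...) and URL requirements are skipped."""
    names = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(("-", "http://", "https://", "git+")):
            continue
        m = _REQ_NAME.match(line)
        if m:
            names.append(normalize(m.group(1)))
    return names


def index_urls(pip_conf: str) -> tuple[str | None, list[str]]:
    """index-url and extra-index-url values from a pip.conf [global] section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(pip_conf)
    if not cp.has_section("global"):
        return None, []
    section = cp["global"]
    return section.get("index-url"), section.get("extra-index-url", "").split()


def _is_public(url: str) -> bool:
    return url.rstrip("/") == PUBLIC_INDEX


@dataclass(frozen=True)
class Finding:
    package: str  # package name, or "pip.conf" for the index configuration
    reason: str


def audit(requirements: str, private_packages: set[str],
          public_packages: set[str], pip_conf: str) -> list[Finding]:
    """Flag the two conditions that together enable dependency confusion."""
    private = {normalize(n) for n in private_packages}
    public = {normalize(n) for n in public_packages}
    findings = []
    for name in parse_requirements(requirements):
        if name in private and name not in public:
            findings.append(Finding(name, "private name not registered on the "
                                          "public index; anyone can publish it"))
    index, extra = index_urls(pip_conf)
    # pip does not prefer index-url over extra-index-url: it takes the best
    # version across every index it is given, so a public index in either
    # setting (or no index-url at all, which defaults to PyPI) is enough.
    if index is None or _is_public(index) or any(_is_public(u) for u in extra):
        findings.append(Finding("pip.conf", "installs consult the public index; "
                                            "set index-url to the private index only"))
    return findings


# Constructed sample inputs (not taken from the Antilles repository).
REQUIREMENTS = """\
Antilles_Tools>=1.0      # private, built in-house (normalises to antilles-tools)
Flask==2.0.3
requests>=2.25,<3
-e ./src/antilles-core   # editable local path: skipped
"""
PRIVATE_PACKAGES = {"antilles-tools"}
PUBLIC_PACKAGES = {"flask", "requests"}  # stand-in for a real PyPI lookup

# Weak: the private index is merely added beside PyPI.
WEAK_PIP_CONF = """\
[global]
index-url = https://pypi.org/simple
extra-index-url = https://pkgs.example.internal/simple
"""
# Fixed, as the advisory describes: only the private index is consulted.
FIXED_PIP_CONF = """\
[global]
index-url = https://pkgs.example.internal/simple
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_PIP_CONF), ("fixed", FIXED_PIP_CONF)):
        for f in audit(REQUIREMENTS, PRIVATE_PACKAGES, PUBLIC_PACKAGES, conf):
            print(f"[{label}] {f.package}: {f.reason}")
```

With the weak configuration the audit reports both the unregistered antilles-tools name and the index setting; with the fixed pip.conf only the unregistered name remains, and it clears once the name is also published to PyPI, which is exactly the pair of measures the advisory lists.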

AFFECTED PRODUCTS

vendor: lenovo  model: antilles  scope: lt  version: 1.0.1

Trust: 1.0

vendor: lenovo  model: antilles  scope: eq  version: 1.0.1

Trust: 0.8

vendor: lenovo  model: antilles  scope: eq  version: -

Trust: 0.8

sources: JVNDB: JVNDB-2021-015128 // NVD: CVE-2021-3840

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2021-3840
value: HIGH

Trust: 1.0

psirt@lenovo.com: CVE-2021-3840
value: HIGH

Trust: 1.0

NVD: CVE-2021-3840
value: HIGH

Trust: 0.8

CNNVD: CNNVD-202111-1181
value: HIGH

Trust: 0.6

VULHUB: VHN-400035
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2021-3840
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-400035
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2021-3840
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 2.0

OTHER: JVNDB-2021-015128
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-400035 // JVNDB: JVNDB-2021-015128 // CNNVD: CNNVD-202111-1181 // NVD: CVE-2021-3840

PROBLEMTYPE DATA

problemtype: CWE-427

Trust: 1.1

problemtype: Uncontrolled search path elements (CWE-427) [NVD evaluation]

Trust: 0.8

sources: VULHUB: VHN-400035 // JVNDB: JVNDB-2021-015128 // NVD: CVE-2021-3840

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202111-1181

TYPE

code problem

Trust: 0.6

sources: CNNVD: CNNVD-202111-1181

PATCH

title: Antilles Dependency Confusion Vulnerability  url: https://github.com/lenovo/Antilles/security/advisories/GHSA-hgc3-hp6x-wpgx

Trust: 0.8

title: Antilles Fixes for code issue vulnerabilities  url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=170338

Trust: 0.6

sources: JVNDB: JVNDB-2021-015128 // CNNVD: CNNVD-202111-1181

EXTERNAL IDS

db: NVD  id: CVE-2021-3840

Trust: 3.3

db: JVNDB  id: JVNDB-2021-015128

Trust: 0.8

db: CNNVD  id: CNNVD-202111-1181

Trust: 0.6

db: VULHUB  id: VHN-400035

Trust: 0.1

sources: VULHUB: VHN-400035 // JVNDB: JVNDB-2021-015128 // CNNVD: CNNVD-202111-1181 // NVD: CVE-2021-3840

REFERENCES

url: https://github.com/lenovo/antilles/security/advisories/ghsa-hgc3-hp6x-wpgx

Trust: 1.7

url: https://nvd.nist.gov/vuln/detail/cve-2021-3840

Trust: 1.4

sources: VULHUB: VHN-400035 // JVNDB: JVNDB-2021-015128 // CNNVD: CNNVD-202111-1181 // NVD: CVE-2021-3840

SOURCES

db: VULHUB  id: VHN-400035
db: JVNDB  id: JVNDB-2021-015128
db: CNNVD  id: CNNVD-202111-1181
db: NVD  id: CVE-2021-3840

LAST UPDATE DATE

2024-08-14T14:44:13.984000+00:00


SOURCES UPDATE DATE

db: VULHUB  id: VHN-400035  date: 2021-11-17T00:00:00
db: JVNDB  id: JVNDB-2021-015128  date: 2022-11-10T02:28:00
db: CNNVD  id: CNNVD-202111-1181  date: 2021-11-23T00:00:00
db: NVD  id: CVE-2021-3840  date: 2021-11-17T14:30:33.023

SOURCES RELEASE DATE

db: VULHUB  id: VHN-400035  date: 2021-11-12T00:00:00
db: JVNDB  id: JVNDB-2021-015128  date: 2022-11-10T00:00:00
db: CNNVD  id: CNNVD-202111-1181  date: 2021-11-12T00:00:00
db: NVD  id: CVE-2021-3840  date: 2021-11-12T22:15:08.527