ID

VAR-202111-0835


CVE

CVE-2021-43495


TITLE

Path traversal vulnerability in AlquistManager

Trust: 0.8

sources: JVNDB: JVNDB-2021-015156

DESCRIPTION

AlquistManager branch as of commit 280d99f43b11378212652e75f6f3159cde9c1d36 is affected by a directory traversal vulnerability in alquist/IO/input.py. This attack can cause the disclosure of critical secrets stored anywhere on the system and can significantly aid in getting remote code access. A path traversal vulnerability exists in AlquistManager. Information may be obtained. Alquist is an advanced conversational AI robot for interesting and engaging conversations with humans on trending topics such as movies, sports, news, etc. The security vulnerability in Alquist Manager is caused by the lack of effective filtering and escaping of user-submitted path data in the alquist/IO/input.py file, resulting in a directory traversal vulnerability. No detailed vulnerability details are currently available.

Trust: 2.25

sources: NVD: CVE-2021-43495 // JVNDB: JVNDB-2021-015156 // CNVD: CNVD-2022-10717 // VULMON: CVE-2021-43495

IOT TAXONOMY

category: ['IoT'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2022-10717

AFFECTED PRODUCTS

vendor: alquistai, model: alquist, scope: eq, version: 2017-06-13

Trust: 1.6

vendor: alquist ai, model: alquist, scope: -, version: -

Trust: 0.8

vendor: alquist ai, model: alquist, scope: eq, version: -

Trust: 0.8

sources: CNVD: CNVD-2022-10717 // JVNDB: JVNDB-2021-015156 // NVD: CVE-2021-43495

CVSS

SEVERITY

nvd@nist.gov: CVE-2021-43495
value: HIGH

Trust: 1.0

NVD: CVE-2021-43495
value: HIGH

Trust: 0.8

CNVD: CNVD-2022-10717
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-202111-1486
value: HIGH

Trust: 0.6

VULMON: CVE-2021-43495
value: MEDIUM

Trust: 0.1

CVSSV2

nvd@nist.gov: CVE-2021-43495
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

CNVD: CNVD-2022-10717
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

CVSSV3

nvd@nist.gov: CVE-2021-43495
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.1

Trust: 1.0

NVD: CVE-2021-43495
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2022-10717 // VULMON: CVE-2021-43495 // JVNDB: JVNDB-2021-015156 // CNNVD: CNNVD-202111-1486 // NVD: CVE-2021-43495

PROBLEMTYPE DATA

problemtype: CWE-22

Trust: 1.0

problemtype: Path traversal (CWE-22) [NVD evaluation]

Trust: 0.8

sources: JVNDB: JVNDB-2021-015156 // NVD: CVE-2021-43495

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202111-1486

TYPE

path traversal

Trust: 0.6

sources: CNNVD: CNNVD-202111-1486

PATCH

title: [Security], url: https://github.com/AlquistManager/alquist/issues/43

Trust: 0.8

title: Kenzer Templates [5170] [DEPRECATED], url: https://github.com/ARPSyndicate/kenzer-templates

Trust: 0.1

sources: VULMON: CVE-2021-43495 // JVNDB: JVNDB-2021-015156

EXTERNAL IDS

db: NVD, id: CVE-2021-43495

Trust: 3.9

db: JVNDB, id: JVNDB-2021-015156

Trust: 0.8

db: CNVD, id: CNVD-2022-10717

Trust: 0.6

db: CNNVD, id: CNNVD-202111-1486

Trust: 0.6

db: VULMON, id: CVE-2021-43495

Trust: 0.1

sources: CNVD: CNVD-2022-10717 // VULMON: CVE-2021-43495 // JVNDB: JVNDB-2021-015156 // CNNVD: CNNVD-202111-1486 // NVD: CVE-2021-43495

REFERENCES

url: https://github.com/alquistmanager/alquist/issues/43

Trust: 2.3

url: https://nvd.nist.gov/vuln/detail/cve-2021-43495

Trust: 1.4

url: https://cwe.mitre.org/data/definitions/22.html

Trust: 0.1

url: https://nvd.nist.gov

Trust: 0.1

url: https://github.com/arpsyndicate/kenzer-templates

Trust: 0.1

sources: CNVD: CNVD-2022-10717 // VULMON: CVE-2021-43495 // JVNDB: JVNDB-2021-015156 // CNNVD: CNNVD-202111-1486 // NVD: CVE-2021-43495

SOURCES

db: CNVD, id: CNVD-2022-10717
db: VULMON, id: CVE-2021-43495
db: JVNDB, id: JVNDB-2021-015156
db: CNNVD, id: CNNVD-202111-1486
db: NVD, id: CVE-2021-43495

LAST UPDATE DATE

2024-08-14T14:55:45.562000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2022-10717, date: 2022-02-16T00:00:00
db: VULMON, id: CVE-2021-43495, date: 2021-11-18T00:00:00
db: JVNDB, id: JVNDB-2021-015156, date: 2022-11-10T07:16:00
db: CNNVD, id: CNNVD-202111-1486, date: 2021-11-25T00:00:00
db: NVD, id: CVE-2021-43495, date: 2021-11-18T03:49:19.727

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2022-10717, date: 2022-02-16T00:00:00
db: VULMON, id: CVE-2021-43495, date: 2021-11-15T00:00:00
db: JVNDB, id: JVNDB-2021-015156, date: 2022-11-10T00:00:00
db: CNNVD, id: CNNVD-202111-1486, date: 2021-11-15T00:00:00
db: NVD, id: CVE-2021-43495, date: 2021-11-15T13:15:07.663