Details of VAR-202111-1276

ID

VAR-202111-1276

CVE

CVE-2021-37102

TITLE

FusionCompute Command injection vulnerabilities in the product

Trust: 0.8

sources: JVNDB: JVNDB-2021-015460

DESCRIPTION

There is a command injection vulnerability in CMA service module of FusionCompute product when processing the default certificate file. The software constructs part of a command using external special input from users, but the software does not sufficiently validate the user input. Successful exploit could allow the attacker to inject certain commands to the system. Affected product versions include: FusionCompute 6.0.0, 6.3.0, 6.3.1, 6.5.0, 6.5.1, 8.0.0. (DoS) It may be in a state

Trust: 1.71

sources: NVD: CVE-2021-37102 // JVNDB: JVNDB-2021-015460 // VULHUB: VHN-398939

AFFECTED PRODUCTS

vendor:	huawei	model:	fusioncompute	scope:	eq	version:	8.0.0	Trust: 1.0
vendor:	huawei	model:	fusioncompute	scope:	eq	version:	6.5.1	Trust: 1.0
vendor:	huawei	model:	fusioncompute	scope:	eq	version:	6.3.1	Trust: 1.0
vendor:	huawei	model:	fusioncompute	scope:	eq	version:	6.0.0	Trust: 1.0
vendor:	huawei	model:	fusioncompute	scope:	eq	version:	6.3.0	Trust: 1.0
vendor:	huawei	model:	fusioncompute	scope:	eq	version:	6.5.0	Trust: 1.0
vendor:	huawei	model:	fusioncompute	scope:	eq	version:	fusioncompute firmware 8.0.0	Trust: 0.8
vendor:	huawei	model:	fusioncompute	scope:	eq	version:	-	Trust: 0.8
vendor:	huawei	model:	fusioncompute	scope:	eq	version:	fusioncompute firmware 6.3.1	Trust: 0.8
vendor:	huawei	model:	fusioncompute	scope:	eq	version:	fusioncompute firmware 6.5.1	Trust: 0.8
vendor:	huawei	model:	fusioncompute	scope:	eq	version:	fusioncompute firmware 6.0.0	Trust: 0.8
vendor:	huawei	model:	fusioncompute	scope:	eq	version:	fusioncompute firmware 6.5.0	Trust: 0.8
vendor:	huawei	model:	fusioncompute	scope:	eq	version:	fusioncompute firmware 6.3.0	Trust: 0.8

sources: JVNDB: JVNDB-2021-015460 // NVD: CVE-2021-37102

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2021-37102
value:	HIGH
Trust: 1.0
NVD:	CVE-2021-37102
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-202110-595
value:	HIGH
Trust: 0.6
VULHUB:	VHN-398939
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2021-37102
severity:	HIGH
baseScore:	9.0
vectorString:	AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-398939
severity:	HIGH
baseScore:	9.0
vectorString:	AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2021-37102
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.1
Trust: 1.0
NVD:	CVE-2021-37102
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULHUB: VHN-398939 // JVNDB: JVNDB-2021-015460 // CNNVD: CNNVD-202110-595 // NVD: CVE-2021-37102

PROBLEMTYPE DATA

problemtype:	CWE-77	Trust: 1.1
problemtype:	Command injection (CWE-77) [NVD evaluation ]	Trust: 0.8

sources: VULHUB: VHN-398939 // JVNDB: JVNDB-2021-015460 // NVD: CVE-2021-37102

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202110-595

TYPE

command injection

Trust: 0.6

sources: CNNVD: CNNVD-202110-595

PATCH

title:	huawei-sa-20210922-01-cmd	url:	https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20210922-01-cmd-en	Trust: 0.8
title:	Huawei FusionCompute Fixes for command injection vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=166052	Trust: 0.6

sources: JVNDB: JVNDB-2021-015460 // CNNVD: CNNVD-202110-595

EXTERNAL IDS

db:	NVD	id:	CVE-2021-37102	Trust: 3.3
db:	JVNDB	id:	JVNDB-2021-015460	Trust: 0.8
db:	CS-HELP	id:	SB2021101104	Trust: 0.6
db:	CNNVD	id:	CNNVD-202110-595	Trust: 0.6
db:	VULHUB	id:	VHN-398939	Trust: 0.1

sources: VULHUB: VHN-398939 // JVNDB: JVNDB-2021-015460 // CNNVD: CNNVD-202110-595 // NVD: CVE-2021-37102

REFERENCES

url:	https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20210922-01-cmd-en	Trust: 1.7
url:	https://nvd.nist.gov/vuln/detail/cve-2021-37102	Trust: 1.4
url:	https://www.huawei.com/cn/psirt/security-advisories/huawei-sa-20210922-01-cmd-cn	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2021101104	Trust: 0.6

sources: VULHUB: VHN-398939 // JVNDB: JVNDB-2021-015460 // CNNVD: CNNVD-202110-595 // NVD: CVE-2021-37102

CREDITS

The vulnerability was discovered by an external researcher

Trust: 0.6

sources: CNNVD: CNNVD-202110-595

SOURCES

db:	VULHUB	id:	VHN-398939
db:	JVNDB	id:	JVNDB-2021-015460
db:	CNNVD	id:	CNNVD-202110-595
db:	NVD	id:	CVE-2021-37102

LAST UPDATE DATE

2024-08-14T13:43:09.803000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-398939	date:	2021-11-26T00:00:00
db:	JVNDB	id:	JVNDB-2021-015460	date:	2022-11-21T08:49:00
db:	CNNVD	id:	CNNVD-202110-595	date:	2021-11-30T00:00:00
db:	NVD	id:	CVE-2021-37102	date:	2021-11-26T15:56:35.777

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-398939	date:	2021-11-23T00:00:00
db:	JVNDB	id:	JVNDB-2021-015460	date:	2022-11-21T00:00:00
db:	CNNVD	id:	CNNVD-202110-595	date:	2021-10-11T00:00:00
db:	NVD	id:	CVE-2021-37102	date:	2021-11-23T16:15:09.980