ID

VAR-202111-1838


CVE

CVE-2021-36317


TITLE

Vulnerability regarding insufficient protection of authentication information in Dell EMC Avamar Server

Trust: 0.8

sources: JVNDB: JVNDB-2021-017060

DESCRIPTION

Dell EMC Avamar Server version 19.4 contains a plain-text password storage vulnerability in AvInstaller. A local attacker could potentially exploit this vulnerability, leading to the disclosure of certain user credentials. The attacker may be able to use the exposed credentials to access the vulnerable application with privileges of the compromised account.

Dell EMC Avamar Server contains a vulnerability involving inadequate protection of credentials. Information may be obtained or tampered with, and service operation may be interrupted (DoS).

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 202210-09
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
    Title: Rust: Multiple Vulnerabilities
     Date: October 16, 2022
     Bugs: #870166, #831638, #821157, #807052, #782367
       ID: 202210-09

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in Rust, the worst of which could result in denial of service.

Background
==========

A systems programming language that runs blazingly fast, prevents segfaults, and guarantees thread safety.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  dev-lang/rust               < 1.63.0-r1              >= 1.63.0-r1
  2  dev-lang/rust-bin           < 1.64.0                 >= 1.64.0

Description
===========

Multiple vulnerabilities have been discovered in Rust. Please review the CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Rust users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-lang/rust-1.63.0-r1"

All Rust binary users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-lang/rust-bin-1.64.0"

In addition, users using Portage 3.0.38 or later should ensure that packages with Rust binaries have no vulnerable code statically linked into their binaries by rebuilding the @rust-rebuild set:

  # emerge --ask --oneshot --verbose @rust-rebuild

References
==========

[ 1 ] CVE-2021-28875
      https://nvd.nist.gov/vuln/detail/CVE-2021-28875
[ 2 ] CVE-2021-28876
      https://nvd.nist.gov/vuln/detail/CVE-2021-28876
[ 3 ] CVE-2021-28877
      https://nvd.nist.gov/vuln/detail/CVE-2021-28877
[ 4 ] CVE-2021-28878
      https://nvd.nist.gov/vuln/detail/CVE-2021-28878
[ 5 ] CVE-2021-28879
      https://nvd.nist.gov/vuln/detail/CVE-2021-28879
[ 6 ] CVE-2021-29922
      https://nvd.nist.gov/vuln/detail/CVE-2021-29922
[ 7 ] CVE-2021-31162
      https://nvd.nist.gov/vuln/detail/CVE-2021-31162
[ 8 ] CVE-2021-36317
      https://nvd.nist.gov/vuln/detail/CVE-2021-36317
[ 9 ] CVE-2021-36318
      https://nvd.nist.gov/vuln/detail/CVE-2021-36318
[ 10 ] CVE-2021-42574
      https://nvd.nist.gov/vuln/detail/CVE-2021-42574
[ 11 ] CVE-2021-42694
      https://nvd.nist.gov/vuln/detail/CVE-2021-42694
[ 12 ] CVE-2022-21658
      https://nvd.nist.gov/vuln/detail/CVE-2022-21658
[ 13 ] CVE-2022-36113
      https://nvd.nist.gov/vuln/detail/CVE-2022-36113
[ 14 ] CVE-2022-36114
      https://nvd.nist.gov/vuln/detail/CVE-2022-36114

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

 https://security.gentoo.org/glsa/202210-09

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

License
=======

Copyright 2022 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Trust: 1.89

sources: NVD: CVE-2021-36317 // JVNDB: JVNDB-2021-017060 // VULHUB: VHN-398201 // VULMON: CVE-2021-36317 // PACKETSTORM: 168756

AFFECTED PRODUCTS

vendor: dell, model: emc powerprotect data protection appliance, scope: eq, version: 2.7

Trust: 1.0

vendor: dell, model: emc avamar server, scope: eq, version: 19.4

Trust: 1.0

vendor: Dell, model: dell emc powerprotect data protection appliance, scope: -, version: -

Trust: 0.8

vendor: Dell, model: dell emc avamar server, scope: -, version: -

Trust: 0.8

sources: JVNDB: JVNDB-2021-017060 // NVD: CVE-2021-36317

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2021-36317
value: MEDIUM

Trust: 1.0

security_alert@emc.com: CVE-2021-36317
value: MEDIUM

Trust: 1.0

NVD: CVE-2021-36317
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-202111-980
value: MEDIUM

Trust: 0.6

VULHUB: VHN-398201
value: LOW

Trust: 0.1

VULMON: CVE-2021-36317
value: LOW

Trust: 0.1

nvd@nist.gov: CVE-2021-36317
severity: LOW
baseScore: 2.1
vectorString: AV:L/AC:L/AU:N/C:P/I:N/A:N
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

VULHUB: VHN-398201
severity: LOW
baseScore: 2.1
vectorString: AV:L/AC:L/AU:N/C:P/I:N/A:N
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2021-36317
baseSeverity: MEDIUM
baseScore: 6.7
vectorString: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 0.8
impactScore: 5.9
version: 3.1

Trust: 2.0

OTHER: JVNDB-2021-017060
baseSeverity: MEDIUM
baseScore: 6.7
vectorString: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-398201 // VULMON: CVE-2021-36317 // JVNDB: JVNDB-2021-017060 // CNNVD: CNNVD-202111-980 // NVD: CVE-2021-36317 // NVD: CVE-2021-36317

PROBLEMTYPE DATA

problemtype:CWE-256

Trust: 1.1

problemtype:CWE-522

Trust: 1.1

problemtype:Inadequate protection of credentials (CWE-522) [NVD evaluation]

Trust: 0.8

sources: VULHUB: VHN-398201 // JVNDB: JVNDB-2021-017060 // NVD: CVE-2021-36317

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-202111-980

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202111-980

PATCH

title: DSA-2021-204, url: https://www.dell.com/support/kbdoc/000193369

Trust: 0.8

sources: JVNDB: JVNDB-2021-017060

EXTERNAL IDS

db: NVD, id: CVE-2021-36317

Trust: 3.5

db: PACKETSTORM, id: 168756

Trust: 0.8

db: JVNDB, id: JVNDB-2021-017060

Trust: 0.8

db: CNNVD, id: CNNVD-202111-980

Trust: 0.6

db: VULHUB, id: VHN-398201

Trust: 0.1

db: VULMON, id: CVE-2021-36317

Trust: 0.1

sources: VULHUB: VHN-398201 // VULMON: CVE-2021-36317 // JVNDB: JVNDB-2021-017060 // PACKETSTORM: 168756 // CNNVD: CNNVD-202111-980 // NVD: CVE-2021-36317

REFERENCES

url:https://security.gentoo.org/glsa/202210-09

Trust: 1.8

url:https://www.dell.com/support/kbdoc/000193369

Trust: 1.8

url:https://nvd.nist.gov/vuln/detail/cve-2021-36317

Trust: 1.5

url:https://packetstormsecurity.com/files/168756/gentoo-linux-security-advisory-202210-09.html

Trust: 0.6

url:https://vigilance.fr/vulnerability/dell-emc-avamar-three-vulnerabilities-36846

Trust: 0.6

url:https://cwe.mitre.org/data/definitions/256.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-21658

Trust: 0.1

url:https://security.gentoo.org/

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-29922

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-28877

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-28876

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-36318

Trust: 0.1

url:https://bugs.gentoo.org

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-36113

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-28878

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-28875

Trust: 0.1

url:https://creativecommons.org/licenses/by-sa/2.5

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-28879

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-42574

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-42694

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-36114

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-31162

Trust: 0.1

sources: VULHUB: VHN-398201 // VULMON: CVE-2021-36317 // JVNDB: JVNDB-2021-017060 // PACKETSTORM: 168756 // CNNVD: CNNVD-202111-980 // NVD: CVE-2021-36317

CREDITS

Gentoo

Trust: 0.1

sources: PACKETSTORM: 168756

SOURCES

db: VULHUB, id: VHN-398201
db: VULMON, id: CVE-2021-36317
db: JVNDB, id: JVNDB-2021-017060
db: PACKETSTORM, id: 168756
db: CNNVD, id: CNNVD-202111-980
db: NVD, id: CVE-2021-36317

LAST UPDATE DATE

2024-08-14T12:24:01.932000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-398201, date: 2022-11-07T00:00:00
db: VULMON, id: CVE-2021-36317, date: 2022-01-05T00:00:00
db: JVNDB, id: JVNDB-2021-017060, date: 2022-12-28T05:46:00
db: CNNVD, id: CNNVD-202111-980, date: 2022-11-08T00:00:00
db: NVD, id: CVE-2021-36317, date: 2022-11-07T18:59:28.947

SOURCES RELEASE DATE

db: VULHUB, id: VHN-398201, date: 2021-12-21T00:00:00
db: VULMON, id: CVE-2021-36317, date: 2021-12-21T00:00:00
db: JVNDB, id: JVNDB-2021-017060, date: 2022-12-28T00:00:00
db: PACKETSTORM, id: 168756, date: 2022-10-17T15:13:47
db: CNNVD, id: CNNVD-202111-980, date: 2021-11-10T00:00:00
db: NVD, id: CVE-2021-36317, date: 2021-12-21T17:15:08.047