CVE-2021-25146 - OpenCVE

A remote execution of arbitrary commands vulnerability was discovered in some Aruba Instant Access Point (IAP) products in version(s): Aruba Instant 6.5.x: 6.5.4.17 and below; Aruba Instant 8.3.x: 8.3.0.13 and below; Aruba Instant 8.5.x: 8.5.0.10 and below; Aruba Instant 8.6.x: 8.6.0.5 and below; Aruba Instant 8.7.x: 8.7.0.0 and below. Aruba has released patches for Aruba Instant that address this security vulnerability.

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

AV:N/AC:L/Au:S/C:C/I:C/A:C

Vendors & Products
CPE Configurations

Vendors	Products
Siemens	Scalance W1750d Firmware Scalance W1750d
Arubanetworks	Instant

Configuration 1 [-]

OR	cpe:2.3:o:arubanetworks:instant::::::::
	cpe:2.3:o:arubanetworks:instant::::::::
	cpe:2.3:o:arubanetworks:instant::::::::
	cpe:2.3:o:arubanetworks:instant::::::::
	cpe:2.3:o:arubanetworks:instant::::::::

Configuration 2 [-]

AND

cpe:2.3:o:siemens:scalance_w1750d_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:siemens:scalance_w1750d:-:*:*:*:*:*:*:*

References

Link	Resource
https://cert-portal.siemens.com/productcert/pdf/ssa-723417.pdf	Patch Third Party Advisory
https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2021-007.txt	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: hpe

Published: 2021-03-30T00:09:16

Updated: 2021-05-11T12:06:45

Reserved: 2021-01-14T00:00:00

Link: CVE-2021-25146

JSON object: View

NVD Information

Status : Analyzed

Published: 2021-03-30T01:15:12.737

Modified: 2022-06-28T14:11:45.273

Link: CVE-2021-25146

JSON object: View

Redhat Information

No data.

CWE

CWE-78

{"containers": {"cna": {"affected": [{"product": "Aruba Instant Access Points", "vendor": "n/a", "versions": [{"status": "affected", "version": "Aruba Instant 6.5.x: 6.5.4.17 and below"}, {"status": "affected", "version": "Aruba Instant 8.3.x: 8.3.0.13 and below"}, {"status": "affected", "version": "Aruba Instant 8.5.x: 8.5.0.10 and below"}, {"status": "affected", "version": "Aruba Instant 8.6.x: 8.6.0.5 and below"}, {"status": "affected", "version": "Aruba Instant 8.7.x: 8.7.0.0 and below"}]}], "descriptions": [{"lang": "en", "value": "A remote execution of arbitrary commands vulnerability was discovered in some Aruba Instant Access Point (IAP) products in version(s): Aruba Instant 6.5.x: 6.5.4.17 and below; Aruba Instant 8.3.x: 8.3.0.13 and below; Aruba Instant 8.5.x: 8.5.0.10 and below; Aruba Instant 8.6.x: 8.6.0.5 and below; Aruba Instant 8.7.x: 8.7.0.0 and below. Aruba has released patches for Aruba Instant that address this security vulnerability."}], "problemTypes": [{"descriptions": [{"description": "remote execution of arbitrary commands", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-05-11T12:06:45", "orgId": "eb103674-0d28-4225-80f8-39fb86215de0", "shortName": "hpe"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2021-007.txt"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-723417.pdf"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-alert@hpe.com", "ID": "CVE-2021-25146", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Aruba Instant Access Points", "version": {"version_data": [{"version_value": "Aruba Instant 6.5.x: 6.5.4.17 and below"}, {"version_value": "Aruba Instant 8.3.x: 8.3.0.13 and below"}, {"version_value": "Aruba Instant 8.5.x: 8.5.0.10 and below"}, {"version_value": "Aruba Instant 8.6.x: 8.6.0.5 and below"}, {"version_value": "Aruba Instant 8.7.x: 8.7.0.0 and below"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A remote execution of arbitrary commands vulnerability was discovered in some Aruba Instant Access Point (IAP) products in version(s): Aruba Instant 6.5.x: 6.5.4.17 and below; Aruba Instant 8.3.x: 8.3.0.13 and below; Aruba Instant 8.5.x: 8.5.0.10 and below; Aruba Instant 8.6.x: 8.6.0.5 and below; Aruba Instant 8.7.x: 8.7.0.0 and below. Aruba has released patches for Aruba Instant that address this security vulnerability."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "remote execution of arbitrary commands"}]}]}, "references": {"reference_data": [{"name": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2021-007.txt", "refsource": "MISC", "url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2021-007.txt"}, {"name": "https://cert-portal.siemens.com/productcert/pdf/ssa-723417.pdf", "refsource": "CONFIRM", "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-723417.pdf"}]}}}}, "cveMetadata": {"assignerOrgId": "eb103674-0d28-4225-80f8-39fb86215de0", "assignerShortName": "hpe", "cveId": "CVE-2021-25146", "datePublished": "2021-03-30T00:09:16", "dateReserved": "2021-01-14T00:00:00", "dateUpdated": "2021-05-11T12:06:45", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:arubanetworks:instant:*:*:*:*:*:*:*:*", "matchCriteriaId": "240DF132-2037-44E6-B064-D0C482B8F2E9", "versionEndExcluding": "6.5.4.18", "versionStartIncluding": "6.5.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:o:arubanetworks:instant:*:*:*:*:*:*:*:*", "matchCriteriaId": "28CAD6E6-4324-444F-9D12-B35D3D08AEDC", "versionEndExcluding": "8.3.0.14", "versionStartIncluding": "8.3.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:o:arubanetworks:instant:*:*:*:*:*:*:*:*", "matchCriteriaId": "F054DF3E-94DE-4FAF-8BC4-E89176651310", "versionEndExcluding": "8.5.0.11", "versionStartIncluding": "8.5.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:o:arubanetworks:instant:*:*:*:*:*:*:*:*", "matchCriteriaId": "CB92B04F-DD65-42BA-9931-FF86427FBC5A", "versionEndExcluding": "8.6.0.6", "versionStartIncluding": "8.6.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:o:arubanetworks:instant:*:*:*:*:*:*:*:*", "matchCriteriaId": "F0E5DE06-241B-4A83-B0A8-0CEF0D5D825F", "versionEndExcluding": "8.7.1.0", "versionStartIncluding": "8.7.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:siemens:scalance_w1750d_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "DDC134F8-5D6A-4D37-9BC7-CA0C772F8823", "versionEndExcluding": "8.7.1.3", "versionStartIncluding": "8.7.0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:siemens:scalance_w1750d:-:*:*:*:*:*:*:*", "matchCriteriaId": "FBC30055-239F-4BB1-B2D1-E5E35F0D8911", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "A remote execution of arbitrary commands vulnerability was discovered in some Aruba Instant Access Point (IAP) products in version(s): Aruba Instant 6.5.x: 6.5.4.17 and below; Aruba Instant 8.3.x: 8.3.0.13 and below; Aruba Instant 8.5.x: 8.5.0.10 and below; Aruba Instant 8.6.x: 8.6.0.5 and below; Aruba Instant 8.7.x: 8.7.0.0 and below. Aruba has released patches for Aruba Instant that address this security vulnerability."}, {"lang": "es", "value": "Se detect\u00f3 una vulnerabilidad de ejecuci\u00f3n remota de comandos arbitrarios en algunos productos Aruba Instant Access Point (IAP) en versiones: Aruba Instant versiones 6.5.x: 6.5.4.17 y anteriores; Aruba Instant versiones 8.3.x: 8.3.0.13 y anteriores; Aruba Instant versiones 8.5.x: 8.5.0.10 y anteriores; Aruba Instant versiones 8.6.x: 8.6.0.5 y anteriores; Aruba Instant versiones 8.7.x: 8.7.0.0 y anteriores. Aruba ha lanzado parches para Aruba Instant que abordan esta vulnerabilidad de seguridad."}], "id": "CVE-2021-25146", "lastModified": "2022-06-28T14:11:45.273", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "COMPLETE", "baseScore": 9.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-03-30T01:15:12.737", "references": [{"source": "security-alert@hpe.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-723417.pdf"}, {"source": "security-alert@hpe.com", "tags": ["Vendor Advisory"], "url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2021-007.txt"}], "sourceIdentifier": "security-alert@hpe.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "nvd@nist.gov", "type": "Primary"}]}