CVE-2021-37105 - OpenCVE

There is an improper file upload control vulnerability in FusionCompute 6.5.0, 6.5.1 and 8.0.0. Due to the improper verification of file to be uploaded and does not strictly restrict the file access path, attackers may upload malicious files to the device, resulting in the service abnormal.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

AV:N/AC:M/Au:N/C:N/I:N/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Huawei	Fusioncompute

Configuration 1 [-]

OR	cpe:2.3:a:huawei:fusioncompute:6.5.0:::::::*
	cpe:2.3:a:huawei:fusioncompute:6.5.1:::::::*
	cpe:2.3:a:huawei:fusioncompute:8.0.0:::::::*

References

Link	Resource
https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20210922-01-upload-en	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: huawei

Published: 2021-09-28T14:03:53

Updated: 2021-09-28T14:03:53

Reserved: 2021-07-20T00:00:00

Link: CVE-2021-37105

JSON object: View

NVD Information

Status : Analyzed

Published: 2021-09-28T15:15:07.457

Modified: 2021-10-06T19:10:19.910

Link: CVE-2021-37105

JSON object: View

Redhat Information

No data.

CWE

CWE-434

{"containers": {"cna": {"affected": [{"product": "FusionCompute", "vendor": "n/a", "versions": [{"status": "affected", "version": "6.5.0,6.5.1,8.0.0"}]}], "descriptions": [{"lang": "en", "value": "There is an improper file upload control vulnerability in FusionCompute 6.5.0, 6.5.1 and 8.0.0. Due to the improper verification of file to be uploaded and does not strictly restrict the file access path, attackers may upload malicious files to the device, resulting in the service abnormal."}], "problemTypes": [{"descriptions": [{"description": "Improper File Upload Control", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-09-28T14:03:53", "orgId": "25ac1063-e409-4190-8079-24548c77ea2e", "shortName": "huawei"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20210922-01-upload-en"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "psirt@huawei.com", "ID": "CVE-2021-37105", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "FusionCompute", "version": {"version_data": [{"version_value": "6.5.0,6.5.1,8.0.0"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "There is an improper file upload control vulnerability in FusionCompute 6.5.0, 6.5.1 and 8.0.0. Due to the improper verification of file to be uploaded and does not strictly restrict the file access path, attackers may upload malicious files to the device, resulting in the service abnormal."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Improper File Upload Control"}]}]}, "references": {"reference_data": [{"name": "https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20210922-01-upload-en", "refsource": "MISC", "url": "https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20210922-01-upload-en"}]}}}}, "cveMetadata": {"assignerOrgId": "25ac1063-e409-4190-8079-24548c77ea2e", "assignerShortName": "huawei", "cveId": "CVE-2021-37105", "datePublished": "2021-09-28T14:03:53", "dateReserved": "2021-07-20T00:00:00", "dateUpdated": "2021-09-28T14:03:53", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:huawei:fusioncompute:6.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "EB149F98-77DF-40C3-A307-21D7B9BCB6DA", "vulnerable": true}, {"criteria": "cpe:2.3:a:huawei:fusioncompute:6.5.1:*:*:*:*:*:*:*", "matchCriteriaId": "916284A3-6895-4F2C-9426-240F4EB7336F", "vulnerable": true}, {"criteria": "cpe:2.3:a:huawei:fusioncompute:8.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "5D251AD0-6227-4190-815F-B526F40D8A43", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "There is an improper file upload control vulnerability in FusionCompute 6.5.0, 6.5.1 and 8.0.0. Due to the improper verification of file to be uploaded and does not strictly restrict the file access path, attackers may upload malicious files to the device, resulting in the service abnormal."}, {"lang": "es", "value": "Se presenta una vulnerabilidad de control de carga de archivos inapropiada en FusionCompute versiones 6.5.0, 6.5.1 y 8.0.0. Debido a una comprobaci\u00f3n inapropiada del archivo que se va a subir y a que no se restringe estrictamente la ruta de acceso al archivo, unos atacantes pueden subir archivos maliciosos al dispositivo, resultando en un servicio anormal"}], "id": "CVE-2021-37105", "lastModified": "2021-10-06T19:10:19.910", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-09-28T15:15:07.457", "references": [{"source": "psirt@huawei.com", "tags": ["Vendor Advisory"], "url": "https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20210922-01-upload-en"}], "sourceIdentifier": "psirt@huawei.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-434"}], "source": "nvd@nist.gov", "type": "Primary"}]}