CVE-2021-42787 - OpenCVE

It was discovered that the SteelCentral AppInternals Dynamic Sampling Agent's (DSA) AgentConfigurationServlet has directory traversal vulnerabilities at the "/api/appInternals/1.0/agent/configuration" API. The affected endpoint does not have any input validation of the user's input that allows a malicious payload to be injected.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:N/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Riverbed	Steelcentral Appinternals Dynamic Sampling Agent

Configuration 1 [-]

OR	cpe:2.3:a:riverbed:steelcentral_appinternals_dynamic_sampling_agent::::::::
	cpe:2.3:a:riverbed:steelcentral_appinternals_dynamic_sampling_agent::::::::
	cpe:2.3:a:riverbed:steelcentral_appinternals_dynamic_sampling_agent:10.0.0:::::::*

References

Link	Resource
https://aternity.force.com/customersuccess/s/article/Directory-Traversal-Write-Delete-Partial-Read-at-AgentConfigurationServlet-CVE-2021-42787	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: GovTech CSG

Published: 2022-02-23T00:00:00

Updated: 2022-03-09T16:51:50

Reserved: 2021-10-21T00:00:00

Link: CVE-2021-42787

JSON object: View

NVD Information

Status : Analyzed

Published: 2022-03-10T17:44:05.807

Modified: 2022-03-15T19:37:50.030

Link: CVE-2021-42787

JSON object: View

Redhat Information

No data.

CWE

{"containers": {"cna": {"affected": [{"product": "SteelCentral AppInternals Dynamic Sampling Agent", "vendor": "Aternity", "versions": [{"status": "affected", "version": "10.x"}, {"lessThan": "12.13.0", "status": "affected", "version": "12.13.0", "versionType": "custom"}, {"lessThan": "11.8.8", "status": "affected", "version": "11.8.8", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Darrel Huang, Bjorn Lim, Leng Kang Hao from Government Technology Agency of Singapore"}], "datePublic": "2022-02-23T00:00:00", "descriptions": [{"lang": "en", "value": "It was discovered that the SteelCentral AppInternals Dynamic Sampling Agent's (DSA) AgentConfigurationServlet has directory traversal vulnerabilities at the \"/api/appInternals/1.0/agent/configuration\" API. The affected endpoint does not have any input validation of the user's input that allows a malicious payload to be injected."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.4, "baseSeverity": "CRITICAL", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "description": "CWE-20 Improper Input Validation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-03-09T16:51:50", "orgId": "1a37b84a-8e51-4525-b3d6-87e2fae01dbd", "shortName": "GovTech CSG"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://aternity.force.com/customersuccess/s/article/Directory-Traversal-Write-Delete-Partial-Read-at-AgentConfigurationServlet-CVE-2021-42787"}], "source": {"discovery": "INTERNAL"}, "title": "Directory Traversal Write/Delete/Partial Read at AgentConfigurationServlet", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve_disclosure@tech.gov.sg", "DATE_PUBLIC": "2022-02-23T10:30:00.000Z", "ID": "CVE-2021-42787", "STATE": "PUBLIC", "TITLE": "Directory Traversal Write/Delete/Partial Read at AgentConfigurationServlet"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "SteelCentral AppInternals Dynamic Sampling Agent", "version": {"version_data": [{"version_affected": "<", "version_name": "12.13.0", "version_value": "12.13.0"}, {"version_affected": "<", "version_name": "11.8.8", "version_value": "11.8.8"}, {"version_affected": "=", "version_name": "10.x", "version_value": "10.x"}]}}]}, "vendor_name": "Aternity"}]}}, "credit": [{"lang": "eng", "value": "Darrel Huang, Bjorn Lim, Leng Kang Hao from Government Technology Agency of Singapore"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "It was discovered that the SteelCentral AppInternals Dynamic Sampling Agent's (DSA) AgentConfigurationServlet has directory traversal vulnerabilities at the \"/api/appInternals/1.0/agent/configuration\" API. The affected endpoint does not have any input validation of the user's input that allows a malicious payload to be injected."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.4, "baseSeverity": "CRITICAL", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-20 Improper Input Validation"}]}]}, "references": {"reference_data": [{"name": "https://aternity.force.com/customersuccess/s/article/Directory-Traversal-Write-Delete-Partial-Read-at-AgentConfigurationServlet-CVE-2021-42787", "refsource": "CONFIRM", "url": "https://aternity.force.com/customersuccess/s/article/Directory-Traversal-Write-Delete-Partial-Read-at-AgentConfigurationServlet-CVE-2021-42787"}]}, "source": {"discovery": "INTERNAL"}}}}, "cveMetadata": {"assignerOrgId": "1a37b84a-8e51-4525-b3d6-87e2fae01dbd", "assignerShortName": "GovTech CSG", "cveId": "CVE-2021-42787", "datePublished": "2022-02-23T00:00:00", "dateReserved": "2021-10-21T00:00:00", "dateUpdated": "2022-03-09T16:51:50", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:riverbed:steelcentral_appinternals_dynamic_sampling_agent:*:*:*:*:*:*:*:*", "matchCriteriaId": "FA9EBF00-4071-41C0-B05A-D942ACAB5F1A", "versionEndExcluding": "11.8.8", "versionStartIncluding": "11.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:riverbed:steelcentral_appinternals_dynamic_sampling_agent:*:*:*:*:*:*:*:*", "matchCriteriaId": "021DA9F8-778D-485D-9F4C-395A44F1DFC7", "versionEndExcluding": "12.13.0", "versionStartIncluding": "12.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:riverbed:steelcentral_appinternals_dynamic_sampling_agent:10.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "B0564060-A159-41DD-B5F0-C7212F1891E0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "It was discovered that the SteelCentral AppInternals Dynamic Sampling Agent's (DSA) AgentConfigurationServlet has directory traversal vulnerabilities at the \"/api/appInternals/1.0/agent/configuration\" API. The affected endpoint does not have any input validation of the user's input that allows a malicious payload to be injected."}, {"lang": "es", "value": "Se ha detectado que el agente de muestreo din\u00e1mico (DSA) AgentConfigurationServlet de SteelCentral AppInternals presenta vulnerabilidades salto de directorio en la API \"/api/appInternals/1.0/agent/configuration\". El endpoint afectado no presenta ninguna comprobaci\u00f3n de la entrada del usuario que permite inyectar una carga \u00fatil maliciosa"}], "id": "CVE-2021-42787", "lastModified": "2022-03-15T19:37:50.030", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.4, "baseSeverity": "CRITICAL", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.5, "source": "cve_disclosure@tech.gov.sg", "type": "Secondary"}]}, "published": "2022-03-10T17:44:05.807", "references": [{"source": "cve_disclosure@tech.gov.sg", "tags": ["Third Party Advisory"], "url": "https://aternity.force.com/customersuccess/s/article/Directory-Traversal-Write-Delete-Partial-Read-at-AgentConfigurationServlet-CVE-2021-42787"}], "sourceIdentifier": "cve_disclosure@tech.gov.sg", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-20"}], "source": "cve_disclosure@tech.gov.sg", "type": "Secondary"}]}