Details of VAR-202106-0617

ID

VAR-202106-0617

CVE

CVE-2021-22361

TITLE

eCNS280 and eSE620X vESS Authentication Vulnerability in Microsoft

Trust: 0.8

sources: JVNDB: JVNDB-2021-008569

DESCRIPTION

There is an improper authorization vulnerability in eCNS280 V100R005C00, V100R005C10 and eSE620X vESS V100R001C10SPC200, V100R001C20SPC200. A file access is not authorized correctly. Attacker with low access may launch privilege escalation in a specific scenario. This may compromise the normal service. eCNS280 and eSE620X vESS Contains an improper authentication vulnerability.Information is obtained, information is tampered with, and service is disrupted (DoS) It may be put into a state. Huawei eCNS280_TD is the core network device of Huawei's wireless broadband trunking system. The Huawei ESE620X vESS is a virtual enterprise service controller from the Chinese company Huawei. An attacker could exploit the vulnerability to bypass the authorization process on the target system. Pillow is a Python-based image processing library. There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements

Trust: 2.7

sources: NVD: CVE-2021-22361 // JVNDB: JVNDB-2021-008569 // CNVD: CNVD-2022-20324 // CNNVD: CNNVD-202104-975

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2022-20324

AFFECTED PRODUCTS

vendor:	huawei	model:	ecns280	scope:	eq	version:	v100r005c10	Trust: 1.0
vendor:	huawei	model:	ese620x vess	scope:	eq	version:	v100r001c10spc200	Trust: 1.0
vendor:	huawei	model:	ese620x vess	scope:	eq	version:	v100r001c20spc200	Trust: 1.0
vendor:	huawei	model:	ecns280	scope:	eq	version:	v100r005c00	Trust: 1.0
vendor:	huawei	model:	ese620x vess	scope:	-	version:	-	Trust: 0.8
vendor:	huawei	model:	ecns280	scope:	-	version:	-	Trust: 0.8
vendor:	huawei	model:	ecns280 v100r005c00	scope:	-	version:	-	Trust: 0.6
vendor:	huawei	model:	ecns280 v100r005c10	scope:	-	version:	-	Trust: 0.6
vendor:	huawei	model:	ese620x vess v100r001c10spc200	scope:	-	version:	-	Trust: 0.6
vendor:	huawei	model:	ese620x vess v100r001c20spc200	scope:	-	version:	-	Trust: 0.6

sources: CNVD: CNVD-2022-20324 // JVNDB: JVNDB-2021-008569 // NVD: CVE-2021-22361

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2021-22361
value:	HIGH
Trust: 1.0
NVD:	CVE-2021-22361
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2022-20324
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-202105-1354
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-202104-975
value:	MEDIUM
Trust: 0.6

nvd@nist.gov:	CVE-2021-22361
severity:	MEDIUM
baseScore:	4.6
vectorString:	AV:L/AC:L/AU:N/C:P/I:P/A:P
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	3.9
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2022-20324
severity:	MEDIUM
baseScore:	4.6
vectorString:	AV:L/AC:L/AU:N/C:P/I:P/A:P
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	3.9
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2021-22361
baseSeverity:	HIGH
baseScore:	7.8
vectorString:	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	1.8
impactScore:	5.9
version:	3.1
Trust: 1.0
NVD:	CVE-2021-22361
baseSeverity:	HIGH
baseScore:	7.8
vectorString:	CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2022-20324 // JVNDB: JVNDB-2021-008569 // CNNVD: CNNVD-202105-1354 // CNNVD: CNNVD-202104-975 // NVD: CVE-2021-22361

PROBLEMTYPE DATA

problemtype:	NVD-CWE-Other	Trust: 1.0
problemtype:	Bad authentication (CWE-863) [NVD Evaluation ]	Trust: 0.8

sources: JVNDB: JVNDB-2021-008569 // NVD: CVE-2021-22361

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-202105-1354

TYPE

other

Trust: 1.2

sources: CNNVD: CNNVD-202105-1354 // CNNVD: CNNVD-202104-975

PATCH

title:	huawei-sa-20210519-02-cgp	url:	https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20210519-02-cgp-en	Trust: 0.8
title:	Patch for Huawei eCNS280_TD and ESE620X vESS authorization issue vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/326166	Trust: 0.6
title:	Huawei eCNS280 Remediation measures for authorization problem vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=155518	Trust: 0.6

sources: CNVD: CNVD-2022-20324 // JVNDB: JVNDB-2021-008569 // CNNVD: CNNVD-202105-1354

EXTERNAL IDS

db:	NVD	id:	CVE-2021-22361	Trust: 3.8
db:	JVNDB	id:	JVNDB-2021-008569	Trust: 0.8
db:	CNVD	id:	CNVD-2022-20324	Trust: 0.6
db:	CS-HELP	id:	SB2021052113	Trust: 0.6
db:	CNNVD	id:	CNNVD-202105-1354	Trust: 0.6
db:	CS-HELP	id:	SB2021041363	Trust: 0.6
db:	CNNVD	id:	CNNVD-202104-975	Trust: 0.6

sources: CNVD: CNVD-2022-20324 // JVNDB: JVNDB-2021-008569 // CNNVD: CNNVD-202105-1354 // CNNVD: CNNVD-202104-975 // NVD: CVE-2021-22361

REFERENCES

url:	https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20210519-02-cgp-en	Trust: 1.6
url:	https://nvd.nist.gov/vuln/detail/cve-2021-22361	Trust: 1.4
url:	https://www.cybersecurity-help.cz/vdb/sb2021052113	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2021041363	Trust: 0.6

sources: CNVD: CNVD-2022-20324 // JVNDB: JVNDB-2021-008569 // CNNVD: CNNVD-202105-1354 // CNNVD: CNNVD-202104-975 // NVD: CVE-2021-22361

SOURCES

db:	CNVD	id:	CNVD-2022-20324
db:	JVNDB	id:	JVNDB-2021-008569
db:	CNNVD	id:	CNNVD-202105-1354
db:	CNNVD	id:	CNNVD-202104-975
db:	NVD	id:	CVE-2021-22361

LAST UPDATE DATE

2024-08-14T13:05:20.278000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2022-20324	date:	2022-03-17T00:00:00
db:	JVNDB	id:	JVNDB-2021-008569	date:	2022-03-18T09:13:00
db:	CNNVD	id:	CNNVD-202105-1354	date:	2022-05-06T00:00:00
db:	CNNVD	id:	CNNVD-202104-975	date:	2021-04-14T00:00:00
db:	NVD	id:	CVE-2021-22361	date:	2022-05-03T16:04:40.443

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2022-20324	date:	2022-03-17T00:00:00
db:	JVNDB	id:	JVNDB-2021-008569	date:	2022-03-18T00:00:00
db:	CNNVD	id:	CNNVD-202105-1354	date:	2021-05-21T00:00:00
db:	CNNVD	id:	CNNVD-202104-975	date:	2021-04-13T00:00:00
db:	NVD	id:	CVE-2021-22361	date:	2021-06-22T18:15:07.960