CVE-2021-22549 - OpenCVE

An attacker can modify the address to point to trusted memory to overwrite arbitrary trusted memory. It is recommended to update past 0.6.2 or git commit https://github.com/google/asylo/commit/53ed5d8fd8118ced1466e509606dd2f473707a5c

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact Low

User Interaction None

No CVSS v3.0

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:L/AC:L/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Google	Asylo

Configuration 1 [-]

cpe:2.3:a:google:asylo:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/google/asylo/commit/ecfcd0008b6f8f63c6fa3cc1b62fcd4a52f2c0ad

History

No history.

MITRE

Status: PUBLISHED

Assigner: Google

Published: 2021-06-08T13:15:14.120892Z

Updated: 2024-09-17T02:42:42.905Z

Reserved: 2021-01-05T00:00:00

Link: CVE-2021-22549

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2021-06-08T14:15:07.747

Modified: 2022-10-25T16:16:17.173

Link: CVE-2021-22549

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Asylo", "vendor": "Google LLC", "versions": [{"lessThanOrEqual": "0.6.2", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Qinkun Bao (Baidu Security)"}, {"lang": "en", "value": "Zhaofeng Chen (Baidu Security)"}, {"lang": "en", "value": "Mingshen Sun (Baidu Security)"}, {"lang": "en", "value": "Kang Li (Baidu Security)"}], "datePublic": "2021-03-12T00:00:00", "descriptions": [{"lang": "en", "value": "An attacker can modify the address to point to trusted memory to overwrite arbitrary trusted memory. It is recommended to update past 0.6.2 or git commit https://github.com/google/asylo/commit/53ed5d8fd8118ced1466e509606dd2f473707a5c"}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-823", "description": "CWE-823 Use of Out-of-range Pointer Offset", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-06-08T13:15:14", "orgId": "14ed7db2-1595-443d-9d34-6215bf890778", "shortName": "Google"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/google/asylo/commit/ecfcd0008b6f8f63c6fa3cc1b62fcd4a52f2c0ad"}], "source": {"discovery": "EXTERNAL"}, "title": "Arbitrary enclave memory overwrite vulnerability in Asylo TrustedPrimitives::UntrustedCall", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@google.com", "DATE_PUBLIC": "2021-03-12T11:00:00.000Z", "ID": "CVE-2021-22549", "STATE": "PUBLIC", "TITLE": "Arbitrary enclave memory overwrite vulnerability in Asylo TrustedPrimitives::UntrustedCall"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Asylo", "version": {"version_data": [{"version_affected": "<=", "version_value": "0.6.2"}]}}]}, "vendor_name": "Google LLC"}]}}, "credit": [{"lang": "eng", "value": "Qinkun Bao (Baidu Security)"}, {"lang": "eng", "value": "Zhaofeng Chen (Baidu Security)"}, {"lang": "eng", "value": "Mingshen Sun (Baidu Security)"}, {"lang": "eng", "value": "Kang Li (Baidu Security)"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An attacker can modify the address to point to trusted memory to overwrite arbitrary trusted memory. It is recommended to update past 0.6.2 or git commit https://github.com/google/asylo/commit/53ed5d8fd8118ced1466e509606dd2f473707a5c"}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-823 Use of Out-of-range Pointer Offset"}]}]}, "references": {"reference_data": [{"name": "https://github.com/google/asylo/commit/ecfcd0008b6f8f63c6fa3cc1b62fcd4a52f2c0ad", "refsource": "MISC", "url": "https://github.com/google/asylo/commit/ecfcd0008b6f8f63c6fa3cc1b62fcd4a52f2c0ad"}]}, "source": {"discovery": "EXTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T18:44:13.701Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/google/asylo/commit/ecfcd0008b6f8f63c6fa3cc1b62fcd4a52f2c0ad"}]}]}, "cveMetadata": {"assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778", "assignerShortName": "Google", "cveId": "CVE-2021-22549", "datePublished": "2021-06-08T13:15:14.120892Z", "dateReserved": "2021-01-05T00:00:00", "dateUpdated": "2024-09-17T02:42:42.905Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:google:asylo:*:*:*:*:*:*:*:*", "matchCriteriaId": "2615C1EA-2906-4CF3-ADD5-D4719F441060", "versionEndExcluding": "0.6.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An attacker can modify the address to point to trusted memory to overwrite arbitrary trusted memory. It is recommended to update past 0.6.2 or git commit https://github.com/google/asylo/commit/53ed5d8fd8118ced1466e509606dd2f473707a5c"}, {"lang": "es", "value": "Un atacante puede modificar la direcci\u00f3n para que apunte a la memoria confiable para sobrescribir la memoria confiable arbitraria. Se recomienda actualizar a partir de la versi\u00f3n 0.6.2 o del commit de git https://github.com/google/asylo/commit/53ed5d8fd8118ced1466e509606dd2f473707a5c"}], "id": "CVE-2021-22549", "lastModified": "2022-10-25T16:16:17.173", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.6, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 1.0, "impactScore": 5.5, "source": "cve-coordination@google.com", "type": "Secondary"}]}, "published": "2021-06-08T14:15:07.747", "references": [{"source": "cve-coordination@google.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/google/asylo/commit/ecfcd0008b6f8f63c6fa3cc1b62fcd4a52f2c0ad"}], "sourceIdentifier": "cve-coordination@google.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-668"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-823"}], "source": "cve-coordination@google.com", "type": "Secondary"}]}