CVE-2021-22685 - Vulnerability Details - OpenCVE

An attacker may be able to use minify route with a relative path to view any file on the Cassia Networks Access Controller prior to 2.0.1.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Cassianetworks	Access Controller

Configuration 1 [-]

cpe:2.3:a:cassianetworks:access_controller:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://www.cassianetworks.com/support/knowledge-base/
https://www.cisa.gov/uscert/ics/advisories/icsa-21-119-02

History

No history.

MITRE

Status: PUBLISHED

Assigner: icscert

Published: 2022-10-14T00:00:00

Updated: 2024-08-03T18:51:07.052Z

Reserved: 2021-01-05T00:00:00

Link: CVE-2021-22685

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-10-14T17:15:10.390

Modified: 2024-11-21T05:50:28.590

Link: CVE-2021-22685

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2021-22685", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "dateUpdated": "2024-08-03T18:51:07.052Z", "dateReserved": "2021-01-05T00:00:00", "datePublished": "2022-10-14T00:00:00"}, "containers": {"cna": {"title": "Cassia Networks Access Controller Path Traversal", "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2022-10-14T00:00:00"}, "descriptions": [{"lang": "en", "value": "An attacker may be able to use minify route with a relative path to view any file on the Cassia Networks Access Controller prior to 2.0.1."}], "affected": [{"vendor": "Cassia Networks", "product": "Access Controller", "versions": [{"version": "unspecified", "lessThan": "2.0.1", "status": "affected", "versionType": "custom"}]}], "references": [{"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-119-02"}, {"url": "https://www.cassianetworks.com/support/knowledge-base/"}], "credits": [{"lang": "en", "value": "Amir Preminger and Sharon Brizinov of Claroty reported this vulnerability to CISA."}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 6.2, "baseSeverity": "MEDIUM"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "cweId": "CWE-22"}]}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "source": {"discovery": "EXTERNAL"}, "solutions": [{"lang": "en", "value": "Cassia Networks has released a patch (https://www.cassianetworks.com/support/knowledge-base/) that mitigates the reported vulnerability."}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T18:51:07.052Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-119-02", "tags": ["x_transferred"]}, {"url": "https://www.cassianetworks.com/support/knowledge-base/", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:cassianetworks:access_controller:*:*:*:*:*:*:*:*", "matchCriteriaId": "0A3360C3-90D1-4B4B-AC80-7C5F3D864ED2", "versionEndExcluding": "2.0.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An attacker may be able to use minify route with a relative path to view any file on the Cassia Networks Access Controller prior to 2.0.1."}, {"lang": "es", "value": "Un atacante puede ser capaz de usar minify route con una ruta relativa para visualizar cualquier archivo en Cassia Networks Access Controller versiones anteriores a 2.0.1"}], "id": "CVE-2021-22685", "lastModified": "2024-11-21T05:50:28.590", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 6.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.5, "impactScore": 3.6, "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-10-14T17:15:10.390", "references": [{"source": "ics-cert@hq.dhs.gov", "tags": ["Vendor Advisory"], "url": "https://www.cassianetworks.com/support/knowledge-base/"}, {"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-119-02"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://www.cassianetworks.com/support/knowledge-base/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-119-02"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}]}