OpenCVE

An improper access control vulnerability in Trend Micro Apex One (on-prem and SaaS) and OfficeScan XG SP1 could allow an unauthenticated user to obtain information about the contents of a scan connection exception file.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Microsoft	Windows
Trendmicro	Apex One Officescan

Configuration 1 [-]

AND

OR	cpe:2.3:a:trendmicro:apex_one:2019:::::::*
	cpe:2.3:a:trendmicro:officescan:xg:sp1::::::

cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://success.trendmicro.com/solution/000284202
https://success.trendmicro.com/solution/000284205
https://www.zerodayinitiative.com/advisories/ZDI-21-105/

History

No history.

MITRE

Status: PUBLISHED

Assigner: trendmicro

Published: 2021-02-04T19:36:39

Updated: 2024-08-03T19:56:11.074Z

Reserved: 2021-01-15T00:00:00

Link: CVE-2021-25230

Vulnrichment

No data.

NVD

Status : Modified

Published: 2021-02-04T20:15:13.140

Modified: 2024-11-21T05:54:35.490

Link: CVE-2021-25230

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Trend Micro Apex One", "vendor": "Trend Micro", "versions": [{"status": "affected", "version": "2019, SaaS"}]}, {"product": "Trend Micro OfficeScan", "vendor": "Trend Micro", "versions": [{"status": "affected", "version": "XG SP1"}]}], "descriptions": [{"lang": "en", "value": "An improper access control vulnerability in Trend Micro Apex One (on-prem and SaaS) and OfficeScan XG SP1 could allow an unauthenticated user to obtain information about the contents of a scan connection exception file."}], "problemTypes": [{"descriptions": [{"description": "Improper Access Control Information Disclosure", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-02-04T19:36:39", "orgId": "7f7bd7df-cffe-4fdb-ab6d-859363b89272", "shortName": "trendmicro"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://success.trendmicro.com/solution/000284202"}, {"tags": ["x_refsource_MISC"], "url": "https://success.trendmicro.com/solution/000284205"}, {"tags": ["x_refsource_MISC"], "url": "https://www.zerodayinitiative.com/advisories/ZDI-21-105/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@trendmicro.com", "ID": "CVE-2021-25230", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Trend Micro Apex One", "version": {"version_data": [{"version_value": "2019, SaaS"}]}}, {"product_name": "Trend Micro OfficeScan", "version": {"version_data": [{"version_value": "XG SP1"}]}}]}, "vendor_name": "Trend Micro"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An improper access control vulnerability in Trend Micro Apex One (on-prem and SaaS) and OfficeScan XG SP1 could allow an unauthenticated user to obtain information about the contents of a scan connection exception file."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Improper Access Control Information Disclosure"}]}]}, "references": {"reference_data": [{"name": "https://success.trendmicro.com/solution/000284202", "refsource": "MISC", "url": "https://success.trendmicro.com/solution/000284202"}, {"name": "https://success.trendmicro.com/solution/000284205", "refsource": "MISC", "url": "https://success.trendmicro.com/solution/000284205"}, {"name": "https://www.zerodayinitiative.com/advisories/ZDI-21-105/", "refsource": "MISC", "url": "https://www.zerodayinitiative.com/advisories/ZDI-21-105/"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T19:56:11.074Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://success.trendmicro.com/solution/000284202"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://success.trendmicro.com/solution/000284205"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.zerodayinitiative.com/advisories/ZDI-21-105/"}]}]}, "cveMetadata": {"assignerOrgId": "7f7bd7df-cffe-4fdb-ab6d-859363b89272", "assignerShortName": "trendmicro", "cveId": "CVE-2021-25230", "datePublished": "2021-02-04T19:36:39", "dateReserved": "2021-01-15T00:00:00", "dateUpdated": "2024-08-03T19:56:11.074Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:trendmicro:apex_one:2019:*:*:*:*:*:*:*", "matchCriteriaId": "AF019D2D-C426-4D2D-A254-442CE777B41E", "vulnerable": true}, {"criteria": "cpe:2.3:a:trendmicro:officescan:xg:sp1:*:*:*:*:*:*", "matchCriteriaId": "64600B42-4884-41F2-A683-AE1EDB79372E", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "An improper access control vulnerability in Trend Micro Apex One (on-prem and SaaS) and OfficeScan XG SP1 could allow an unauthenticated user to obtain information about the contents of a scan connection exception file."}, {"lang": "es", "value": "Una vulnerabilidad de control de acceso inapropiado en Trend Micro Apex One (on premises y SaaS) y OfficeScan XG SP1, podr\u00eda permitir a un usuario no autenticado obtener informaci\u00f3n sobre el contenido de un archivo de excepci\u00f3n de conexi\u00f3n de escaneo"}], "id": "CVE-2021-25230", "lastModified": "2024-11-21T05:54:35.490", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-02-04T20:15:13.140", "references": [{"source": "security@trendmicro.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://success.trendmicro.com/solution/000284202"}, {"source": "security@trendmicro.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://success.trendmicro.com/solution/000284205"}, {"source": "security@trendmicro.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://www.zerodayinitiative.com/advisories/ZDI-21-105/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Vendor Advisory"], "url": "https://success.trendmicro.com/solution/000284202"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Vendor Advisory"], "url": "https://success.trendmicro.com/solution/000284205"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://www.zerodayinitiative.com/advisories/ZDI-21-105/"}], "sourceIdentifier": "security@trendmicro.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}