CVE-2021-25654 - OpenCVE

An arbitrary code execution vulnerability was discovered in Avaya Aura Device Services that may potentially allow a local user to execute specially crafted scripts. Affects 7.0 through 8.1.4.0 versions of Avaya Aura Device Services.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact Low

User Interaction None

No CVSS v3.0

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:L/AC:L/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Avaya	Aura Device Services

Configuration 1 [-]

cpe:2.3:a:avaya:aura_device_services:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://support.avaya.com/css/P8/documents/101076523

History

No history.

MITRE

Status: PUBLISHED

Assigner: avaya

Published: 2021-06-25T20:15:12

Updated: 2024-08-03T20:11:28.332Z

Reserved: 2021-01-21T00:00:00

Link: CVE-2021-25654

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2021-06-25T21:15:07.527

Modified: 2022-08-01T12:20:42.247

Link: CVE-2021-25654

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Avaya Aura Devices Services", "vendor": "Avaya", "versions": [{"lessThanOrEqual": "8.1.4.0", "status": "affected", "version": "7.0.0", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "An arbitrary code execution vulnerability was discovered in Avaya Aura Device Services that may potentially allow a local user to execute specially crafted scripts. Affects 7.0 through 8.1.4.0 versions of Avaya Aura Device Services."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:L", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-378", "description": "CWE-378", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-06-25T20:15:12", "orgId": "9d670455-bdb5-4cca-a883-5914865f5d96", "shortName": "avaya"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://support.avaya.com/css/P8/documents/101076523"}], "source": {"advisory": "ASA-2021-088", "defect": ["PSST-1147"], "discovery": "EXTERNAL"}, "title": "Avaya Aura Device Services Arbitrary Code Execution Vulnerability", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "securityalerts@avaya.com", "ID": "CVE-2021-25654", "STATE": "PUBLIC", "TITLE": "Avaya Aura Device Services Arbitrary Code Execution Vulnerability"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Avaya Aura Devices Services", "version": {"version_data": [{"affected": "<=", "version_affected": "<=", "version_name": "7.0.0", "version_value": "8.1.4.0"}]}}]}, "vendor_name": "Avaya"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An arbitrary code execution vulnerability was discovered in Avaya Aura Device Services that may potentially allow a local user to execute specially crafted scripts. Affects 7.0 through 8.1.4.0 versions of Avaya Aura Device Services."}]}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:L", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-378"}]}]}, "references": {"reference_data": [{"name": "https://support.avaya.com/css/P8/documents/101076523", "refsource": "MISC", "url": "https://support.avaya.com/css/P8/documents/101076523"}]}, "source": {"advisory": "ASA-2021-088", "defect": ["PSST-1147"], "discovery": "EXTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T20:11:28.332Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://support.avaya.com/css/P8/documents/101076523"}]}]}, "cveMetadata": {"assignerOrgId": "9d670455-bdb5-4cca-a883-5914865f5d96", "assignerShortName": "avaya", "cveId": "CVE-2021-25654", "datePublished": "2021-06-25T20:15:12", "dateReserved": "2021-01-21T00:00:00", "dateUpdated": "2024-08-03T20:11:28.332Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:avaya:aura_device_services:*:*:*:*:*:*:*:*", "matchCriteriaId": "BE7C5DA6-FE66-4538-8AD8-1E9D1582AD18", "versionEndIncluding": "8.1.4.0", "versionStartIncluding": "7.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An arbitrary code execution vulnerability was discovered in Avaya Aura Device Services that may potentially allow a local user to execute specially crafted scripts. Affects 7.0 through 8.1.4.0 versions of Avaya Aura Device Services."}, {"lang": "es", "value": "Se ha detectado una vulnerabilidad de ejecuci\u00f3n de c\u00f3digo arbitraria en Avaya Aura Device Services, que puede permitir a un usuario local ejecutar scripts especialmente dise\u00f1ados. Afecta a versiones 7.0 hasta 8.1.4.0 de Avaya Aura Device Services"}], "id": "CVE-2021-25654", "lastModified": "2022-08-01T12:20:42.247", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.6, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 0.7, "impactScore": 5.5, "source": "securityalerts@avaya.com", "type": "Secondary"}]}, "published": "2021-06-25T21:15:07.527", "references": [{"source": "securityalerts@avaya.com", "tags": ["Vendor Advisory"], "url": "https://support.avaya.com/css/P8/documents/101076523"}], "sourceIdentifier": "securityalerts@avaya.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-378"}], "source": "securityalerts@avaya.com", "type": "Secondary"}]}