CVE-2021-3436 - Vulnerability Details

Vendors	Products
Zephyrproject	Zephyr

Link	Providers
http://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-j76f-35mc-4h63

Show plain JSON

{"containers": {"cna": {"affected": [{"product": "zephyr", "vendor": "zephyrproject-rtos", "versions": [{"lessThan": "unspecified", "status": "affected", "version": "1.14.2", "versionType": "custom"}, {"lessThan": "unspecified", "status": "affected", "version": "2.4.0", "versionType": "custom"}, {"lessThan": "unspecified", "status": "affected", "version": "2.5.0", "versionType": "custom"}]}], "datePublic": "2021-06-11T00:00:00", "descriptions": [{"lang": "en", "value": "BT: Possible to overwrite an existing bond during keys distribution phase when the identity address of the bond is known. Zephyr versions >= 1.14.2, >= 2.4.0, >= 2.5.0 contain Use of Multiple Resources with Duplicate Identifier (CWE-694). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-j76f-35mc-4h63"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-694", "description": "Use of Multiple Resources with Duplicate Identifier (CWE-694)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-10-05T20:50:15", "orgId": "e2e69745-5e70-4e92-8431-deb5529a81ad", "shortName": "zephyr"}, "references": [{"tags": ["x_refsource_MISC"], "url": "http://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-j76f-35mc-4h63"}], "source": {"defect": ["https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-j76f-35mc-4h63"]}, "title": "BT: Possible to overwrite an existing bond during keys distribution phase when the identity address of the bond is known", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "vulnerabilities@zephyrproject.org", "DATE_PUBLIC": "2021-06-11T00:00:00.000Z", "ID": "CVE-2021-3436", "STATE": "PUBLIC", "TITLE": "BT: Possible to overwrite an existing bond during keys distribution phase when the identity address of the bond is known"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "zephyr", "version": {"version_data": [{"version_affected": ">=", "version_value": "1.14.2"}, {"version_affected": ">=", "version_value": "2.4.0"}, {"version_affected": ">=", "version_value": "2.5.0"}]}}]}, "vendor_name": "zephyrproject-rtos"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "BT: Possible to overwrite an existing bond during keys distribution phase when the identity address of the bond is known. Zephyr versions >= 1.14.2, >= 2.4.0, >= 2.5.0 contain Use of Multiple Resources with Duplicate Identifier (CWE-694). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-j76f-35mc-4h63"}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "environmentalScore": 4.3, "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "temporalScore": 4.3, "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Use of Multiple Resources with Duplicate Identifier (CWE-694)"}]}]}, "references": {"reference_data": [{"name": "http://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-j76f-35mc-4h63", "refsource": "MISC", "url": "http://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-j76f-35mc-4h63"}]}, "source": {"defect": ["https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-j76f-35mc-4h63"]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T16:53:17.616Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-j76f-35mc-4h63"}]}]}, "cveMetadata": {"assignerOrgId": "e2e69745-5e70-4e92-8431-deb5529a81ad", "assignerShortName": "zephyr", "cveId": "CVE-2021-3436", "datePublished": "2021-10-05T20:50:15.802366Z", "dateReserved": "2021-03-11T00:00:00", "dateUpdated": "2024-09-16T20:31:46.210Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{

containers : { »

cna : { »

affected : [ »

0 : { »

product : zephyr (string)

vendor : zephyrproject-rtos (string)

versions : [ »

0 : { »

lessThan : unspecified (string)

status : affected (string)

version : 1.14.2 (string)

versionType : custom (string)

}

1 : { »

lessThan : unspecified (string)

status : affected (string)

version : 2.4.0 (string)

versionType : custom (string)

}

2 : { »

lessThan : unspecified (string)

status : affected (string)

version : 2.5.0 (string)

versionType : custom (string)

}

]

}

]

datePublic : 2021-06-11T00:00:00 (string)

descriptions : [ »

0 : { »

lang : en (string)

value : BT: Possible to overwrite an existing bond during keys distribution phase when the identity address of the bond is known. Zephyr versions >= 1.14.2, >= 2.4.0, >= 2.5.0 contain Use of Multiple Resources with Duplicate Identifier (CWE-694). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-j76f-35mc-4h63 (string)

}

]

metrics : [ »

0 : { »

cvssV3_1 : { »

attackComplexity : LOW (string)

attackVector : ADJACENT_NETWORK (string)

availabilityImpact : LOW (string)

baseScore : 4.3 (number)

baseSeverity : MEDIUM (string)

confidentialityImpact : NONE (string)

integrityImpact : NONE (string)

privilegesRequired : NONE (string)

scope : UNCHANGED (string)

userInteraction : NONE (string)

vectorString : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L (string)

version : 3.1 (string)

}

]

problemTypes : [ »

0 : { »

descriptions : [ »

0 : { »

cweId : CWE-694 (string)

description : Use of Multiple Resources with Duplicate Identifier (CWE-694) (string)

lang : en (string)

type : CWE (string)

}

]

}

]

providerMetadata : { »

dateUpdated : 2021-10-05T20:50:15 (string)

orgId : e2e69745-5e70-4e92-8431-deb5529a81ad (string)

shortName : zephyr (string)

}

references : [ »

0 : { »

tags : [ »

0 : x_refsource_MISC (string)

]

url : http://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-j76f-35mc-4h63 (string)

}

]

source : { »

defect : [ »

0 : https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-j76f-35mc-4h63 (string)

]

}

title : BT: Possible to overwrite an existing bond during keys distribution phase when the identity address of the bond is known (string)

x_legacyV4Record : { »

CVE_data_meta : { »

ASSIGNER : vulnerabilities@zephyrproject.org (string)

DATE_PUBLIC : 2021-06-11T00:00:00.000Z (string)

ID : CVE-2021-3436 (string)

STATE : PUBLIC (string)

TITLE : BT: Possible to overwrite an existing bond during keys distribution phase when the identity address of the bond is known (string)

}

affects : { »

vendor : { »

vendor_data : [ »

0 : { »

product : { »

product_data : [ »

0 : { »

product_name : zephyr (string)

version : { »

version_data : [ »

0 : { »

version_affected : >= (string)

version_value : 1.14.2 (string)

}

1 : { »

version_affected : >= (string)

version_value : 2.4.0 (string)

}

2 : { »

version_affected : >= (string)

version_value : 2.5.0 (string)

}

]

}

]

}

vendor_name : zephyrproject-rtos (string)

}

]

}

data_format : MITRE (string)

data_type : CVE (string)

data_version : 4.0 (string)

description : { »

description_data : [ »

0 : { »

lang : eng (string)

value : BT: Possible to overwrite an existing bond during keys distribution phase when the identity address of the bond is known. Zephyr versions >= 1.14.2, >= 2.4.0, >= 2.5.0 contain Use of Multiple Resources with Duplicate Identifier (CWE-694). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-j76f-35mc-4h63 (string)

}

]

}

impact : { »

cvss : { »

attackComplexity : LOW (string)

attackVector : ADJACENT_NETWORK (string)

availabilityImpact : LOW (string)

baseScore : 4.3 (number)

baseSeverity : MEDIUM (string)

confidentialityImpact : NONE (string)

environmentalScore : 4.3 (number)

integrityImpact : NONE (string)

privilegesRequired : NONE (string)

scope : UNCHANGED (string)

temporalScore : 4.3 (number)

userInteraction : NONE (string)

vectorString : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L (string)

version : 3.1 (string)

}

problemtype : { »

problemtype_data : [ »

0 : { »

description : [ »

0 : { »

lang : eng (string)

value : Use of Multiple Resources with Duplicate Identifier (CWE-694) (string)

}

]

}

]

}

references : { »

reference_data : [ »

0 : { »

name : http://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-j76f-35mc-4h63 (string)

refsource : MISC (string)

url : http://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-j76f-35mc-4h63 (string)

}

]

}

source : { »

defect : [ »

0 : https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-j76f-35mc-4h63 (string)

]

}

adp : [ »

0 : { »

providerMetadata : { »

orgId : af854a3a-2127-422b-91ae-364da2661108 (string)

shortName : CVE (string)

dateUpdated : 2024-08-03T16:53:17.616Z (string)

}

title : CVE Program Container (string)

references : [ »

0 : { »

tags : [ »

0 : x_refsource_MISC (string)

1 : x_transferred (string)

]

url : http://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-j76f-35mc-4h63 (string)

}

]

}

]

}

cveMetadata : { »

assignerOrgId : e2e69745-5e70-4e92-8431-deb5529a81ad (string)

assignerShortName : zephyr (string)

cveId : CVE-2021-3436 (string)

datePublished : 2021-10-05T20:50:15.802366Z (string)

dateReserved : 2021-03-11T00:00:00 (string)

dateUpdated : 2024-09-16T20:31:46.210Z (string)

state : PUBLISHED (string)

}

dataType : CVE_RECORD (string)

dataVersion : 5.1 (string)

}

Show plain JSON

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:zephyrproject:zephyr:1.14.2:*:*:*:*:*:*:*", "matchCriteriaId": "B74694FC-5442-4F7E-AACF-0E1753F50148", "vulnerable": true}, {"criteria": "cpe:2.3:o:zephyrproject:zephyr:2.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "59AB4423-CBB9-4BC1-9FBB-2690DAA3FDF8", "vulnerable": true}, {"criteria": "cpe:2.3:o:zephyrproject:zephyr:2.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "CAA88796-7B3D-4328-BAFA-D28BFBE601D9", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "BT: Possible to overwrite an existing bond during keys distribution phase when the identity address of the bond is known. Zephyr versions >= 1.14.2, >= 2.4.0, >= 2.5.0 contain Use of Multiple Resources with Duplicate Identifier (CWE-694). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-j76f-35mc-4h63"}, {"lang": "es", "value": "BT: Posibilidad de sobrescribir un v\u00ednculo existente durante la fase de distribuci\u00f3n de claves cuando se conoce la direcci\u00f3n de identidad del v\u00ednculo. Zephyr versiones posteriores a 1.14.2 incluy\u00e9ndola, versiones posteriores a 2.4.0 incluy\u00e9ndola, versiones posteriores a 2.5.0 incluy\u00e9ndola, contienen Uso de M\u00faltiples Recursos con Identificador Duplicado (CWE-694). Para m\u00e1s informaci\u00f3n, consulte https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-j76f-35mc-4h63"}], "id": "CVE-2021-3436", "lastModified": "2024-11-21T06:21:30.360", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.4, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "vulnerabilities@zephyrproject.org", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-10-05T21:15:09.293", "references": [{"source": "vulnerabilities@zephyrproject.org", "tags": ["Exploit", "Patch", "Third Party Advisory"], "url": "http://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-j76f-35mc-4h63"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Patch", "Third Party Advisory"], "url": "http://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-j76f-35mc-4h63"}], "sourceIdentifier": "vulnerabilities@zephyrproject.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-694"}], "source": "vulnerabilities@zephyrproject.org", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{

configurations : [ »

0 : { »

nodes : [ »

0 : { »

cpeMatch : [ »

0 : { »

criteria : cpe:2.3:o:zephyrproject:zephyr:1.14.2:*:*:*:*:*:*:* (string)

matchCriteriaId : B74694FC-5442-4F7E-AACF-0E1753F50148 (string)

vulnerable : true (boolean)

}

1 : { »

criteria : cpe:2.3:o:zephyrproject:zephyr:2.4.0:*:*:*:*:*:*:* (string)

matchCriteriaId : 59AB4423-CBB9-4BC1-9FBB-2690DAA3FDF8 (string)

vulnerable : true (boolean)

}

2 : { »

criteria : cpe:2.3:o:zephyrproject:zephyr:2.5.0:*:*:*:*:*:*:* (string)

matchCriteriaId : CAA88796-7B3D-4328-BAFA-D28BFBE601D9 (string)

vulnerable : true (boolean)

}

]

negate : false (boolean)

operator : OR (string)

}

]

}

]

descriptions : [ »

0 : { »

lang : en (string)

value : BT: Possible to overwrite an existing bond during keys distribution phase when the identity address of the bond is known. Zephyr versions >= 1.14.2, >= 2.4.0, >= 2.5.0 contain Use of Multiple Resources with Duplicate Identifier (CWE-694). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-j76f-35mc-4h63 (string)

}

1 : { »

lang : es (string)

value : BT: Posibilidad de sobrescribir un vínculo existente durante la fase de distribución de claves cuando se conoce la dirección de identidad del vínculo. Zephyr versiones posteriores a 1.14.2 incluyéndola, versiones posteriores a 2.4.0 incluyéndola, versiones posteriores a 2.5.0 incluyéndola, contienen Uso de Múltiples Recursos con Identificador Duplicado (CWE-694). Para más información, consulte https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-j76f-35mc-4h63 (string)

}

]

id : CVE-2021-3436 (string)

lastModified : 2024-11-21T06:21:30.360 (string)

metrics : { »

cvssMetricV2 : [ »

0 : { »

acInsufInfo : false (boolean)

baseSeverity : MEDIUM (string)

cvssData : { »

accessComplexity : LOW (string)

accessVector : NETWORK (string)

authentication : NONE (string)

availabilityImpact : PARTIAL (string)

baseScore : 6.4 (number)

confidentialityImpact : NONE (string)

integrityImpact : PARTIAL (string)

vectorString : AV:N/AC:L/Au:N/C:N/I:P/A:P (string)

version : 2.0 (string)

}

exploitabilityScore : 10 (number)

impactScore : 4.9 (number)

obtainAllPrivilege : false (boolean)

obtainOtherPrivilege : false (boolean)

obtainUserPrivilege : false (boolean)

source : nvd@nist.gov (string)

type : Primary (string)

userInteractionRequired : false (boolean)

}

]

cvssMetricV31 : [ »

0 : { »

cvssData : { »

attackComplexity : LOW (string)

attackVector : ADJACENT_NETWORK (string)

availabilityImpact : LOW (string)

baseScore : 4.3 (number)

baseSeverity : MEDIUM (string)

confidentialityImpact : NONE (string)

integrityImpact : NONE (string)

privilegesRequired : NONE (string)

scope : UNCHANGED (string)

userInteraction : NONE (string)

vectorString : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L (string)

version : 3.1 (string)

}

exploitabilityScore : 2.8 (number)

impactScore : 1.4 (number)

source : vulnerabilities@zephyrproject.org (string)

type : Secondary (string)

}

1 : { »

cvssData : { »

attackComplexity : LOW (string)

attackVector : NETWORK (string)

availabilityImpact : LOW (string)

baseScore : 6.5 (number)

baseSeverity : MEDIUM (string)

confidentialityImpact : NONE (string)

integrityImpact : LOW (string)

privilegesRequired : NONE (string)

scope : UNCHANGED (string)

userInteraction : NONE (string)

vectorString : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L (string)

version : 3.1 (string)

}

exploitabilityScore : 3.9 (number)

impactScore : 2.5 (number)

source : nvd@nist.gov (string)

type : Primary (string)

}

]

}

published : 2021-10-05T21:15:09.293 (string)

references : [ »

0 : { »

source : vulnerabilities@zephyrproject.org (string)

tags : [ »

0 : Exploit (string)

1 : Patch (string)

2 : Third Party Advisory (string)

]

url : http://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-j76f-35mc-4h63 (string)

}

1 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Exploit (string)

1 : Patch (string)

2 : Third Party Advisory (string)

]

url : http://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-j76f-35mc-4h63 (string)

}

]

sourceIdentifier : vulnerabilities@zephyrproject.org (string)

vulnStatus : Modified (string)

weaknesses : [ »

0 : { »

description : [ »

0 : { »

lang : en (string)

value : CWE-694 (string)

}

]

source : vulnerabilities@zephyrproject.org (string)

type : Secondary (string)

}

1 : { »

description : [ »

0 : { »

lang : en (string)

value : NVD-CWE-Other (string)

}

]

source : nvd@nist.gov (string)

type : Primary (string)

}

]

}

Metrics

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact Partial

Affected Vendors & Products

Metrics

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact Partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object