CVE-2021-3661 - Vulnerability Details

A potential security vulnerability has been identified in certain HP Workstation BIOS (UEFI firmware) which may allow arbitrary code execution. HP is releasing firmware mitigations for the potential vulnerability.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.01029.

Exploitation none

Automatable no

Technical Impact total

Vendors	Products
Hp	Z1 All-in-one G3 Z1 All-in-one G3 Firmware Z238 Microtower Z238 Microtower Firmware Z240 Small Form Factor Z240 Small Form Factor Firmware Z240 Tower Z240 Tower Firmware Z2 Mini G3 Z2 Mini G3 Firmware Z2 Mini G4 Z2 Mini G4 Firmware Z2 Mini G5 Z2 Mini G5 Firmware Z2 Small Form Factor G4 Z2 Small Form Factor G4 Firmware Z2 Small Form Factor G5 Z2 Small Form Factor G5 Firmware Z2 Small Form Factor G8 Z2 Small Form Factor G8 Firmware Z2 Tower G4 Z2 Tower G4 Firmware Z2 Tower G5 Z2 Tower G5 Firmware Z2 Tower G8 Z2 Tower G8 Firmware Z440 Z440 Firmware Z4 G4 Z4 G4 Firmware Z640 Z640 Firmware Z6 G4 Z6 G4 Firmware Z840 Z840 Firmware Z8 G4 Z8 G4 Firmware Zcentral 4r Zcentral 4r Firmware

Configuration 1 [-]

AND

cpe:2.3:o:hp:z1_all-in-one_g3_firmware:01.31:*:*:*:*:*:*:*

cpe:2.3:h:hp:z1_all-in-one_g3:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:hp:z2_mini_g3_firmware:01.83:*:*:*:*:*:*:*

cpe:2.3:h:hp:z2_mini_g3:-:*:*:*:*:*:*:*

Configuration 3 [-]

AND

cpe:2.3:o:hp:z2_mini_g4_firmware:01.08.01:*:*:*:*:*:*:*

cpe:2.3:h:hp:z2_mini_g4:-:*:*:*:*:*:*:*

Configuration 4 [-]

AND

cpe:2.3:o:hp:z2_mini_g5_firmware:01.03.00_rev_a:*:*:*:*:*:*:*

cpe:2.3:h:hp:z2_mini_g5:-:*:*:*:*:*:*:*

Configuration 5 [-]

AND

cpe:2.3:o:hp:z2_small_form_factor_g4_firmware:01.08.01:*:*:*:*:*:*:*

cpe:2.3:h:hp:z2_small_form_factor_g4:-:*:*:*:*:*:*:*

Configuration 6 [-]

AND

cpe:2.3:o:hp:z2_small_form_factor_g5_firmware:01.03.00_rev_a:*:*:*:*:*:*:*

cpe:2.3:h:hp:z2_small_form_factor_g5:-:*:*:*:*:*:*:*

Configuration 7 [-]

AND

cpe:2.3:o:hp:z2_small_form_factor_g8_firmware:01.03.00_rev_a:*:*:*:*:*:*:*

cpe:2.3:h:hp:z2_small_form_factor_g8:-:*:*:*:*:*:*:*

Configuration 8 [-]

AND

cpe:2.3:o:hp:z2_tower_g4_firmware:01.08.01:*:*:*:*:*:*:*

cpe:2.3:h:hp:z2_tower_g4:-:*:*:*:*:*:*:*

Configuration 9 [-]

AND

cpe:2.3:o:hp:z2_tower_g5_firmware:01.03.00_rev_a:*:*:*:*:*:*:*

cpe:2.3:h:hp:z2_tower_g5:-:*:*:*:*:*:*:*

Configuration 10 [-]

AND

cpe:2.3:o:hp:z2_tower_g8_firmware:01.03.00_rev_a:*:*:*:*:*:*:*

cpe:2.3:h:hp:z2_tower_g8:-:*:*:*:*:*:*:*

Configuration 11 [-]

AND

cpe:2.3:o:hp:z238_microtower_firmware:01.83:*:*:*:*:*:*:*

cpe:2.3:h:hp:z238_microtower:-:*:*:*:*:*:*:*

Configuration 12 [-]

AND

cpe:2.3:o:hp:z240_small_form_factor_firmware:01.83:*:*:*:*:*:*:*

cpe:2.3:h:hp:z240_small_form_factor:-:*:*:*:*:*:*:*

Configuration 13 [-]

AND

cpe:2.3:o:hp:z240_tower_firmware:01.83:*:*:*:*:*:*:*

cpe:2.3:h:hp:z240_tower:-:*:*:*:*:*:*:*

Configuration 14 [-]

AND

cpe:2.3:o:hp:z4_g4_firmware:02.75:*:*:*:*:*:*:*

cpe:2.3:h:hp:z4_g4:-:*:*:*:*:*:*:*

Configuration 15 [-]

AND

cpe:2.3:o:hp:z440_firmware:2.58:*:*:*:*:*:*:*

cpe:2.3:h:hp:z440:-:*:*:*:*:*:*:*

Configuration 16 [-]

AND

cpe:2.3:o:hp:z6_g4_firmware:02.75:*:*:*:*:*:*:*

cpe:2.3:h:hp:z6_g4:-:*:*:*:*:*:*:*

Configuration 17 [-]

AND

cpe:2.3:o:hp:z640_firmware:2.58:*:*:*:*:*:*:*

cpe:2.3:h:hp:z640:-:*:*:*:*:*:*:*

Configuration 18 [-]

AND

cpe:2.3:o:hp:z8_g4_firmware:02.75:*:*:*:*:*:*:*

cpe:2.3:h:hp:z8_g4:-:*:*:*:*:*:*:*

Configuration 19 [-]

AND

cpe:2.3:o:hp:z840_firmware:2.58:*:*:*:*:*:*:*

cpe:2.3:h:hp:z840:-:*:*:*:*:*:*:*

Configuration 20 [-]

AND

cpe:2.3:o:hp:zcentral_4r_firmware:01.18:*:*:*:*:*:*:*

cpe:2.3:h:hp:zcentral_4r:-:*:*:*:*:*:*:*

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2021-26956	A potential security vulnerability has been identified in certain HP Workstation BIOS (UEFI firmware) which may allow arbitrary code execution. HP is releasing firmware mitigations for the potential vulnerability.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://support.hp.com/us-en/document/ish_5670997-5671021-16/hpsbhf03770

History

Tue, 29 Apr 2025 05:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-94
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: hp

Published: 2022-11-21T21:19:42.950Z

Updated: 2025-04-29T04:44:48.739Z

Reserved: 2021-07-23T00:21:54.040Z

Link: CVE-2021-3661

Vulnrichment

Updated: 2024-08-03T17:01:07.807Z

NVD

Status : Modified

Published: 2022-12-12T13:15:11.693

Modified: 2025-04-29T05:15:40.660

Link: CVE-2021-3661

Redhat

No data.

OpenCVE Enrichment

No data.

Metrics

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object