CVE-2021-37104 - OpenCVE

There is a server-side request forgery vulnerability in HUAWEI P40 versions 10.1.0.118(C00E116R3P3). This vulnerability is due to insufficient validation of parameters while dealing with some messages. A successful exploit could allow the attacker to gain access to certain resource which the attacker are supposed not to do.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Huawei	P40 P40 Firmware

Configuration 1 [-]

AND

cpe:2.3:o:huawei:p40_firmware:10.1.0.118\(c00e116r3p3\):*:*:*:*:*:*:*

cpe:2.3:h:huawei:p40:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20210922-01-ssrf-en

History

No history.

MITRE

Status: PUBLISHED

Assigner: huawei

Published: 2021-09-28T14:01:27

Updated: 2024-08-04T01:09:07.823Z

Reserved: 2021-07-20T00:00:00

Link: CVE-2021-37104

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2021-09-28T15:15:07.407

Modified: 2021-10-06T19:28:37.400

Link: CVE-2021-37104

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "HUAWEI P40", "vendor": "n/a", "versions": [{"status": "affected", "version": "10.1.0.118(C00E116R3P3)"}]}], "descriptions": [{"lang": "en", "value": "There is a server-side request forgery vulnerability in HUAWEI P40 versions 10.1.0.118(C00E116R3P3). This vulnerability is due to insufficient validation of parameters while dealing with some messages. A successful exploit could allow the attacker to gain access to certain resource which the attacker are supposed not to do."}], "problemTypes": [{"descriptions": [{"description": "Server-Side Request Forgery", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-09-28T14:01:27", "orgId": "25ac1063-e409-4190-8079-24548c77ea2e", "shortName": "huawei"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20210922-01-ssrf-en"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "psirt@huawei.com", "ID": "CVE-2021-37104", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "HUAWEI P40", "version": {"version_data": [{"version_value": "10.1.0.118(C00E116R3P3)"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "There is a server-side request forgery vulnerability in HUAWEI P40 versions 10.1.0.118(C00E116R3P3). This vulnerability is due to insufficient validation of parameters while dealing with some messages. A successful exploit could allow the attacker to gain access to certain resource which the attacker are supposed not to do."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Server-Side Request Forgery"}]}]}, "references": {"reference_data": [{"name": "https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20210922-01-ssrf-en", "refsource": "MISC", "url": "https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20210922-01-ssrf-en"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T01:09:07.823Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20210922-01-ssrf-en"}]}]}, "cveMetadata": {"assignerOrgId": "25ac1063-e409-4190-8079-24548c77ea2e", "assignerShortName": "huawei", "cveId": "CVE-2021-37104", "datePublished": "2021-09-28T14:01:27", "dateReserved": "2021-07-20T00:00:00", "dateUpdated": "2024-08-04T01:09:07.823Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:huawei:p40_firmware:10.1.0.118\\(c00e116r3p3\\):*:*:*:*:*:*:*", "matchCriteriaId": "10F19C3A-89ED-40B9-B652-8100D582CCCB", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:huawei:p40:-:*:*:*:*:*:*:*", "matchCriteriaId": "C1C2A5CA-8461-432B-9352-56B931B86C71", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "There is a server-side request forgery vulnerability in HUAWEI P40 versions 10.1.0.118(C00E116R3P3). This vulnerability is due to insufficient validation of parameters while dealing with some messages. A successful exploit could allow the attacker to gain access to certain resource which the attacker are supposed not to do."}, {"lang": "es", "value": "Se presenta una vulnerabilidad de tipo server-side request forgery en las versiones 10.1.0.118(C00E116R3P3) del HUAWEI P40. Esta vulnerabilidad es debido a que no se comprueban suficientemente los par\u00e1metros mientras se tratan algunos mensajes. Una explotaci\u00f3n con \u00e9xito podr\u00eda permitir al atacante conseguir acceso a determinados recursos que se supone que no puede hacer"}], "id": "CVE-2021-37104", "lastModified": "2021-10-06T19:28:37.400", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-09-28T15:15:07.407", "references": [{"source": "psirt@huawei.com", "tags": ["Vendor Advisory"], "url": "https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20210922-01-ssrf-en"}], "sourceIdentifier": "psirt@huawei.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "nvd@nist.gov", "type": "Primary"}]}