CVE-2021-43269 - OpenCVE

In Code42 app before 8.8.0, eval injection allows an attacker to change a device’s proxy configuration to use a malicious proxy auto-config (PAC) file, leading to arbitrary code execution. This affects Incydr Basic, Advanced, and Gov F1; CrashPlan Cloud; and CrashPlan for Small Business. (Incydr Professional and Enterprise are unaffected.)

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:S/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Code42	Code42

Configuration 1 [-]

cpe:2.3:a:code42:code42:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://support.code42.com/Terms_and_conditions/Code42_customer_support_resources/Code42_security_advisories/Arbitrary_code_execution_via_malicious_Code42_app_proxy_configuration
https://www.code42.com/r/support/CVE-2021-43269

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2022-01-20T01:44:17

Updated: 2024-08-04T03:55:28.423Z

Reserved: 2021-11-02T00:00:00

Link: CVE-2021-43269

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-01-20T02:15:06.840

Modified: 2022-07-12T17:42:04.277

Link: CVE-2021-43269

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "In Code42 app before 8.8.0, eval injection allows an attacker to change a device\u2019s proxy configuration to use a malicious proxy auto-config (PAC) file, leading to arbitrary code execution. This affects Incydr Basic, Advanced, and Gov F1; CrashPlan Cloud; and CrashPlan for Small Business. (Incydr Professional and Enterprise are unaffected.)"}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-01-20T01:44:17", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://support.code42.com/Terms_and_conditions/Code42_customer_support_resources/Code42_security_advisories/Arbitrary_code_execution_via_malicious_Code42_app_proxy_configuration"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://www.code42.com/r/support/CVE-2021-43269"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2021-43269", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In Code42 app before 8.8.0, eval injection allows an attacker to change a device\u2019s proxy configuration to use a malicious proxy auto-config (PAC) file, leading to arbitrary code execution. This affects Incydr Basic, Advanced, and Gov F1; CrashPlan Cloud; and CrashPlan for Small Business. (Incydr Professional and Enterprise are unaffected.)"}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://support.code42.com/Terms_and_conditions/Code42_customer_support_resources/Code42_security_advisories/Arbitrary_code_execution_via_malicious_Code42_app_proxy_configuration", "refsource": "CONFIRM", "url": "https://support.code42.com/Terms_and_conditions/Code42_customer_support_resources/Code42_security_advisories/Arbitrary_code_execution_via_malicious_Code42_app_proxy_configuration"}, {"name": "https://www.code42.com/r/support/CVE-2021-43269", "refsource": "CONFIRM", "url": "https://www.code42.com/r/support/CVE-2021-43269"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T03:55:28.423Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://support.code42.com/Terms_and_conditions/Code42_customer_support_resources/Code42_security_advisories/Arbitrary_code_execution_via_malicious_Code42_app_proxy_configuration"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.code42.com/r/support/CVE-2021-43269"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-43269", "datePublished": "2022-01-20T01:44:17", "dateReserved": "2021-11-02T00:00:00", "dateUpdated": "2024-08-04T03:55:28.423Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:code42:code42:*:*:*:*:*:*:*:*", "matchCriteriaId": "E9C68FBC-6D65-448A-965C-B1AC9F32F8AA", "versionEndExcluding": "8.8.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In Code42 app before 8.8.0, eval injection allows an attacker to change a device\u2019s proxy configuration to use a malicious proxy auto-config (PAC) file, leading to arbitrary code execution. This affects Incydr Basic, Advanced, and Gov F1; CrashPlan Cloud; and CrashPlan for Small Business. (Incydr Professional and Enterprise are unaffected.)"}, {"lang": "es", "value": "En la aplicaci\u00f3n Code42 versiones anteriores a 8.8.0, una inyecci\u00f3n de evaluaci\u00f3n permite a un atacante cambiar la configuraci\u00f3n del proxy de un dispositivo para usar un archivo de configuraci\u00f3n autom\u00e1tica del proxy (PAC) malicioso, conllevando a una ejecuci\u00f3n de c\u00f3digo arbitrario. Esto afecta a Incydr Basic, Advanced, y Gov F1; CrashPlan Cloud; y CrashPlan for Small Business. (Incydr Professional y Enterprise no est\u00e1n afectados)"}], "id": "CVE-2021-43269", "lastModified": "2022-07-12T17:42:04.277", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-01-20T02:15:06.840", "references": [{"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://support.code42.com/Terms_and_conditions/Code42_customer_support_resources/Code42_security_advisories/Arbitrary_code_execution_via_malicious_Code42_app_proxy_configuration"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://www.code42.com/r/support/CVE-2021-43269"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "nvd@nist.gov", "type": "Primary"}]}