CVE-2021-3840

A dependency confusion vulnerability was reported in the Antilles open-source software prior to version 1.0.1 that could allow for remote code execution during installation due to a package listed in requirements.txt not existing in the public package index (PyPi). MITRE classifies this weakness as an Uncontrolled Search Path Element (CWE-427) in which a private package dependency may be replaced by an unauthorized package of the same name published to a well-known public repository such as PyPi. The configuration has been updated to only install components built by Antilles, removing all other public package indexes. Additionally, the antilles-tools dependency has been published to PyPi.

CVSS v3 8.8 HIGH
CVSS v2.0 6.8 MEDIUM

8.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

6.8^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:N/C:P/I:P/A:P

Exploitability : 8.6 / Impact : 6.4

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://github.com/lenovo/Antilles/security/advisories/GHSA-hgc3-hp6x-wpgx	Patch Third Party Advisory
https://github.com/lenovo/Antilles/security/advisories/GHSA-hgc3-hp6x-wpgx	Patch Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:lenovo:antilles:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2021-11-12 22:15

Updated : 2024-11-21 06:22

NVD link : CVE-2021-3840

Mitre link : CVE-2021-3840

CVE.ORG link : CVE-2021-3840

JSON object : View

Products Affected

lenovo

antilles

CWE

CWE-427

Uncontrolled Search Path Element

{"id": "CVE-2021-3840", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.8, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV31": [{"type": "Secondary", "source": "psirt@lenovo.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2021-11-12T22:15:08.527", "references": [{"url": "https://github.com/lenovo/Antilles/security/advisories/GHSA-hgc3-hp6x-wpgx", "tags": ["Patch", "Third Party Advisory"], "source": "psirt@lenovo.com"}, {"url": "https://github.com/lenovo/Antilles/security/advisories/GHSA-hgc3-hp6x-wpgx", "tags": ["Patch", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "psirt@lenovo.com", "description": [{"lang": "en", "value": "CWE-427"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-427"}]}], "descriptions": [{"lang": "en", "value": "A dependency confusion vulnerability was reported in the Antilles open-source software prior to version 1.0.1 that could allow for remote code execution during installation due to a package listed in requirements.txt not existing in the public package index (PyPi). MITRE classifies this weakness as an Uncontrolled Search Path Element (CWE-427) in which a private package dependency may be replaced by an unauthorized package of the same name published to a well-known public repository such as PyPi. The configuration has been updated to only install components built by Antilles, removing all other public package indexes. Additionally, the antilles-tools dependency has been published to PyPi."}, {"lang": "es", "value": "Se ha informado de una vulnerabilidad de confusi\u00f3n de dependencias en el software de c\u00f3digo abierto Antilles versiones anteriores a 1.0.1, que podr\u00eda permitir una ejecuci\u00f3n de c\u00f3digo remota durante la instalaci\u00f3n debido a que un paquete enumerado en el archivo requirements.txt no se presenta en el \u00edndice de paquetes p\u00fablicos (PyPi). MITRE clasifica esta debilidad como un elemento de ruta de b\u00fasqueda no controlada (CWE-427) en el que una dependencia de un paquete privado puede ser sustituida por un paquete no autorizado del mismo nombre publicado en un repositorio p\u00fablico conocido como PyPi. La configuraci\u00f3n ha sido actualizada para instalar \u00fanicamente componentes construidos por Antilles, eliminando todos los dem\u00e1s \u00edndices de paquetes p\u00fablicos. Adem\u00e1s, la dependencia de antilles-tools ha sido publicada en PyPi"}], "lastModified": "2024-11-21T06:22:36.553", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:lenovo:antilles:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "19651DE8-7990-4686-913B-2F72902A3DAA", "versionEndExcluding": "1.0.1"}], "operator": "OR"}]}], "sourceIdentifier": "psirt@lenovo.com"}