Lucene search

K
cve[email protected]CVE-2021-28204
HistoryApr 06, 2021 - 5:15 a.m.

CVE-2021-28204

2021-04-0605:15:17
CWE-78
web.nvd.nist.gov
29
2
asus
bmc
firmware
web management
command injection
cve-2021-28204
nvd

6.5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

7.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

7.2 High

AI Score

Confidence

High

0.005 Low

EPSS

Percentile

75.3%

The specific function in ASUS BMC’s firmware Web management page (Modify user’s information function) does not filter the specific parameter. As obtaining the administrator permission, remote attackers can launch command injection to execute command arbitrary.

Affected configurations

NVD
Node
asusz10pr-d16_firmwareMatch1.14.51
AND
asusz10pr-d16Match-
Node
asusasmb8-ikvm_firmwareMatch1.14.51
AND
asusasmb8-ikvmMatch-
Node
asusz10pe-d16_ws_firmwareMatch1.14.2
AND
asusz10pe-d16_wsMatch-

CNA Affected

[
  {
    "product": "BMC firmware for Z10PR-D16",
    "vendor": "ASUS",
    "versions": [
      {
        "status": "affected",
        "version": "1.14.51"
      }
    ]
  },
  {
    "product": "BMC firmware for ASMB8-iKVM",
    "vendor": "ASUS",
    "versions": [
      {
        "status": "affected",
        "version": "1.14.51"
      }
    ]
  },
  {
    "product": "BMC firmware for Z10PE-D16 WS",
    "vendor": "ASUS",
    "versions": [
      {
        "status": "affected",
        "version": "1.14.2"
      }
    ]
  }
]

Social References

More

6.5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

7.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

7.2 High

AI Score

Confidence

High

0.005 Low

EPSS

Percentile

75.3%

Related for CVE-2021-28204