CVE-2021-3840 (GCVE-0-2021-3840)

Vulnerability from cvelistv5 – Published: 2021-11-12 22:05 – Updated: 2024-08-03 17:09
Summary
A dependency confusion vulnerability was reported in the Antilles open-source software prior to version 1.0.1 that could allow for remote code execution during installation due to a package listed in requirements.txt not existing in the public package index (PyPi). MITRE classifies this weakness as an Uncontrolled Search Path Element (CWE-427) in which a private package dependency may be replaced by an unauthorized package of the same name published to a well-known public repository such as PyPi. The configuration has been updated to only install components built by Antilles, removing all other public package indexes. Additionally, the antilles-tools dependency has been published to PyPi.
CWE
  • CWE-427 - Uncontrolled Search Path Element
Assigner
  • lenovo (psirt@lenovo.com)
References
  • https://github.com/lenovo/Antilles/security/advisories/GHSA-hgc3-hp6x-wpgx (Patch, Third Party Advisory)
Impacted products
  • Vendor: Antilles; Product: Antilles; Version: affected, unspecified < 1.0.1 (custom)
Credits
The Antilles team thanks Kotko Vladyslav for reporting this issue.

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T17:09:09.548Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/lenovo/Antilles/security/advisories/GHSA-hgc3-hp6x-wpgx"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Antilles",
          "vendor": "Antilles",
          "versions": [
            {
              "lessThan": "1.0.1",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "The Antilles team thanks Kotko Vladyslav for reporting this issue."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A dependency confusion vulnerability was reported in the Antilles open-source software prior to version 1.0.1 that could allow for remote code execution during installation due to a package listed in requirements.txt not existing in the public package index (PyPi). MITRE classifies this weakness as an Uncontrolled Search Path Element (CWE-427) in which a private package dependency may be replaced by an unauthorized package of the same name published to a well-known public repository such as PyPi. The configuration has been updated to only install components built by Antilles, removing all other public package indexes. Additionally, the antilles-tools dependency has been published to PyPi."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-427",
              "description": "CWE-427 Uncontrolled Search Path Element",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-11-12T22:05:54",
        "orgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b",
        "shortName": "lenovo"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/lenovo/Antilles/security/advisories/GHSA-hgc3-hp6x-wpgx"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Remove previous versions of Antilles as a precautionary measure and Update to version 1.0.1 or later."
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "psirt@lenovo.com",
          "ID": "CVE-2021-3840",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Antilles",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_value": "1.0.1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Antilles"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "The Antilles team thanks Kotko Vladyslav for reporting this issue."
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A dependency confusion vulnerability was reported in the Antilles open-source software prior to version 1.0.1 that could allow for remote code execution during installation due to a package listed in requirements.txt not existing in the public package index (PyPi). MITRE classifies this weakness as an Uncontrolled Search Path Element (CWE-427) in which a private package dependency may be replaced by an unauthorized package of the same name published to a well-known public repository such as PyPi. The configuration has been updated to only install components built by Antilles, removing all other public package indexes. Additionally, the antilles-tools dependency has been published to PyPi."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-427 Uncontrolled Search Path Element"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/lenovo/Antilles/security/advisories/GHSA-hgc3-hp6x-wpgx",
              "refsource": "MISC",
              "url": "https://github.com/lenovo/Antilles/security/advisories/GHSA-hgc3-hp6x-wpgx"
            }
          ]
        },
        "solution": [
          {
            "lang": "en",
            "value": "Remove previous versions of Antilles as a precautionary measure and Update to version 1.0.1 or later."
          }
        ],
        "source": {
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b",
    "assignerShortName": "lenovo",
    "cveId": "CVE-2021-3840",
    "datePublished": "2021-11-12T22:05:54",
    "dateReserved": "2021-09-29T00:00:00",
    "dateUpdated": "2024-08-03T17:09:09.548Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:lenovo:antilles:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"1.0.1\", \"matchCriteriaId\": \"19651DE8-7990-4686-913B-2F72902A3DAA\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"A dependency confusion vulnerability was reported in the Antilles open-source software prior to version 1.0.1 that could allow for remote code execution during installation due to a package listed in requirements.txt not existing in the public package index (PyPi). MITRE classifies this weakness as an Uncontrolled Search Path Element (CWE-427) in which a private package dependency may be replaced by an unauthorized package of the same name published to a well-known public repository such as PyPi. The configuration has been updated to only install components built by Antilles, removing all other public package indexes. Additionally, the antilles-tools dependency has been published to PyPi.\"}, {\"lang\": \"es\", \"value\": \"Se ha informado de una vulnerabilidad de confusi\\u00f3n de dependencias en el software de c\\u00f3digo abierto Antilles versiones anteriores a 1.0.1, que podr\\u00eda permitir una ejecuci\\u00f3n de c\\u00f3digo remota durante la instalaci\\u00f3n debido a que un paquete enumerado en el archivo requirements.txt no se presenta en el \\u00edndice de paquetes p\\u00fablicos (PyPi). MITRE clasifica esta debilidad como un elemento de ruta de b\\u00fasqueda no controlada (CWE-427) en el que una dependencia de un paquete privado puede ser sustituida por un paquete no autorizado del mismo nombre publicado en un repositorio p\\u00fablico conocido como PyPi. La configuraci\\u00f3n ha sido actualizada para instalar \\u00fanicamente componentes construidos por Antilles, eliminando todos los dem\\u00e1s \\u00edndices de paquetes p\\u00fablicos. Adem\\u00e1s, la dependencia de antilles-tools ha sido publicada en PyPi\"}]",
      "id": "CVE-2021-3840",
      "lastModified": "2024-11-21T06:22:36.553",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"psirt@lenovo.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\", \"baseScore\": 8.8, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 5.9}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\", \"baseScore\": 8.8, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 5.9}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:M/Au:N/C:P/I:P/A:P\", \"baseScore\": 6.8, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"MEDIUM\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 8.6, \"impactScore\": 6.4, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": true}]}",
      "published": "2021-11-12T22:15:08.527",
      "references": "[{\"url\": \"https://github.com/lenovo/Antilles/security/advisories/GHSA-hgc3-hp6x-wpgx\", \"source\": \"psirt@lenovo.com\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/lenovo/Antilles/security/advisories/GHSA-hgc3-hp6x-wpgx\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}]",
      "sourceIdentifier": "psirt@lenovo.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"psirt@lenovo.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-427\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-427\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2021-3840\",\"sourceIdentifier\":\"psirt@lenovo.com\",\"published\":\"2021-11-12T22:15:08.527\",\"lastModified\":\"2024-11-21T06:22:36.553\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A dependency confusion vulnerability was reported in the Antilles open-source software prior to version 1.0.1 that could allow for remote code execution during installation due to a package listed in requirements.txt not existing in the public package index (PyPi). MITRE classifies this weakness as an Uncontrolled Search Path Element (CWE-427) in which a private package dependency may be replaced by an unauthorized package of the same name published to a well-known public repository such as PyPi. The configuration has been updated to only install components built by Antilles, removing all other public package indexes. Additionally, the antilles-tools dependency has been published to PyPi.\"},{\"lang\":\"es\",\"value\":\"Se ha informado de una vulnerabilidad de confusi\u00f3n de dependencias en el software de c\u00f3digo abierto Antilles versiones anteriores a 1.0.1, que podr\u00eda permitir una ejecuci\u00f3n de c\u00f3digo remota durante la instalaci\u00f3n debido a que un paquete enumerado en el archivo requirements.txt no se presenta en el \u00edndice de paquetes p\u00fablicos (PyPi). MITRE clasifica esta debilidad como un elemento de ruta de b\u00fasqueda no controlada (CWE-427) en el que una dependencia de un paquete privado puede ser sustituida por un paquete no autorizado del mismo nombre publicado en un repositorio p\u00fablico conocido como PyPi. La configuraci\u00f3n ha sido actualizada para instalar \u00fanicamente componentes construidos por Antilles, eliminando todos los dem\u00e1s \u00edndices de paquetes p\u00fablicos. Adem\u00e1s, la dependencia de antilles-tools ha sido publicada en PyPi\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"psirt@lenovo.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:P/I:P/A:P\",\"baseScore\":6.8,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"psirt@lenovo.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-427\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-427\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:lenovo:antilles:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.0.1\",\"matchCriteriaId\":\"19651DE8-7990-4686-913B-2F72902A3DAA\"}]}]}],\"references\":[{\"url\":\"https://github.com/lenovo/Antilles/security/advisories/GHSA-hgc3-hp6x-wpgx\",\"source\":\"psirt@lenovo.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/lenovo/Antilles/security/advisories/GHSA-hgc3-hp6x-wpgx\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]}]}}"
  }
}

