CVE-2021-22055 (GCVE-0-2021-22055)
Vulnerability from cvelistv5
Published
2022-04-11 19:37
Modified
2024-08-03 18:30
Severity ?
CWE
  • Heap-based buffer overflow issues via Cortado ThinPrint
Summary
The SchedulerServer in Vmware photon allows remote attackers to inject logs through \r in the package parameter. Attackers can also insert malicious data and fake entries.
References
Impacted products
Vendor Product Version
n/a Photon OS Version: Master build
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T18:30:23.941Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/vmware/photon/wiki/log_injection_vulnerability"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Photon OS",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "Master build"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The SchedulerServer in Vmware photon allows remote attackers to inject logs through \\r in the package parameter. Attackers can also insert malicious data and fake entries."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Heap-based buffer overflow issues via Cortado ThinPrint",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-04-11T19:37:38",
        "orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
        "shortName": "vmware"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/vmware/photon/wiki/log_injection_vulnerability"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@vmware.com",
          "ID": "CVE-2021-22055",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Photon OS",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "Master build"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The SchedulerServer in Vmware photon allows remote attackers to inject logs through \\r in the package parameter. Attackers can also insert malicious data and fake entries."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Heap-based buffer overflow issues via Cortado ThinPrint"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/vmware/photon/wiki/log_injection_vulnerability",
              "refsource": "MISC",
              "url": "https://github.com/vmware/photon/wiki/log_injection_vulnerability"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
    "assignerShortName": "vmware",
    "cveId": "CVE-2021-22055",
    "datePublished": "2022-04-11T19:37:38",
    "dateReserved": "2021-01-04T00:00:00",
    "dateUpdated": "2024-08-03T18:30:23.941Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2021-22055\",\"sourceIdentifier\":\"security@vmware.com\",\"published\":\"2022-04-11T20:15:15.610\",\"lastModified\":\"2024-11-21T05:49:30.663\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The SchedulerServer in Vmware photon allows remote attackers to inject logs through \\\\r in the package parameter. Attackers can also insert malicious data and fake entries.\"},{\"lang\":\"es\",\"value\":\"El SchedulerServer en Vmware photon permite a atacantes remotos inyectar registrosmedainte \\\\r en el par\u00e1metro del paquete. Los atacantes tambi\u00e9n pueden insertar datos maliciosos y entradas falsas\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:N/I:P/A:N\",\"baseScore\":5.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":10.0,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-74\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:vmware:photon_os:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2022-02-16\",\"matchCriteriaId\":\"29BF0F80-CB8C-426F-8862-A9E6CC1B1475\"}]}]}],\"references\":[{\"url\":\"https://github.com/vmware/photon/wiki/log_injection_vulnerability\",\"source\":\"security@vmware.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/vmware/photon/wiki/log_injection_vulnerability\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.