CVE-2021-22338

Published: Jun 29, 2021Modified: Nov 21, 2024

5.3

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Exploitability: 3.9 / Impact: 1.4

Source: NVD

Description

There is an XXE injection vulnerability in eCNS280 V100R005C00 and V100R005C10. A module does not perform the strict operation to the input XML message. Attacker can send specific message to exploit this vulnerability, leading to the module denial of service.

Affected (2)

Products: Huawei: Ecns280 Firmware

1 product

Ecns280 Firmware

Configuration A

2 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Huawei Ecns280 Firmware	Version v100r005c00
Huawei Ecns280 Firmware	Version v100r005c10

Running on/with	Platform Versions
Huawei Ecns280	All versions

Related CWEs

Improper Restriction of XML External Entity Reference

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

References (2)

https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20210421-01-cgp-en

Source: psirt@huawei.com

Vendor Advisory

https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20210421-01-cgp-en

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.