Search criteria
3 vulnerabilities found for antilles by lenovo
VAR-202111-0617
Vulnerability from variot - Updated: 2024-11-23 22:47A dependency confusion vulnerability was reported in the Antilles open-source software prior to version 1.0.1 that could allow for remote code execution during installation due to a package listed in requirements.txt not existing in the public package index (PyPi). MITRE classifies this weakness as an Uncontrolled Search Path Element (CWE-427) in which a private package dependency may be replaced by an unauthorized package of the same name published to a well-known public repository such as PyPi. The configuration has been updated to only install components built by Antilles, removing all other public package indexes. Additionally, the antilles-tools dependency has been published to PyPi. Antilles An uncontrolled search path element vulnerability exists in open source software.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202111-0617",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "antilles",
"scope": "lt",
"trust": 1.0,
"vendor": "lenovo",
"version": "1.0.1"
},
{
"model": "antilles",
"scope": "eq",
"trust": 0.8,
"vendor": "lenovo",
"version": "1.0.1"
},
{
"model": "antilles",
"scope": "eq",
"trust": 0.8,
"vendor": "lenovo",
"version": null
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2021-015128"
},
{
"db": "NVD",
"id": "CVE-2021-3840"
}
]
},
"cve": "CVE-2021-3840",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "nvd@nist.gov",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 8.6,
"id": "CVE-2021-3840",
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"severity": "MEDIUM",
"trust": 1.8,
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 8.6,
"id": "VHN-400035",
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"severity": "MEDIUM",
"trust": 0.1,
"vectorString": "AV:N/AC:M/AU:N/C:P/I:P/A:P",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "nvd@nist.gov",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 2.8,
"id": "CVE-2021-3840",
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 2.0,
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
{
"attackComplexity": "Low",
"attackVector": "Network",
"author": "OTHER",
"availabilityImpact": "High",
"baseScore": 8.8,
"baseSeverity": "High",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "JVNDB-2021-015128",
"impactScore": null,
"integrityImpact": "High",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "Required",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2021-3840",
"trust": 1.0,
"value": "HIGH"
},
{
"author": "psirt@lenovo.com",
"id": "CVE-2021-3840",
"trust": 1.0,
"value": "HIGH"
},
{
"author": "NVD",
"id": "CVE-2021-3840",
"trust": 0.8,
"value": "High"
},
{
"author": "CNNVD",
"id": "CNNVD-202111-1181",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "VULHUB",
"id": "VHN-400035",
"trust": 0.1,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-400035"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-015128"
},
{
"db": "CNNVD",
"id": "CNNVD-202111-1181"
},
{
"db": "NVD",
"id": "CVE-2021-3840"
},
{
"db": "NVD",
"id": "CVE-2021-3840"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "A dependency confusion vulnerability was reported in the Antilles open-source software prior to version 1.0.1 that could allow for remote code execution during installation due to a package listed in requirements.txt not existing in the public package index (PyPi). MITRE classifies this weakness as an Uncontrolled Search Path Element (CWE-427) in which a private package dependency may be replaced by an unauthorized package of the same name published to a well-known public repository such as PyPi. The configuration has been updated to only install components built by Antilles, removing all other public package indexes. Additionally, the antilles-tools dependency has been published to PyPi. Antilles An uncontrolled search path element vulnerability exists in open source software.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state",
"sources": [
{
"db": "NVD",
"id": "CVE-2021-3840"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-015128"
},
{
"db": "VULHUB",
"id": "VHN-400035"
}
],
"trust": 1.71
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2021-3840",
"trust": 3.3
},
{
"db": "JVNDB",
"id": "JVNDB-2021-015128",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-202111-1181",
"trust": 0.6
},
{
"db": "VULHUB",
"id": "VHN-400035",
"trust": 0.1
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-400035"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-015128"
},
{
"db": "CNNVD",
"id": "CNNVD-202111-1181"
},
{
"db": "NVD",
"id": "CVE-2021-3840"
}
]
},
"id": "VAR-202111-0617",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VULHUB",
"id": "VHN-400035"
}
],
"trust": 0.01
},
"last_update_date": "2024-11-23T22:47:37.449000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "Antilles\u00a0Dependency\u00a0Confusion\u00a0Vulnerability",
"trust": 0.8,
"url": "https://github.com/lenovo/Antilles/security/advisories/GHSA-hgc3-hp6x-wpgx"
},
{
"title": "Antilles Fixes for code issue vulnerabilities",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=170338"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2021-015128"
},
{
"db": "CNNVD",
"id": "CNNVD-202111-1181"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-427",
"trust": 1.1
},
{
"problemtype": "Uncontrolled search path elements (CWE-427) [NVD evaluation ]",
"trust": 0.8
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-400035"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-015128"
},
{
"db": "NVD",
"id": "CVE-2021-3840"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 1.7,
"url": "https://github.com/lenovo/antilles/security/advisories/ghsa-hgc3-hp6x-wpgx"
},
{
"trust": 1.4,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-3840"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-400035"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-015128"
},
{
"db": "CNNVD",
"id": "CNNVD-202111-1181"
},
{
"db": "NVD",
"id": "CVE-2021-3840"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "VULHUB",
"id": "VHN-400035"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-015128"
},
{
"db": "CNNVD",
"id": "CNNVD-202111-1181"
},
{
"db": "NVD",
"id": "CVE-2021-3840"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2021-11-12T00:00:00",
"db": "VULHUB",
"id": "VHN-400035"
},
{
"date": "2022-11-10T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2021-015128"
},
{
"date": "2021-11-12T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202111-1181"
},
{
"date": "2021-11-12T22:15:08.527000",
"db": "NVD",
"id": "CVE-2021-3840"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2021-11-17T00:00:00",
"db": "VULHUB",
"id": "VHN-400035"
},
{
"date": "2022-11-10T02:28:00",
"db": "JVNDB",
"id": "JVNDB-2021-015128"
},
{
"date": "2021-11-23T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202111-1181"
},
{
"date": "2024-11-21T06:22:36.553000",
"db": "NVD",
"id": "CVE-2021-3840"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202111-1181"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Antilles\u00a0 Uncontrolled Search Path Element Vulnerability in Open Source Software",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2021-015128"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "code problem",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202111-1181"
}
],
"trust": 0.6
}
}
CVE-2021-3840 (GCVE-0-2021-3840)
Vulnerability from nvd – Published: 2021-11-12 22:05 – Updated: 2024-08-03 17:09
VLAI?
Summary
A dependency confusion vulnerability was reported in the Antilles open-source software prior to version 1.0.1 that could allow for remote code execution during installation due to a package listed in requirements.txt not existing in the public package index (PyPi). MITRE classifies this weakness as an Uncontrolled Search Path Element (CWE-427) in which a private package dependency may be replaced by an unauthorized package of the same name published to a well-known public repository such as PyPi. The configuration has been updated to only install components built by Antilles, removing all other public package indexes. Additionally, the antilles-tools dependency has been published to PyPi.
Severity ?
8.8 (High)
CWE
- CWE-427 - Uncontrolled Search Path Element
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Credits
The Antilles team thanks Kotko Vladyslav for reporting this issue.
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T17:09:09.548Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/lenovo/Antilles/security/advisories/GHSA-hgc3-hp6x-wpgx"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Antilles",
"vendor": "Antilles",
"versions": [
{
"lessThan": "1.0.1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "The Antilles team thanks Kotko Vladyslav for reporting this issue."
}
],
"descriptions": [
{
"lang": "en",
"value": "A dependency confusion vulnerability was reported in the Antilles open-source software prior to version 1.0.1 that could allow for remote code execution during installation due to a package listed in requirements.txt not existing in the public package index (PyPi). MITRE classifies this weakness as an Uncontrolled Search Path Element (CWE-427) in which a private package dependency may be replaced by an unauthorized package of the same name published to a well-known public repository such as PyPi. The configuration has been updated to only install components built by Antilles, removing all other public package indexes. Additionally, the antilles-tools dependency has been published to PyPi."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-427",
"description": "CWE-427 Uncontrolled Search Path Element",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-11-12T22:05:54",
"orgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b",
"shortName": "lenovo"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/lenovo/Antilles/security/advisories/GHSA-hgc3-hp6x-wpgx"
}
],
"solutions": [
{
"lang": "en",
"value": "Remove previous versions of Antilles as a precautionary measure and Update to version 1.0.1 or later."
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@lenovo.com",
"ID": "CVE-2021-3840",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Antilles",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "1.0.1"
}
]
}
}
]
},
"vendor_name": "Antilles"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "The Antilles team thanks Kotko Vladyslav for reporting this issue."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A dependency confusion vulnerability was reported in the Antilles open-source software prior to version 1.0.1 that could allow for remote code execution during installation due to a package listed in requirements.txt not existing in the public package index (PyPi). MITRE classifies this weakness as an Uncontrolled Search Path Element (CWE-427) in which a private package dependency may be replaced by an unauthorized package of the same name published to a well-known public repository such as PyPi. The configuration has been updated to only install components built by Antilles, removing all other public package indexes. Additionally, the antilles-tools dependency has been published to PyPi."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-427 Uncontrolled Search Path Element"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/lenovo/Antilles/security/advisories/GHSA-hgc3-hp6x-wpgx",
"refsource": "MISC",
"url": "https://github.com/lenovo/Antilles/security/advisories/GHSA-hgc3-hp6x-wpgx"
}
]
},
"solution": [
{
"lang": "en",
"value": "Remove previous versions of Antilles as a precautionary measure and Update to version 1.0.1 or later."
}
],
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b",
"assignerShortName": "lenovo",
"cveId": "CVE-2021-3840",
"datePublished": "2021-11-12T22:05:54",
"dateReserved": "2021-09-29T00:00:00",
"dateUpdated": "2024-08-03T17:09:09.548Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-3840 (GCVE-0-2021-3840)
Vulnerability from cvelistv5 – Published: 2021-11-12 22:05 – Updated: 2024-08-03 17:09
VLAI?
Summary
A dependency confusion vulnerability was reported in the Antilles open-source software prior to version 1.0.1 that could allow for remote code execution during installation due to a package listed in requirements.txt not existing in the public package index (PyPi). MITRE classifies this weakness as an Uncontrolled Search Path Element (CWE-427) in which a private package dependency may be replaced by an unauthorized package of the same name published to a well-known public repository such as PyPi. The configuration has been updated to only install components built by Antilles, removing all other public package indexes. Additionally, the antilles-tools dependency has been published to PyPi.
Severity ?
8.8 (High)
CWE
- CWE-427 - Uncontrolled Search Path Element
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Credits
The Antilles team thanks Kotko Vladyslav for reporting this issue.
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T17:09:09.548Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/lenovo/Antilles/security/advisories/GHSA-hgc3-hp6x-wpgx"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Antilles",
"vendor": "Antilles",
"versions": [
{
"lessThan": "1.0.1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "The Antilles team thanks Kotko Vladyslav for reporting this issue."
}
],
"descriptions": [
{
"lang": "en",
"value": "A dependency confusion vulnerability was reported in the Antilles open-source software prior to version 1.0.1 that could allow for remote code execution during installation due to a package listed in requirements.txt not existing in the public package index (PyPi). MITRE classifies this weakness as an Uncontrolled Search Path Element (CWE-427) in which a private package dependency may be replaced by an unauthorized package of the same name published to a well-known public repository such as PyPi. The configuration has been updated to only install components built by Antilles, removing all other public package indexes. Additionally, the antilles-tools dependency has been published to PyPi."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-427",
"description": "CWE-427 Uncontrolled Search Path Element",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-11-12T22:05:54",
"orgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b",
"shortName": "lenovo"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/lenovo/Antilles/security/advisories/GHSA-hgc3-hp6x-wpgx"
}
],
"solutions": [
{
"lang": "en",
"value": "Remove previous versions of Antilles as a precautionary measure and Update to version 1.0.1 or later."
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@lenovo.com",
"ID": "CVE-2021-3840",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Antilles",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "1.0.1"
}
]
}
}
]
},
"vendor_name": "Antilles"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "The Antilles team thanks Kotko Vladyslav for reporting this issue."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A dependency confusion vulnerability was reported in the Antilles open-source software prior to version 1.0.1 that could allow for remote code execution during installation due to a package listed in requirements.txt not existing in the public package index (PyPi). MITRE classifies this weakness as an Uncontrolled Search Path Element (CWE-427) in which a private package dependency may be replaced by an unauthorized package of the same name published to a well-known public repository such as PyPi. The configuration has been updated to only install components built by Antilles, removing all other public package indexes. Additionally, the antilles-tools dependency has been published to PyPi."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-427 Uncontrolled Search Path Element"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/lenovo/Antilles/security/advisories/GHSA-hgc3-hp6x-wpgx",
"refsource": "MISC",
"url": "https://github.com/lenovo/Antilles/security/advisories/GHSA-hgc3-hp6x-wpgx"
}
]
},
"solution": [
{
"lang": "en",
"value": "Remove previous versions of Antilles as a precautionary measure and Update to version 1.0.1 or later."
}
],
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b",
"assignerShortName": "lenovo",
"cveId": "CVE-2021-3840",
"datePublished": "2021-11-12T22:05:54",
"dateReserved": "2021-09-29T00:00:00",
"dateUpdated": "2024-08-03T17:09:09.548Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}