FKIE_CVE-2021-37130

Vulnerability from fkie_nvd - Published: 2021-10-27 01:15 - Updated: 2026-06-17 04:00
Summary
There is a path traversal vulnerability in Huawei FusionCube 6.0.2.The vulnerability is due to that the software uses external input to construct a pathname that is intended to identify a directory that is located underneath a restricted parent directory, but the software does not properly validate the pathname. Successful exploit could allow the attacker to access a location that is outside of the restricted directory by a crafted filename.
Impacted products
Vendor Product Version
huawei fusioncube_firmware 6.0.2
huawei fusioncube -

{
  "affected": [
    {
      "affectedData": [
        {
          "product": "FusionCube",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "6.0.2"
            }
          ]
        }
      ],
      "source": "psirt@huawei.com"
    }
  ],
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:huawei:fusioncube_firmware:6.0.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "A7AD0E47-B3D2-4709-8E4E-80953C367024",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:huawei:fusioncube:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "24308A28-1E42-4C3F-9DC0-D5EC98BF2867",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "There is a path traversal vulnerability in Huawei FusionCube 6.0.2.The vulnerability is due to that the software uses external input to construct a pathname that is intended to identify a directory that is located underneath a restricted parent directory, but the software does not properly validate the pathname. Successful exploit could allow the attacker to access a location that is outside of the restricted directory by a crafted filename."
    },
    {
      "lang": "es",
      "value": "Se presenta una vulnerabilidad de salto de ruta en FusionCube versi\u00f3n 6.0.2 de Huawei. La vulnerabilidad es debido a que el software usa una entrada externa para construir un nombre de ruta que pretende identificar un directorio que se encuentra debajo de un directorio principal restringido, pero el software no comprueba apropiadamente el nombre de ruta. Una explotaci\u00f3n con \u00e9xito podr\u00eda permitir al atacante acceder a una ubicaci\u00f3n que est\u00e1 fuera del directorio restringido mediante un nombre de archivo dise\u00f1ado"
    }
  ],
  "id": "CVE-2021-37130",
  "lastModified": "2026-06-17T04:00:06.607",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 5.0,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2021-10-27T01:15:07.810",
  "references": [
    {
      "source": "psirt@huawei.com",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20211020-01-pathtraversal-en"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20211020-01-pathtraversal-en"
    }
  ],
  "sourceIdentifier": "psirt@huawei.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-22"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…