CVE-2021-29873 : IBM Flash System 900 could allow an authenticated attacker to obtain sensitive information and cause a denial of service

IBM Flash System 900 could allow an authenticated attacker to obtain sensitive information and cause a denial of service due to a restricted shell escape vulnerability. IBM X-Force ID: 206229.

Published 2021-10-21 17:15:08

Updated 2022-07-12 17:42:04

Source IBM Corporation

View at NVD, CVE.org

Vulnerability category: Denial of service

Exploit prediction scoring system (EPSS) score for CVE-2021-29873

Probability of exploitation activity in the next 30 days: 0.12%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 46 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2021-29873

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
5.5	MEDIUM	AV:N/AC:L/Au:S/C:P/I:N/A:P	8.0	4.9	NIST
Access Vector: Network Access Complexity: Low Authentication: Single Confidentiality Impact: Partial Integrity Impact: None Availability Impact: Partial
8.8	HIGH	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	2.8	5.9	IBM Corporation
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High
8.1	HIGH	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H	2.8	5.2	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: None Availability: High

References for CVE-2021-29873

https://www.ibm.com/support/pages/node/6497111

Security Bulletin: Vulnerability in sed affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem V9000 products
Patch;Vendor Advisory
https://www.ibm.com/support/pages/node/6507091

Security Bulletin: A vulnerability exists in the restricted shell of the IBM FlashSystem 900
Patch;Vendor Advisory
https://exchange.xforce.ibmcloud.com/vulnerabilities/206229

IBM Flash System 900 privilege escalation CVE-2021-29873 Vulnerability Report
VDB Entry;Vendor Advisory

Products affected by CVE-2021-29873

IBM » Storwize V7000 Software
Versions from including (>=) 7.8.0.0 and before (<) 8.4.0.0
cpe:2.3:a:ibm:storwize_v7000_software:*:*:*:*:*:*:*:*
Matching versions
IBM » Storwize V3700 Software
Versions from including (>=) 7.8.0.0 and before (<) 8.4.0.0
cpe:2.3:a:ibm:storwize_v3700_software:*:*:*:*:*:*:*:*
Matching versions
IBM » Storwize V3500 Software
Versions from including (>=) 7.8.0.0 and before (<) 8.4.0.0
cpe:2.3:a:ibm:storwize_v3500_software:*:*:*:*:*:*:*:*
Matching versions
IBM » Storwize V5000 Software
Versions from including (>=) 7.8.0.0 and before (<) 8.4.0.0
cpe:2.3:a:ibm:storwize_v5000_software:*:*:*:*:*:*:*:*
Matching versions
IBM » San Volume Controller Firmware
Versions from including (>=) 7.8.0.0 and before (<) 8.4.0.0
cpe:2.3:o:ibm:san_volume_controller_firmware:*:*:*:*:*:*:*:*
Matching versions
IBM » Spectrum Virtualize
Versions from including (>=) 7.8.0.0 and before (<) 8.4.0.0
cpe:2.3:a:ibm:spectrum_virtualize:*:*:*:*:*:*:*:*
Matching versions
IBM » Spectrum Virtualize For Public Cloud
Versions from including (>=) 7.8.0.0 and before (<) 8.4.0.0
cpe:2.3:a:ibm:spectrum_virtualize_for_public_cloud:*:*:*:*:*:*:*:*
Matching versions
IBM » Flashsystem 9100 Firmware
Versions from including (>=) 7.8.0.0 and before (<) 8.4.0.0
cpe:2.3:o:ibm:flashsystem_9100_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: IBM » Flashsystem 9100 » Version: N/A
IBM » Flashsystem 9000 Firmware
Versions from including (>=) 7.8.0.0 and before (<) 8.4.0.0
cpe:2.3:o:ibm:flashsystem_9000_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: IBM » Flashsystem 9000 » Version: N/A
IBM » Storwize V5100 Software
Versions from including (>=) 7.8.0.0 and before (<) 8.4.0.0
cpe:2.3:a:ibm:storwize_v5100_software:*:*:*:*:*:*:*:*
Matching versions

Vulnerability Details : CVE-2021-29873

Exploit prediction scoring system (EPSS) score for CVE-2021-29873

CVSS scores for CVE-2021-29873

References for CVE-2021-29873

Products affected by CVE-2021-29873