CVE-2021-36348 : iDRAC9 versions prior to 5.00.20.00 contain an input injection vulnerability. A

iDRAC9 versions prior to 5.00.20.00 contain an input injection vulnerability. A remote authenticated malicious user with low privileges may potentially exploit this vulnerability to cause information disclosure or denial of service by supplying specially crafted input data to iDRAC.

Published 2022-01-25 23:15:09

Updated 2022-01-31 21:34:03

Source Dell

View at NVD, CVE.org

Vulnerability category: Sql InjectionDenial of serviceInformation leak

Products affected by CVE-2021-36348

Dell » Integrated Dell Remote Access Controller 9 Firmware
Versions before (<) 5.00.20.00
cpe:2.3:o:dell:integrated_dell_remote_access_controller_9_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Dell » Integrated Dell Remote Access Controller 9 » Version: N/A

Exploit prediction scoring system (EPSS) score for CVE-2021-36348

EPSS FAQ

0.24%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 44 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2021-36348

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
5.5	MEDIUM	AV:N/AC:L/Au:S/C:P/I:N/A:P	8.0	4.9	NIST
Access Vector: Network Access Complexity: Low Authentication: Single Confidentiality Impact: Partial Integrity Impact: None Availability Impact: Partial
5.9	MEDIUM	CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:L	1.6	4.2	Dell
Attack Vector: Network Attack Complexity: High Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: None Availability: Low
8.1	HIGH	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H	2.8	5.2	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: None Availability: High

CWE ids for CVE-2021-36348

CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

Assigned by: nvd@nist.gov (Primary)
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Assigned by: security_alert@emc.com (Secondary)

References for CVE-2021-36348

https://www.dell.com/support/kbdoc/000194038

DSA-2021-259: Dell EMC iDRAC Security Update for Multiple Security Vulnerabilities | Dell Nederland
Vendor Advisory

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2021-36348

Products affected by CVE-2021-36348

Exploit prediction scoring system (EPSS) score for CVE-2021-36348

CVSS scores for CVE-2021-36348

CWE ids for CVE-2021-36348

References for CVE-2021-36348