CVE-2021-38120 : A vulnerability identified in Advance Authentication that allows bash command In

A vulnerability identified in Advance Authentication that allows bash command Injection in administrative controlled functionality of backup due to improper handling in provided command parameters. This issue affects NetIQ Advance Authentication version before 6.3.5.1.

Published 2024-08-28 06:28:56

Updated 2024-09-13 18:04:29

Source OpenText

View at NVD, CVE.org

Products affected by CVE-2021-38120

Microfocus » Netiq Advanced Authentication
Versions before (<) 6.3.5.1
cpe:2.3:a:microfocus:netiq_advanced_authentication:*:*:*:*:*:*:*:*
Matching versions
Microfocus » Netiq Advanced Authentication
Versions before (<) 6.3
cpe:2.3:a:microfocus:netiq_advanced_authentication:*:*:*:*:*:*:*:*
Matching versions
Microfocus » Netiq Advanced Authentication » Version: 6.3
cpe:2.3:a:microfocus:netiq_advanced_authentication:6.3:-:*:*:*:*:*:*
Matching versions
Microfocus » Netiq Advanced Authentication » Version: 6.3 Update SP1
cpe:2.3:a:microfocus:netiq_advanced_authentication:6.3:sp1:*:*:*:*:*:*
Matching versions
Microfocus » Netiq Advanced Authentication » Version: 6.3 Update SP2
cpe:2.3:a:microfocus:netiq_advanced_authentication:6.3:sp2:*:*:*:*:*:*
Matching versions
Microfocus » Netiq Advanced Authentication » Version: 6.3 Update SP3
cpe:2.3:a:microfocus:netiq_advanced_authentication:6.3:sp3:*:*:*:*:*:*
Matching versions
Microfocus » Netiq Advanced Authentication » Version: 6.3 Update SP4
cpe:2.3:a:microfocus:netiq_advanced_authentication:6.3:sp4:*:*:*:*:*:*
Matching versions
Microfocus » Netiq Advanced Authentication » Version: 6.3 Update Sp4 Patch1
cpe:2.3:a:microfocus:netiq_advanced_authentication:6.3:sp4_patch1:*:*:*:*:*:*
Matching versions
Microfocus » Netiq Advanced Authentication » Version: 6.3 Update SP5
cpe:2.3:a:microfocus:netiq_advanced_authentication:6.3:sp5:*:*:*:*:*:*
Matching versions
Opentext » Netiq Advanced Authentication
Versions before (<) 6.3.5.1
cpe:2.3:a:opentext:netiq_advanced_authentication:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2021-38120

EPSS FAQ

0.15%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 37 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2021-38120

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
5.1	MEDIUM	CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:H/A:L	N/A	N/A	OpenText	2024-08-28
Attack Vector: Local Attack Complexity: High Privileges Required: High User Interaction: Required Scope: Unchanged Confidentiality: Low Integrity: High Availability: Low
7.2	HIGH	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H	1.2	5.9	NIST	2024-09-12
Attack Vector: Network Attack Complexity: Low Privileges Required: High User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High
5.1	MEDIUM	CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:H/A:L	0.3	4.7	OpenText	2024-08-28
Attack Vector: Local Attack Complexity: High Privileges Required: High User Interaction: Required Scope: Unchanged Confidentiality: Low Integrity: High Availability: Low

CWE ids for CVE-2021-38120

CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
Assigned by:
- f81092c5-7f14-476d-80dc-24857f90be84 (Primary)
- nvd@nist.gov (Primary)
- security@opentext.com (Secondary)

References for CVE-2021-38120

https://www.netiq.com/documentation/advanced-authentication-63/advanced-authentication-releasenotes-6351/data/advanced-authentication-releasenotes-6351.html

Advanced Authentication 6.3 Service Pack 5 Patch 1 Release Notes
Release Notes

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2021-38120

Products affected by CVE-2021-38120

Exploit prediction scoring system (EPSS) score for CVE-2021-38120

CVSS scores for CVE-2021-38120

CWE ids for CVE-2021-38120

References for CVE-2021-38120