From 03ffaa67799bef96d7a448b884ade935083da725 Mon Sep 17 00:00:00 2001
From: DellEMCProductSecurity
Date: Fri, 1 Oct 2021 15:24:58 -0400
Subject: [PATCH] Added 2 CVEs
---
 2021/36xxx/CVE-2021-36298.json | 71 +++++++++++++++++++++++++++++-----
 2021/36xxx/CVE-2021-36309.json | 71 +++++++++++++++++++++++++++++-----
 2 files changed, 124 insertions(+), 18 deletions(-)
diff --git a/2021/36xxx/CVE-2021-36298.json b/2021/36xxx/CVE-2021-36298.json
index 725614368db..d2dd96ee179 100644
--- a/2021/36xxx/CVE-2021-36298.json
+++ b/2021/36xxx/CVE-2021-36298.json
@@ -1,17 +1,70 @@
 {
- "data_type": "CVE",
- "data_format": "MITRE",
- "data_version": "4.0",
 "CVE_data_meta": {
- "ID": "CVE-2021-36298",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
- },
+ "ASSIGNER": "secure@dell.com",
+ "DATE_PUBLIC": "2021-09-17",
+ "ID": "CVE-2021-36298",
+ "STATE": "PUBLIC"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "Isilon InsightIQ",
+ "version": {
+ "version_data": [
+ {
+ "version_affected": "<",
+ "version_value": "4.1.4"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "Dell"
+ }
+ ]
+ }
+ },
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
 "description": {
 "description_data": [
 {
- "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "lang": "eng",
+ "value": "Dell EMC InsightIQ, versions prior to 4.1.4, contain risky cryptographic algorithms in the SSH component. A remote unauthenticated attacker could potentially exploit this vulnerability leading to authentication bypass and remote takeover of the InsightIQ. This allows an attacker to take complete control of InsightIQ to affect services provided by SSH; so Dell recommends customers to upgrade at the earliest opportunity."
+ }
+ ]
+ },
+ "impact": {
+ "cvss": {
+ "baseScore": 8.1,
+ "baseSeverity": "High",
+ "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
+ "version": "3.1"
+ }
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "refsource": "CONFIRM",
+ "url": "https://www.dell.com/support/kbdoc/000191604"
 }
 ]
 }
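Review bot: The added `impact.cvss` block writes `"baseSeverity": "High"` in mixed case, whereas the CVSS v3.1 JSON schema defines the severity rating as an upper-case enum, so consumers that validate against that schema or compare the string exactly may not recognise it; `"baseSeverity": "HIGH"` is the safer spelling. The same value appears in the CVE-2021-36309.json hunk. In this record the `product_name` is "Isilon InsightIQ" while the description names "Dell EMC InsightIQ"; aligning the two would help tooling that matches affected products by name. The description also does not say which SSH algorithms are affected, so a defender cannot check a host's configuration from the record alone and has to rely on the linked advisory.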
diff --git a/2021/36xxx/CVE-2021-36309.json b/2021/36xxx/CVE-2021-36309.json
index 3c930729476..14b8c5e3c08 100644
--- a/2021/36xxx/CVE-2021-36309.json
+++ b/2021/36xxx/CVE-2021-36309.json
@@ -1,17 +1,70 @@
 {
- "data_type": "CVE",
- "data_format": "MITRE",
- "data_version": "4.0",
 "CVE_data_meta": {
- "ID": "CVE-2021-36309",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
- },
+ "ASSIGNER": "secure@dell.com",
+ "DATE_PUBLIC": "2021-09-17",
+ "ID": "CVE-2021-36309",
+ "STATE": "PUBLIC"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "Enterprise SONiC OS",
+ "version": {
+ "version_data": [
+ {
+ "version_affected": "<",
+ "version_value": "3.4.0"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "Dell"
+ }
+ ]
+ }
+ },
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
 "description": {
 "description_data": [
 {
- "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "lang": "eng",
+ "value": "Dell Enterprise SONiC OS, versions 3.3.0 and earlier, contains a sensitive information disclosure vulnerability. An authenticated malicious user with access to the system may use the TACACS\\Radius credentials stored to read sensitive information and use it in further attacks."
+ }
+ ]
+ },
+ "impact": {
+ "cvss": {
+ "baseScore": 7.1,
+ "baseSeverity": "High",
+ "vectorString": "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
+ "version": "3.1"
+ }
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-256: Unprotected Storage of Credentials"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "refsource": "CONFIRM",
+ "url": "https://www.dell.com/support/kbdoc/en-us/000191690/DSA-2021-190-Dell-Enterprise-SONiC-OS-Security-Update-for-an-information-disclosure-Vulnerability"
 }
 ]
 }
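Review bot: The affected range and the description disagree: `affects` declares `"version_affected": "<"` with `"version_value": "3.4.0"`, while the description says "versions 3.3.0 and earlier", so any release between 3.3.0 and 3.4.0, if one exists, is affected under one reading and not the other. Scanners that key on the structured field and readers who follow the text would then reach different patch decisions. Either use `"version_affected": "<="` with `"version_value": "3.3.0"`, or reword the description to "versions prior to 3.4.0", whichever matches the linked advisory. Separately, `TACACS\\Radius` decodes to a literal backslash between the two protocol names; a forward slash is presumably what was meant. The vector also rates I:H/A:H for what the text describes only as information disclosure, so a sentence on the follow-on impact of the exposed credentials would make the score easier to audit.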