CVE-2021-29281 - Vulnerability Details - OpenCVE

File upload vulnerability in GFI Mail Archiver versions up to and including 15.1 via insecure implementation of Telerik Web UI plugin which is affected by CVE-2014-2217, and CVE-2017-11317.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Gfi	Archiver

Configuration 1 [-]

cpe:2.3:a:gfi:archiver:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://aminbohio.com/gfi-mail-archiver-15-1-telerik-ui-component-arbitrary-file-upload-unauthenticated-exploit/
https://cwe.mitre.org/data/definitions/434.html
https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload
https://www.exploit-db.com/exploits/50181
https://www.gfi.com/products-and-solutions/network-security-solutions/gfi-archiver

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2022-07-07T19:38:54

Updated: 2024-08-03T22:02:51.701Z

Reserved: 2021-03-29T00:00:00

Link: CVE-2021-29281

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-07-07T21:15:09.797

Modified: 2024-11-21T06:00:55.820

Link: CVE-2021-29281

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "File upload vulnerability in GFI Mail Archiver versions up to and including 15.1 via insecure implementation of Telerik Web UI plugin which is affected by CVE-2014-2217, and CVE-2017-11317."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-07-07T19:51:03", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://cwe.mitre.org/data/definitions/434.html"}, {"tags": ["x_refsource_MISC"], "url": "https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload"}, {"tags": ["x_refsource_MISC"], "url": "https://www.gfi.com/products-and-solutions/network-security-solutions/gfi-archiver"}, {"tags": ["x_refsource_MISC"], "url": "https://aminbohio.com/gfi-mail-archiver-15-1-telerik-ui-component-arbitrary-file-upload-unauthenticated-exploit/"}, {"tags": ["x_refsource_MISC"], "url": "https://www.exploit-db.com/exploits/50181"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2021-29281", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "File upload vulnerability in GFI Mail Archiver versions up to and including 15.1 via insecure implementation of Telerik Web UI plugin which is affected by CVE-2014-2217, and CVE-2017-11317."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://cwe.mitre.org/data/definitions/434.html", "refsource": "MISC", "url": "https://cwe.mitre.org/data/definitions/434.html"}, {"name": "https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload", "refsource": "MISC", "url": "https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload"}, {"name": "https://www.gfi.com/products-and-solutions/network-security-solutions/gfi-archiver", "refsource": "MISC", "url": "https://www.gfi.com/products-and-solutions/network-security-solutions/gfi-archiver"}, {"name": "https://aminbohio.com/gfi-mail-archiver-15-1-telerik-ui-component-arbitrary-file-upload-unauthenticated-exploit/", "refsource": "MISC", "url": "https://aminbohio.com/gfi-mail-archiver-15-1-telerik-ui-component-arbitrary-file-upload-unauthenticated-exploit/"}, {"name": "https://www.exploit-db.com/exploits/50181", "refsource": "MISC", "url": "https://www.exploit-db.com/exploits/50181"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T22:02:51.701Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://cwe.mitre.org/data/definitions/434.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.gfi.com/products-and-solutions/network-security-solutions/gfi-archiver"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://aminbohio.com/gfi-mail-archiver-15-1-telerik-ui-component-arbitrary-file-upload-unauthenticated-exploit/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.exploit-db.com/exploits/50181"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-29281", "datePublished": "2022-07-07T19:38:54", "dateReserved": "2021-03-29T00:00:00", "dateUpdated": "2024-08-03T22:02:51.701Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gfi:archiver:*:*:*:*:*:*:*:*", "matchCriteriaId": "31909790-5A84-4F63-A326-0D16CB3A524A", "versionEndExcluding": "15.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "File upload vulnerability in GFI Mail Archiver versions up to and including 15.1 via insecure implementation of Telerik Web UI plugin which is affected by CVE-2014-2217, and CVE-2017-11317."}, {"lang": "es", "value": "Una vulnerabilidad en la carga de archivos en GFI Mail Archiver versiones hasta 15.1 incluy\u00e9ndola, por medio de una implementaci\u00f3n no segura del plugin Telerik Web UI, que est\u00e1 afectado por CVE-2014-2217, y CVE-2017-11317"}], "id": "CVE-2021-29281", "lastModified": "2024-11-21T06:00:55.820", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-07-07T21:15:09.797", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://aminbohio.com/gfi-mail-archiver-15-1-telerik-ui-component-arbitrary-file-upload-unauthenticated-exploit/"}, {"source": "cve@mitre.org", "tags": ["Technical Description", "Third Party Advisory"], "url": "https://cwe.mitre.org/data/definitions/434.html"}, {"source": "cve@mitre.org", "tags": ["Technical Description", "Third Party Advisory"], "url": "https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "url": "https://www.exploit-db.com/exploits/50181"}, {"source": "cve@mitre.org", "tags": ["Product"], "url": "https://www.gfi.com/products-and-solutions/network-security-solutions/gfi-archiver"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://aminbohio.com/gfi-mail-archiver-15-1-telerik-ui-component-arbitrary-file-upload-unauthenticated-exploit/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Technical Description", "Third Party Advisory"], "url": "https://cwe.mitre.org/data/definitions/434.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Technical Description", "Third Party Advisory"], "url": "https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "url": "https://www.exploit-db.com/exploits/50181"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Product"], "url": "https://www.gfi.com/products-and-solutions/network-security-solutions/gfi-archiver"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-434"}], "source": "nvd@nist.gov", "type": "Primary"}]}