CVE-2024-21860 - Vulnerability Details - OpenCVE

in OpenHarmony v4.0.0 and prior versions allow an adjacent attacker arbitrary code execution in any apps through use after free.

No CVSS v4.0

Attack Vector Adjacent Network

Attack Complexity High

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact total

Vendors	Products
Openatom	Openharmony

Configuration 1 [-]

OR	cpe:2.3:o:openatom:openharmony:::::-:::*
	cpe:2.3:o:openatom:openharmony:4.0::::-:::

No data.

References

Link	Providers
https://gitee.com/openharmony/security/blob/master/zh/security-disclosure/2024/2024-02.md

History

Fri, 08 Nov 2024 16:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Mon, 09 Sep 2024 12:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Openatom Openatom openharmony
CPEs	cpe:2.3:a:openharmony:openharmony:::::-:::* cpe:2.3:a:openharmony:openharmony:4.0::::-:::	cpe:2.3:o:openatom:openharmony:::::-:::* cpe:2.3:o:openatom:openharmony:4.0::::-:::
Vendors & Products	Openharmony Openharmony openharmony	Openatom Openatom openharmony

MITRE

Status: PUBLISHED

Assigner: OpenHarmony

Published: 2024-02-02T06:18:55.540Z

Updated: 2024-11-08T15:38:33.808Z

Reserved: 2024-01-06T11:01:00.629Z

Link: CVE-2024-21860

Vulnrichment

Updated: 2024-08-01T22:27:36.302Z

NVD

Status : Modified

Published: 2024-02-02T07:15:11.530

Modified: 2024-11-21T08:55:07.907

Link: CVE-2024-21860

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-21860", "assignerOrgId": "0cf5dd6e-1214-4398-a481-30441e48fafd", "state": "PUBLISHED", "assignerShortName": "OpenHarmony", "dateReserved": "2024-01-06T11:01:00.629Z", "datePublished": "2024-02-02T06:18:55.540Z", "dateUpdated": "2024-11-08T15:38:33.808Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "OpenHarmony", "vendor": "OpenHarmony", "versions": [{"lessThanOrEqual": "v3.2.4", "status": "affected", "version": "v3.2.0", "versionType": "custom"}, {"lessThan": "v4.0.1", "status": "affected", "version": "v4.0.0", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\n\nin OpenHarmony v4.0.0 and prior versions\n\nallow an adjacent attacker arbitrary code execution in any apps through use after free."}], "value": "\nin OpenHarmony v4.0.0 and prior versions\n\nallow an adjacent attacker arbitrary code execution in any apps through use after free."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "LOW", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-416", "description": "CWE-416 Use After Free", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "0cf5dd6e-1214-4398-a481-30441e48fafd", "shortName": "OpenHarmony", "dateUpdated": "2024-02-02T06:18:55.540Z"}, "references": [{"url": "https://gitee.com/openharmony/security/blob/master/zh/security-disclosure/2024/2024-02.md"}], "source": {"discovery": "UNKNOWN"}, "title": "Dsoftbus has a use after free vulnerability", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T22:27:36.302Z"}, "title": "CVE Program Container", "references": [{"url": "https://gitee.com/openharmony/security/blob/master/zh/security-disclosure/2024/2024-02.md", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-02-05T21:03:38.565314Z", "id": "CVE-2024-21860", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-08T15:38:33.808Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://gitee.com/openharmony/security/blob/master/zh/security-disclosure/2024/2024-02.md", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T22:27:36.302Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-21860", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-02-05T21:03:38.565314Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-08T15:38:28.755Z"}}], "cna": {"title": "Dsoftbus has a use after free vulnerability", "source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.2, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "OpenHarmony", "product": "OpenHarmony", "versions": [{"status": "affected", "version": "v3.2.0", "versionType": "custom", "lessThanOrEqual": "v3.2.4"}, {"status": "affected", "version": "v4.0.0", "lessThan": "v4.0.1", "versionType": "custom"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://gitee.com/openharmony/security/blob/master/zh/security-disclosure/2024/2024-02.md"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "\nin OpenHarmony v4.0.0 and prior versions\n\nallow an adjacent attacker arbitrary code execution in any apps through use after free.", "supportingMedia": [{"type": "text/html", "value": "\n\nin OpenHarmony v4.0.0 and prior versions\n\nallow an adjacent attacker arbitrary code execution in any apps through use after free.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-416", "description": "CWE-416 Use After Free"}]}], "providerMetadata": {"orgId": "0cf5dd6e-1214-4398-a481-30441e48fafd", "shortName": "OpenHarmony", "dateUpdated": "2024-02-02T06:18:55.540Z"}}}, "cveMetadata": {"cveId": "CVE-2024-21860", "state": "PUBLISHED", "dateUpdated": "2024-11-08T15:38:33.808Z", "dateReserved": "2024-01-06T11:01:00.629Z", "assignerOrgId": "0cf5dd6e-1214-4398-a481-30441e48fafd", "datePublished": "2024-02-02T06:18:55.540Z", "assignerShortName": "OpenHarmony"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:openatom:openharmony:*:*:*:*:-:*:*:*", "matchCriteriaId": "9BB7FE14-3FB6-402C-9F39-EA560E4DC12C", "versionEndIncluding": "3.2.4", "versionStartIncluding": "3.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:o:openatom:openharmony:4.0:*:*:*:-:*:*:*", "matchCriteriaId": "1E7BF175-F661-43C6-951C-E6F5D62374B2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "\nin OpenHarmony v4.0.0 and prior versions\n\nallow an adjacent attacker arbitrary code execution in any apps through use after free."}, {"lang": "es", "value": "Las versiones de OpenHarmony v4.0.0 y versiones anteriores permiten que un atacante adyacente ejecute c\u00f3digo arbitrario en cualquier aplicaci\u00f3n mediante un use after free."}], "id": "CVE-2024-21860", "lastModified": "2024-11-21T08:55:07.907", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "LOW", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 6.0, "source": "scy@openharmony.io", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-02-02T07:15:11.530", "references": [{"source": "scy@openharmony.io", "tags": ["Third Party Advisory"], "url": "https://gitee.com/openharmony/security/blob/master/zh/security-disclosure/2024/2024-02.md"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://gitee.com/openharmony/security/blob/master/zh/security-disclosure/2024/2024-02.md"}], "sourceIdentifier": "scy@openharmony.io", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "scy@openharmony.io", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-416"}], "source": "nvd@nist.gov", "type": "Primary"}]}