SB2021011803 - Multiple vulnerabilities in Huawei ManageOne

Description

This security bulletin contains information about 3 secuirty vulnerabilities.

1) Input validation error (CVE-ID: CVE-2021-22298)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a logic issue in Huawei Gauss100 OLTP Product. A remote authenticated attacker can perform specific SQL statement and cause service abnormal.

2) CSV Injection (CVE-ID: CVE-2020-9205)

The vulnerability allows a remote user to inject arbitrary code into CSV files.

The vulnerability exists due to improper input validation. A remote administrator can inject arbitrary code into a CSV file.

3) Incorrect Privilege Assignment (CVE-ID: CVE-2021-22311)

The vulnerability allows a remote user to escalate privileges on the system.

The vulnerability exists due to incorrect privilege assignment. A remote administrator can perform certain operations on the target system.

Remediation

Install update from vendor's website.

References

• https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20210113-01-gauss-en
• https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20210127-01-csvinjection-en
• https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20210203-01-manageone-en