First published: Tue Jul 13 2021
There is a path traversal vulnerability in some Huawei products. The vulnerability exists because the software uses external input to construct a pathname that is intended to identify a file or directory located underneath a restricted parent directory, but does not properly validate that pathname. Successful exploitation could allow an attacker to use a crafted filename to access a location outside of the restricted directory. Affected product versions include: HUAWEI Mate 20 9.0.0.195(C01E195R2P1), 9.1.0.139(C00E133R3P1); HUAWEI Mate 20 Pro 9.0.0.187(C432E10R1P16), 9.0.0.188(C185E10R2P1), 9.0.0.245(C10E10R2P1), 9.0.0.266(C432E10R1P16), 9.0.0.267(C636E10R2P1), 9.0.0.268(C635E12R1P16), 9.0.0.278(C185E10R2P1); Hima-L29C 9.0.0.105(C10E9R1P16), 9.0.0.105(C185E9R1P16), 9.0.0.105(C636E9R1P16); Laya-AL00EP 9.1.0.139(C786E133R3P1); OxfordS-AN00A 10.1.0.223(C00E210R5P1); Tony-AL00B 9.1.0.257(C00E222R2P1).
Credit: psirt@huawei.com
Affected Software | Affected Version | How to fix |
---|---|---|
Huawei Mate 20 Firmware | =9.0.0.195(c01e195r2p1) | |
Huawei Mate 20 Firmware | =9.1.0.139(c00e133r3p1) | |
HUAWEI Mate 20 | | |
Huawei Mate 20 Pro Firmware | =9.0.0.187(c432e10r1p16) | |
Huawei Mate 20 Pro Firmware | =9.0.0.188(c185e10r2p1) | |
Huawei Mate 20 Pro Firmware | =9.0.0.245(c10e10r2p1) | |
Huawei Mate 20 Pro Firmware | =9.0.0.266(c432e10r1p16) | |
Huawei Mate 20 Pro Firmware | =9.0.0.267(c636e10r2p1) | |
Huawei Mate 20 Pro Firmware | =9.0.0.268(c635e12r1p16) | |
Huawei Mate 20 Pro Firmware | =9.0.0.278(c185e10r2p1) | |
HUAWEI Mate 20 Pro | | |
Google Android | =9.0.0.105(c10e9r1p16) | |
Google Android | =9.0.0.105(c185e9r1p16) | |
Google Android | =9.0.0.105(c636e9r1p16) | |
Huawei Hima-l29c | | |
Huawei Laya-al00ep Firmware | =9.1.0.139(c786e133r3p1) | |
Huawei Laya-al00ep | | |
Huawei Oxfords-an00a Firmware | =10.1.0.223(c00e210r5p1) | |
Huawei Oxfords-an00a | | |
Huawei Tony-al00b Firmware | =9.1.0.257(c00e222r2p1) | |
Huawei Tony-al00b | | |
CVE-2021-22440 is a path traversal vulnerability found in some Huawei products.
CVE-2021-22440 occurs because the software uses external input to construct a pathname that is intended to identify a file or directory located underneath a restricted parent directory, but does not properly validate that input before using it.
Some affected Huawei products include Huawei Mate 20 Firmware (version 9.0.0.195(c01e195r2p1) and 9.1.0.139(c00e133r3p1)), Huawei Mate 20 Pro Firmware (versions 9.0.0.187(c432e10r1p16), 9.0.0.188(c185e10r2p1), 9.0.0.245(c10e10r2p1), 9.0.0.266(c432e10r1p16), 9.0.0.267(c636e10r2p1), 9.0.0.268(c635e12r1p16), and 9.0.0.278(c185e10r2p1)), Huawei Hima-l29c (versions 9.0.0.105(c10e9r1p16), 9.0.0.105(c185e9r1p16), and 9.0.0.105(c636e9r1p16)), Huawei Laya-al00ep (version 9.1.0.139(c786e133r3p1)), Huawei Oxfords-an00a (version 10.1.0.223(c00e210r5p1)), and Huawei Tony-al00b (version 9.1.0.257(c00e222r2p1)).
CVE-2021-22440 has a severity keyword of 'medium' and a severity value of 4.6.
To fix CVE-2021-22440, it is recommended to apply the necessary security updates provided by Huawei.
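The validation failure described above is the generic pattern behind path traversal: an externally supplied name is joined onto a restricted parent directory and used as-is. The following added example (not Huawei's code; the `/srv/restricted` base directory and the file names are constructed for illustration) contrasts that join-and-use pattern with a containment check that canonicalises the final path and refuses anything that does not stay under the parent.

```python
"""Containment check for pathnames built from external input (CWE-22).

Contrasts the unvalidated join described in the advisory with a check
that canonicalises the result and verifies it stays inside the restricted
parent directory.  All paths used here are constructed for illustration.
"""
import os


def naive_path(base_dir: str, requested: str) -> str:
    """The vulnerable pattern: join and use, with no validation.

    os.path.join discards base_dir entirely when requested is absolute,
    and '..' components are left for the kernel to walk upward.
    """
    return os.path.join(base_dir, requested)


def contained_path(base_dir: str, requested: str) -> str:
    """Return the canonical path for requested, or raise ValueError.

    Both the parent and the candidate go through realpath so that '.',
    '..', duplicated separators and symlinks are resolved before the
    comparison.  commonpath is used instead of startswith so that a
    sibling such as /srv/restricted2 is not mistaken for a child.
    """
    if not requested or "\x00" in requested:
        raise ValueError("empty or NUL-containing pathname rejected")
    if os.path.isabs(requested):
        raise ValueError("absolute pathname rejected")
    root = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(root, requested))
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError(f"pathname escapes {root}: {requested!r}")
    return candidate


def is_contained(base_dir: str, requested: str) -> bool:
    """Boolean convenience wrapper around contained_path."""
    try:
        contained_path(base_dir, requested)
    except ValueError:
        return False
    return True
```

Because the check runs after canonicalisation, it also covers inputs that only escape once symlinks or redundant separators are resolved, which a string-prefix or substring filter on the raw input would miss.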