CVE-2021-39392

The management tool in MyLittleBackup up to and including 1.7 allows remote attackers to execute arbitrary code because machineKey is hardcoded (the same for all customers' installations) in web.config, and can be used to send serialized ASP code.

CVSS v3 9.8 CRITICAL
CVSS v2.0 7.5 HIGH

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

7.5^/10

CVSS v2.0 : HIGH

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 10.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://www.mylittlebackup.com/mlb/zip/mlb_1.7.zip	Broken Link
https://gist.github.com/omriinbar/65827626e63f15e3e50557e2d9d61281	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:mylittletools:mylittlebackup:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2021-09-15 17:15

Updated : 2021-10-07 17:55

NVD link : CVE-2021-39392

Mitre link : CVE-2021-39392

CVE.ORG link : CVE-2021-39392

JSON object : View

Products Affected

mylittletools

mylittlebackup

CWE

CWE-502

Deserialization of Untrusted Data

{"id": "CVE-2021-39392", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 7.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2021-09-15T17:15:10.410", "references": [{"url": "http://www.mylittlebackup.com/mlb/zip/mlb_1.7.zip", "tags": ["Broken Link"], "source": "cve@mitre.org"}, {"url": "https://gist.github.com/omriinbar/65827626e63f15e3e50557e2d9d61281", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-502"}]}], "descriptions": [{"lang": "en", "value": "The management tool in MyLittleBackup up to and including 1.7 allows remote attackers to execute arbitrary code because machineKey is hardcoded (the same for all customers' installations) in web.config, and can be used to send serialized ASP code."}, {"lang": "es", "value": "La herramienta de administraci\u00f3n de MyLittleBackup versiones hasta 1.7 incluy\u00e9ndola, permite a atacantes remotos ejecutar c\u00f3digo arbitrario porque machineKey est\u00e1 embebida (la misma para todas las instalaciones de los clientes) en web.config, y puede usarse para enviar c\u00f3digo ASP serializado"}], "lastModified": "2021-10-07T17:55:32.367", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:mylittletools:mylittlebackup:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F1E121CF-A6C4-476F-AC9F-065F6298FD0B", "versionEndIncluding": "1.7"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}