CVE-2021-31986 — Heap-based Buffer Overflow in OS

CWE-122 — Heap-based Buffer Overflow CWE-787 — Out-of-bounds Write4 documents4 sources

Severity

6.8MEDIUMNVD

EPSS

0.6%

top 30.95%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Axis OS Axis OS 2016 Axis OS 2018 +2 more

Timeline

PublishedOct 5

Latest updateMay 24

Description

User controlled parameters related to SMTP notifications are not correctly validated. This can lead to a buffer overflow resulting in crashes and data leakage.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:HExploitability: 1.6 | Impact: 5.2

Affected Packages5 packages

▶NVDaxis/axis_os< 10.7

▶NVDaxis/axis_os_2016< 6.50.5.5

▶NVDaxis/axis_os_2018< 8.40.4.3

▶NVDaxis/axis_os_2020< 9.80.3.5

▶CVEListV5axis_communications_ab/axis_osAXIS OS 6.40 or later

🔴Vulnerability Details

GHSA

GHSA-qx7f-84h6-wf98: User controlled parameters related to SMTP notifications are not correctly validated↗2022-05-24

▶

CVEList

CVE-2021-31986: User controlled parameters related to SMTP notifications are not correctly validated↗2021-10-05

▶

🔍Detection Rules

Suricata

ET INFO Suspicious POST to Axis OS (smtptest.cgi)↗2021-10-06

▶