CVE-2021-31988

CWE-1286 CWE-74 CWE-20 — Improper Input Validation3 documents3 sources

Severity

8.8HIGH

EPSS

0.6%

top 30.12%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Axis Axis OS Axis Axis OS 2016 Axis Axis OS 2018 +2 more

Timeline

PublishedOct 5

Latest updateMay 24

Description

A user controlled parameter related to SMTP test functionality is not correctly validated making it possible to add the Carriage Return and Line Feed (CRLF) control characters and include arbitrary SMTP headers in the generated test email.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages5 packages

▶NVDaxis/axis_os< 10.7

▶NVDaxis/axis_os_2016< 6.50.5.5

▶NVDaxis/axis_os_2018< 8.40.4.3

▶NVDaxis/axis_os_2020< 9.80.3.5

▶CVEListV5axis_communications_ab/axis_osAXIS OS 5.51 or later

🔴Vulnerability Details

GHSA

GHSA-9whv-vchq-g94v: A user controlled parameter related to SMTP test functionality is not correctly validated making it possible to add the Carriage Return and Line Feed↗2022-05-24

▶

CVEList

CVE-2021-31988: A user controlled parameter related to SMTP test functionality is not correctly validated making it possible to add the Carriage Return and Line Feed↗2021-10-05

▶