CVE-2022-21215
Published: 2022-02-18
Priority: P2 · 61 · Severity: critical · CVSS 3.1 base score: 9.8
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.39% (68.9th percentile)
This vulnerability could allow an attacker to force the server to create and execute a web request granting access to backend APIs that are only accessible to the Mimosa MMP server, or request pages that could perform some actions themselves. The attacker could force the server into accessing routes on those cloud-hosting platforms, accessing secret keys, changing configurations, etc. Affecting MMP: All versions prior to v1.0.3, PTP C-series: Device versions prior to v2.8.6.1, and PTMP C-series and A5x: Device versions prior to v2.5.4.1.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| airspan | a5x_firmware | < 2.5.4.1 | 2.5.4.1 |
| airspan | c5c_firmware | < 2.8.6.1 | 2.8.6.1 |
| airspan | c5x_firmware | < 2.8.6.1 | 2.8.6.1 |
| airspan | c6x_firmware | < 2.8.6.1 | 2.8.6.1 |
| airspan | mimosa_management_platform | < 1.0.3 | 1.0.3 |
| airspan_networks | mmp | >= unspecified < v1.0.3 | v1.0.3 |
| airspan_networks | ptmp_c-series_and_a5x | >= unspecified < v2.5.4.1 | v2.5.4.1 |
| airspan_networks | ptp_c-series | >= unspecified < v2.8.6.1 | v2.8.6.1 |
CVSS provenance
- NVD, CVSS v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- NVD, CVSS v2.0: 10.0 CRITICAL, AV:N/AC:L/Au:N/C:C/I:C/A:C
GHSA
GHSA-hqrh-5ffw-2jfp · ghsa_unreviewed · 2022-02-19 · CVE-2022-21215 [CRITICAL] · CWE-918 (Server-Side Request Forgery)
CISA ICS
Airspan Networks Mimosa · cisa_ics · 2022-02-03 · CVSS 10.0 · [CRITICAL]
ICS Advisory: Airspan Networks Mimosa
Last Revised: February 03, 2022
Alert Code: ICSA-22-034-02
## 1. EXECUTIVE SUMMARY
- CVSS v3 10.0
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Airspan Networks
- Equipment: Mimosa by Airspan product line
- Vulnerabilities: Improper Authorization, Incorrect Authorization, Server-side Request Forgery, SQL Injection, Deserialization of Untrusted Data, OS Command Injection, Use of a Broken or Risky Cryptographic Algorithm
## 2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to gain user data (in
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.