CVE-2021-45918 - Vulnerability Details - OpenCVE

NHI’s health insurance web service component has insufficient validation for input string length, which can result in heap-based buffer overflow attack. A remote attacker can exploit this vulnerability to flood the memory space reserved for the program, in order to terminate service without authentication, which requires a system restart to recover service.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Complete

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Nhi	Health Insurance Web Service Component

Configuration 1 [-]

cpe:2.3:a:nhi:health_insurance_web_service_component:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://www.spirityenterprise.com/pentest
https://www.twcert.org.tw/tw/cp-132-6227-eaf49-1.html

History

No history.

MITRE

Status: PUBLISHED

Assigner: twcert

Published: 2022-06-20T05:30:26.758Z

Updated: 2024-09-17T04:04:01.665Z

Reserved: 2021-12-29T00:00:00.000Z

Link: CVE-2021-45918

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-06-20T06:15:08.503

Modified: 2024-11-21T06:33:16.403

Link: CVE-2021-45918

Redhat

No data.

{"containers": {"cna": {"affected": [{"platforms": ["Windows"], "product": "health insurance web service component", "vendor": "NHI", "versions": [{"status": "affected", "version": "515BE7DE5BCE446177FEE8A6E0665093"}]}, {"platforms": ["Mac"], "product": "health insurance web service component", "vendor": "NHI", "versions": [{"status": "affected", "version": "42fcc36541e716e23de77d5f325b186a"}]}, {"platforms": ["Linux(Ubuntu)"], "product": "health insurance web service component", "vendor": "NHI", "versions": [{"status": "affected", "version": "52EACB7CA2B4D0A5A869DF01079BF4D6"}]}, {"platforms": ["Linux(Fedora)"], "product": "health insurance web service component", "vendor": "NHI", "versions": [{"status": "affected", "version": "52EACB7CA2B4D0A5A869DF01079BF4D6"}]}], "credits": [{"lang": "en", "value": "Yu-Hsiang Lin"}], "datePublic": "2022-06-20T00:00:00.000Z", "descriptions": [{"lang": "en", "value": "NHI\u2019s health insurance web service component has insufficient validation for input string length, which can result in heap-based buffer overflow attack. A remote attacker can exploit this vulnerability to flood the memory space reserved for the program, in order to terminate service without authentication, which requires a system restart to recover service."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-122", "description": "CWE-122 Heap-based Buffer Overflow", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-06-20T05:30:26.000Z", "orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e", "shortName": "twcert"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.twcert.org.tw/tw/cp-132-6227-eaf49-1.html"}], "solutions": [{"lang": "en", "value": "Download last version"}], "source": {"advisory": "TVN-202112007", "discovery": "EXTERNAL"}, "title": "NHI\u2019s health insurance web service component \u2013 Heap-based Buffer Overflow", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"AKA": "TWCERT/CC", "ASSIGNER": "cve@cert.org.tw", "DATE_PUBLIC": "2022-06-20T05:16:00.000Z", "ID": "CVE-2021-45918", "STATE": "PUBLIC", "TITLE": "NHI\u2019s health insurance web service component \u2013 Heap-based Buffer Overflow"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "health insurance web service component", "version": {"version_data": [{"platform": "Windows", "version_affected": "=", "version_value": "515BE7DE5BCE446177FEE8A6E0665093"}, {"platform": "Mac", "version_affected": "=", "version_value": "42fcc36541e716e23de77d5f325b186a"}, {"platform": "Linux(Ubuntu)", "version_affected": "=", "version_value": "52EACB7CA2B4D0A5A869DF01079BF4D6"}, {"platform": "Linux(Fedora)", "version_affected": "=", "version_value": "52EACB7CA2B4D0A5A869DF01079BF4D6"}]}}]}, "vendor_name": "NHI"}]}}, "credit": [{"lang": "eng", "value": "Yu-Hsiang Lin"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "NHI\u2019s health insurance web service component has insufficient validation for input string length, which can result in heap-based buffer overflow attack. A remote attacker can exploit this vulnerability to flood the memory space reserved for the program, in order to terminate service without authentication, which requires a system restart to recover service."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-122 Heap-based Buffer Overflow"}]}]}, "references": {"reference_data": [{"name": "https://www.twcert.org.tw/tw/cp-132-6227-eaf49-1.html", "refsource": "MISC", "url": "https://www.twcert.org.tw/tw/cp-132-6227-eaf49-1.html"}]}, "solution": [{"lang": "en", "value": "Download last version"}], "source": {"advisory": "TVN-202112007", "discovery": "EXTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T04:54:31.155Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.twcert.org.tw/tw/cp-132-6227-eaf49-1.html"}]}]}, "cveMetadata": {"assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e", "assignerShortName": "twcert", "cveId": "CVE-2021-45918", "datePublished": "2022-06-20T05:30:26.758Z", "dateReserved": "2021-12-29T00:00:00.000Z", "dateUpdated": "2024-09-17T04:04:01.665Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nhi:health_insurance_web_service_component:-:*:*:*:*:*:*:*", "matchCriteriaId": "0379276F-4782-4249-82EF-A26C6EE14E8B", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "NHI\u2019s health insurance web service component has insufficient validation for input string length, which can result in heap-based buffer overflow attack. A remote attacker can exploit this vulnerability to flood the memory space reserved for the program, in order to terminate service without authentication, which requires a system restart to recover service."}, {"lang": "es", "value": "El componente del servicio web del seguro de salud de NHI no comprueba suficientemente la longitud de las cadenas de entrada, lo que puede resultar en un ataque de desbordamiento del b\u00fafer en la regi\u00f3n heap de la memoria. Un atacante remoto puede explotar esta vulnerabilidad para inundar el espacio de memoria reservado para el programa, con el fin de interrumpir el servicio sin autenticaci\u00f3n, lo que requiere un reinicio del sistema para recuperar el servicio"}], "id": "CVE-2021-45918", "lastModified": "2024-11-21T06:33:16.403", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 7.8, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "twcert@cert.org.tw", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-06-20T06:15:08.503", "references": [{"source": "twcert@cert.org.tw", "tags": ["Third Party Advisory"], "url": "https://www.twcert.org.tw/tw/cp-132-6227-eaf49-1.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.twcert.org.tw/tw/cp-132-6227-eaf49-1.html"}], "sourceIdentifier": "twcert@cert.org.tw", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-122"}], "source": "twcert@cert.org.tw", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-1284"}], "source": "nvd@nist.gov", "type": "Primary"}]}