A dependency confusion vulnerability was reported in the Antilles open-source software prior to version 1.0.1 that could allow for remote code execution during installation due to a package listed in requirements.txt not existing in the public package index (PyPi). MITRE classifies this weakness as an Uncontrolled Search Path Element (CWE-427) in which a private package dependency may be replaced by an unauthorized package of the same name published to a well-known public repository such as PyPi. The configuration has been updated to only install components built by Antilles, removing all other public package indexes. Additionally, the antilles-tools dependency has been published to PyPi.
References
| Link | Resource |
|---|---|
| https://github.com/lenovo/Antilles/security/advisories/GHSA-hgc3-hp6x-wpgx | Patch Third Party Advisory |
| https://github.com/lenovo/Antilles/security/advisories/GHSA-hgc3-hp6x-wpgx | Patch Third Party Advisory |
Configurations
History
21 Nov 2024, 06:22
| Type | Values Removed | Values Added |
|---|---|---|
| References | () https://github.com/lenovo/Antilles/security/advisories/GHSA-hgc3-hp6x-wpgx - Patch, Third Party Advisory |
17 Nov 2021, 14:30
| Type | Values Removed | Values Added |
|---|---|---|
| References | (CONFIRM) https://github.com/lenovo/Antilles/security/advisories/GHSA-hgc3-hp6x-wpgx - Patch, Third Party Advisory | |
| CVSS |
v2 : v3 : |
v2 : 6.8
v3 : 8.8 |
| CWE | CWE-427 | |
| CPE | cpe:2.3:a:lenovo:antilles:*:*:*:*:*:*:*:* |
12 Nov 2021, 23:15
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2021-11-12 22:15
Updated : 2024-11-21 06:22
NVD link : CVE-2021-3840
Mitre link : CVE-2021-3840
CVE.ORG link : CVE-2021-3840
JSON object : View
Products Affected
lenovo
- antilles
CWE
CWE-427
Uncontrolled Search Path Element