CVE-2021-28488
MEDIUM
Ericsson Network Manager < 21.2 - Incorrect Access Control in AMOS Authorization Group
Title source: llm
Description
Ericsson Network Manager (ENM) before 21.2 has incorrect access-control behavior (that only affects the level of access available to persons who were already granted a highly privileged role). Users in the same AMOS authorization group can retrieve managed-network data that was not set to be accessible to the entire group (i.e., was only set to be accessible to a subset of that group).
References (3)
Core References
Vendor Advisory x_refsource_misc
https://www.ericsson.com
Third Party Advisory x_refsource_misc
https://www.gruppotim.it/it/footer/red-team.html
Vendor Advisory x_refsource_misc
https://www.ericsson.com/en/about-us/enterprise-security/psirt
Scores
CVSS v3
6.5
EPSS
0.0107
EPSS Percentile
60.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-668
Status
published
Products (1)
ericsson/network_manager
< 21.2
Published
Mar 10, 2022
Tracked Since
Feb 18, 2026