PT-2021-15058 · Huawei · Oxfords-An00A+5

Published: 2021-07-13 · Updated: 2021-07-16 · CVE-2021-22440

CVSS v3.1: 4.6 (Medium)

Vector: AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions:
HUAWEI Mate 20 versions 9.0.0.195(C01E195R2P1) through 9.1.0.139(C00E133R3P1)
HUAWEI Mate 20 Pro versions 9.0.0.187(C432E10R1P16) through 9.0.0.278(C185E10R2P1)
Hima-L29C version 9.0.0.105(C10E9R1P16)
Hima-L29C version 9.0.0.105(C185E9R1P16)
Hima-L29C version 9.0.0.105(C636E9R1P16)
Laya-AL00EP version 9.1.0.139(C786E133R3P1)
OxfordS-AN00A version 10.1.0.223(C00E210R5P1)
Tony-AL00B version 9.1.0.257(C00E222R2P1)
Description: The issue is a path traversal vulnerability in some Huawei products. This vulnerability occurs because the software uses external input to construct a pathname intended to identify a file or directory underneath a restricted parent directory, but it does not properly validate the pathname. Successful exploitation could allow an attacker to access a location outside of the restricted directory by using a crafted filename.
Recommendations: Update each of the following to a version that properly validates pathnames:
HUAWEI Mate 20 versions 9.0.0.195(C01E195R2P1) through 9.1.0.139(C00E133R3P1)
HUAWEI Mate 20 Pro versions 9.0.0.187(C432E10R1P16) through 9.0.0.278(C185E10R2P1)
Hima-L29C versions 9.0.0.105
Laya-AL00EP version 9.1.0.139(C786E133R3P1)
OxfordS-AN00A version 10.1.0.223(C00E210R5P1)
Tony-AL00B version 9.1.0.257(C00E222R2P1)
As a temporary workaround, consider restricting access to sensitive directories until a patch is available.

Fix

Path traversal


Weakness Enumeration

Related Identifiers

CVE-2021-22440

Affected Products

Huawei Mate 20
Huawei Mate 20 Pro
Hima-L29C
Laya-AL00EP
OxfordS-AN00A
Tony-AL00B