{"api_version":"1","generated_at":"2026-04-29T17:30:30+00:00","cve":"CVE-2021-35520","urls":{"html":"https://cve.report/CVE-2021-35520","api":"https://cve.report/api/cve/CVE-2021-35520.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2021-35520","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2021-35520"},"summary":{"title":"CVE-2021-35520","description":"A Buffer Overflow in Thrift command handlers in IDEMIA Morpho Wave Compact and VisionPass devices before 2.6.2 allows physically proximate authenticated attackers to achieve code execution, denial of services, and information disclosure via serial ports.","state":"PUBLIC","assigner":"cve@mitre.org","published_at":"2021-07-22 12:15:00","updated_at":"2021-08-06 13:37:00"},"problem_types":["CWE-787"],"metrics":[],"references":[{"url":"https://www.idemia.com","name":"https://www.idemia.com","refsource":"MISC","tags":[],"title":"The global leader in Augmented Identity | IDEMIA","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://biometricdevices.idemia.com/s/global-search/0696700000JJa0zAAD?sharing=true","name":"https://biometricdevices.idemia.com/s/global-search/0696700000JJa0zAAD?sharing=true","refsource":"MISC","tags":[],"title":"IDEMIA Biometric Devices Portal","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://biometricdevices.idemia.com/s/global-search/0696700000JJa1nAAD?sharing=true","name":"https://biometricdevices.idemia.com/s/global-search/0696700000JJa1nAAD?sharing=true","refsource":"MISC","tags":[],"title":"IDEMIA Biometric Devices Portal","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2021-35520","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-35520","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2021","cve_id":"35520","vulnerable":"-1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"h","cpe4":"idemia","cpe5":"morphowave_compact_mdpi","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"35520","vulnerable":"-1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"h","cpe4":"idemia","cpe5":"morphowave_compact_mdpi-m","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"35520","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"idemia","cpe5":"morphowave_compact_mdpi-m_firmware","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"35520","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"idemia","cpe5":"morphowave_compact_mdpi_firmware","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"35520","vulnerable":"-1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"h","cpe4":"idemia","cpe5":"visionpass_mdpi","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"35520","vulnerable":"-1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"h","cpe4":"idemia","cpe5":"visionpass_mdpi-m","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"35520","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"idemia","cpe5":"visionpass_mdpi-m_firmware","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"35520","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"idemia","cpe5":"visionpass_mdpi_firmware","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2021-35520","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"A Buffer Overflow in Thrift command handlers in IDEMIA Morpho Wave Compact and VisionPass devices before 2.6.2 allows physically proximate authenticated attackers to achieve code execution, denial of services, and information disclosure via serial ports."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"url":"https://www.idemia.com","refsource":"MISC","name":"https://www.idemia.com"},{"refsource":"MISC","name":"https://biometricdevices.idemia.com/s/global-search/0696700000JJa0zAAD?sharing=true","url":"https://biometricdevices.idemia.com/s/global-search/0696700000JJa0zAAD?sharing=true"},{"refsource":"MISC","name":"https://biometricdevices.idemia.com/s/global-search/0696700000JJa1nAAD?sharing=true","url":"https://biometricdevices.idemia.com/s/global-search/0696700000JJa1nAAD?sharing=true"}]}},"nvd":{"publishedDate":"2021-07-22 12:15:00","lastModifiedDate":"2021-08-06 13:37:00","problem_types":["CWE-787"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:P/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H","attackVector":"PHYSICAL","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":6.2,"baseSeverity":"MEDIUM"},"exploitabilityScore":0.3,"impactScore":5.9},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:L/AC:L/Au:N/C:P/I:P/A:P","accessVector":"LOCAL","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL","baseScore":4.6},"severity":"MEDIUM","exploitabilityScore":3.9,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"AND","children":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:idemia:morphowave_compact_mdpi_firmware:*:*:*:*:*:*:*:*","versionEndExcluding":"2.6.2","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":false,"cpe23Uri":"cpe:2.3:h:idemia:morphowave_compact_mdpi:-:*:*:*:*:*:*:*","cpe_name":[]}]}],"cpe_match":[]},{"operator":"AND","children":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:idemia:morphowave_compact_mdpi-m_firmware:*:*:*:*:*:*:*:*","versionEndExcluding":"2.6.2","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":false,"cpe23Uri":"cpe:2.3:h:idemia:morphowave_compact_mdpi-m:-:*:*:*:*:*:*:*","cpe_name":[]}]}],"cpe_match":[]},{"operator":"AND","children":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:idemia:visionpass_mdpi_firmware:*:*:*:*:*:*:*:*","versionEndExcluding":"2.6.2","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":false,"cpe23Uri":"cpe:2.3:h:idemia:visionpass_mdpi:-:*:*:*:*:*:*:*","cpe_name":[]}]}],"cpe_match":[]},{"operator":"AND","children":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:idemia:visionpass_mdpi-m_firmware:*:*:*:*:*:*:*:*","versionEndExcluding":"2.6.2","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":false,"cpe23Uri":"cpe:2.3:h:idemia:visionpass_mdpi-m:-:*:*:*:*:*:*:*","cpe_name":[]}]}],"cpe_match":[]}]}},"legacy_mitre":{"record":{"CveYear":"2021","CveId":"35520","Ordinal":"211022","Title":"CVE-2021-35520","CVE":"CVE-2021-35520","Year":"2021"},"notes":[{"CveYear":"2021","CveId":"35520","Ordinal":"1","NoteData":"A Buffer Overflow in Thrift command handlers in IDEMIA Morpho Wave Compact and VisionPass devices before 2.6.2 allows physically proximate authenticated attackers to achieve code execution, denial of services, and information disclosure via serial ports.","Type":"Description","Title":null},{"CveYear":"2021","CveId":"35520","Ordinal":"2","NoteData":"2021-07-22","Type":"Other","Title":"Published"},{"CveYear":"2021","CveId":"35520","Ordinal":"3","NoteData":"2021-07-22","Type":"Other","Title":"Modified"}]}}}