CVE-2021-22440
Description
There is a path traversal vulnerability in some Huawei products. The vulnerability arises because the software uses external input to construct a pathname that is intended to identify a file or directory located underneath a restricted parent directory, but the software does not properly validate the pathname. Successful exploitation could allow the attacker to access a location outside the restricted directory by means of a crafted filename. Affected product versions include: HUAWEI Mate 20 9.0.0.195(C01E195R2P1), 9.1.0.139(C00E133R3P1); HUAWEI Mate 20 Pro 9.0.0.187(C432E10R1P16), 9.0.0.188(C185E10R2P1), 9.0.0.245(C10E10R2P1), 9.0.0.266(C432E10R1P16), 9.0.0.267(C636E10R2P1), 9.0.0.268(C635E12R1P16), 9.0.0.278(C185E10R2P1); Hima-L29C 9.0.0.105(C10E9R1P16), 9.0.0.105(C185E9R1P16), 9.0.0.105(C636E9R1P16); Laya-AL00EP 9.1.0.139(C786E133R3P1); OxfordS-AN00A 10.1.0.223(C00E210R5P1); Tony-AL00B 9.1.0.257(C00E222R2P1).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Path traversal vulnerability in Huawei Mate 20 and other devices allows reading arbitrary files via crafted filename.
Vulnerability
A path traversal vulnerability exists in some Huawei products, including HUAWEI Mate 20, Mate 20 Pro, Hima-L29C, Laya-AL00EP, OxfordS-AN00A, and Tony-AL00B. The vulnerability occurs because the software uses external input to construct a pathname but fails to properly validate it, allowing an attacker to bypass restricted directory checks. Affected versions include 9.0.0.195(C01E195R2P1), 9.1.0.139(C00E133R3P1), and others as listed in the advisory [1].
Exploitation
An attacker can exploit this vulnerability by providing a crafted filename that traverses outside the intended restricted directory. The attacker requires the ability to supply this filename to the vulnerable component, possibly through a write operation or file upload. No authentication is mentioned as necessary, but the advisory does not specify the precise attack vector. The exploit is of low complexity [1].
Impact
Successful exploitation allows the attacker to read files or directories that are outside the restricted parent directory, leading to information disclosure. The attacker could access sensitive data stored on the device [1].
Mitigation
Huawei has released software updates to fix this vulnerability. Users should update their devices to the resolved versions listed in the advisory, such as 11.0.0.130(C01E125R2P6) for HUAWEI Mate 20. The advisory was published on 2021-06-30 and updated on 2021-09-22 [1]. No workarounds are mentioned.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- HUAWEI/Mate 20
- Range: 9.0.0.195(C01E195R2P1), 9.1.0.139(C00E133R3P1)
Patches
No patches discovered yet.
References
- [1] www.huawei.com/en/psirt/security-advisories/huawei-sa-20210630-01-pathtraversal-en (mitre, x_refsource_MISC)