cnvd - cnvd-2021-95576

CNVD-2021-95576

Vulnerability from cnvd - Published: 2021-12-09

Title

Business-Dna Solution GmbH TopEase输入验证错误漏洞（CNVD-2021-95576）

Description

Business-Dna Solution GmbH TopEase是瑞士Business-Dna Solution GmbH公司的一种“转型风险”解决方案。用于全面、简单、快速和安全地管理复杂的项目和措施。 Business-Dna Solution GmbH TopEase存在输入验证错误漏洞，攻击者可利用该漏洞插入意外格式到日期字段，导致破坏日期字段存在的对象页面。

Severity

中

Patch Name

Business-Dna Solution GmbH TopEase输入验证错误漏洞（CNVD-2021-95576）的补丁

Patch Description

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://confluence.topease.ch/confluence/display/DOC/Release+Notes

Reference

https://confluence.topease.ch/confluence/display/DOC/Release+Notes

Impacted products

Name
Business-Dna Solution GmbH TopEase <=7.1.27

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2021-42121",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2021-42121"
    }
  },
  "description": "Business-Dna Solution GmbH TopEase\u662f\u745e\u58ebBusiness-Dna Solution GmbH\u516c\u53f8\u7684\u4e00\u79cd\u201c\u8f6c\u578b\u98ce\u9669\u201d\u89e3\u51b3\u65b9\u6848\u3002\u7528\u4e8e\u5168\u9762\u3001\u7b80\u5355\u3001\u5feb\u901f\u548c\u5b89\u5168\u5730\u7ba1\u7406\u590d\u6742\u7684\u9879\u76ee\u548c\u63aa\u65bd\u3002\n\nBusiness-Dna Solution GmbH TopEase\u5b58\u5728\u8f93\u5165\u9a8c\u8bc1\u9519\u8bef\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u63d2\u5165\u610f\u5916\u683c\u5f0f\u5230\u65e5\u671f\u5b57\u6bb5\uff0c\u5bfc\u81f4\u7834\u574f\u65e5\u671f\u5b57\u6bb5\u5b58\u5728\u7684\u5bf9\u8c61\u9875\u9762\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://confluence.topease.ch/confluence/display/DOC/Release+Notes",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2021-95576",
  "openTime": "2021-12-09",
  "patchDescription": "Business-Dna Solution GmbH TopEase\u662f\u745e\u58ebBusiness-Dna Solution GmbH\u516c\u53f8\u7684\u4e00\u79cd\u201c\u8f6c\u578b\u98ce\u9669\u201d\u89e3\u51b3\u65b9\u6848\u3002\u7528\u4e8e\u5168\u9762\u3001\u7b80\u5355\u3001\u5feb\u901f\u548c\u5b89\u5168\u5730\u7ba1\u7406\u590d\u6742\u7684\u9879\u76ee\u548c\u63aa\u65bd\u3002\r\n\r\nBusiness-Dna Solution GmbH TopEase\u5b58\u5728\u8f93\u5165\u9a8c\u8bc1\u9519\u8bef\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u63d2\u5165\u610f\u5916\u683c\u5f0f\u5230\u65e5\u671f\u5b57\u6bb5\uff0c\u5bfc\u81f4\u7834\u574f\u65e5\u671f\u5b57\u6bb5\u5b58\u5728\u7684\u5bf9\u8c61\u9875\u9762\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Business-Dna Solution GmbH TopEase\u8f93\u5165\u9a8c\u8bc1\u9519\u8bef\u6f0f\u6d1e\uff08CNVD-2021-95576\uff09\u7684\u8865\u4e01",
  "products": {
    "product": "Business-Dna Solution GmbH TopEase \u003c=7.1.27"
  },
  "referenceLink": "https://confluence.topease.ch/confluence/display/DOC/Release+Notes",
  "serverity": "\u4e2d",
  "submitTime": "2021-12-02",
  "title": "Business-Dna Solution GmbH TopEase\u8f93\u5165\u9a8c\u8bc1\u9519\u8bef\u6f0f\u6d1e\uff08CNVD-2021-95576\uff09"
}

CVE-2021-42121 (GCVE-0-2021-42121)

Vulnerability from cvelistv5 – Published: 2021-11-30 11:28 – Updated: 2024-08-04 03:30

Title

Denial of Service via Invalid Date Format in TopEase

Summary

Insufficient Input Validation in Web Applications operating on Business-DNA Solutions GmbH’s TopEase® Platform Version <= 7.1.27 on an object’s date attribute(s) allows an authenticated remote attacker with Object Modification privileges to insert an unexpected format into date fields, which leads to breaking the object page that the date field is present.

Severity ?

4.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

CWE

CWE-20 - Improper Input Validation

Assigner

NCSC.ch

References

URL

Tags

https://confluence.topease.ch/confluence/display/…

x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	Business-DNA Solutions GmbH	TopEase	Affected: unspecified , ≤ 7.1.27 (custom)

Credits

SIX Group Services AG, Cyber Controls

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T03:30:36.387Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://confluence.topease.ch/confluence/display/DOC/Release+Notes"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "TopEase",
          "vendor": "Business-DNA Solutions GmbH",
          "versions": [
            {
              "lessThanOrEqual": "7.1.27",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "SIX Group Services AG, Cyber Controls"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Insufficient Input Validation in Web Applications operating on Business-DNA Solutions GmbH\u2019s TopEase\u00ae Platform Version \u003c= 7.1.27 on an object\u2019s date attribute(s) allows an authenticated remote attacker with Object Modification privileges to insert an unexpected format into date fields, which leads to breaking the object page that the date field is present."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-20",
              "description": "CWE-20 Improper Input Validation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-11-30T11:28:12",
        "orgId": "455daabc-a392-441d-aa46-37d35189897c",
        "shortName": "NCSC.ch"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://confluence.topease.ch/confluence/display/DOC/Release+Notes"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Denial of Service via Invalid Date Format in TopEase",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "vulnerability@ncsc.ch",
          "ID": "CVE-2021-42121",
          "STATE": "PUBLIC",
          "TITLE": "Denial of Service via Invalid Date Format in TopEase"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "TopEase",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_value": "7.1.27"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Business-DNA Solutions GmbH"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "SIX Group Services AG, Cyber Controls"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Insufficient Input Validation in Web Applications operating on Business-DNA Solutions GmbH\u2019s TopEase\u00ae Platform Version \u003c= 7.1.27 on an object\u2019s date attribute(s) allows an authenticated remote attacker with Object Modification privileges to insert an unexpected format into date fields, which leads to breaking the object page that the date field is present."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-20 Improper Input Validation"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://confluence.topease.ch/confluence/display/DOC/Release+Notes",
              "refsource": "CONFIRM",
              "url": "https://confluence.topease.ch/confluence/display/DOC/Release+Notes"
            }
          ]
        },
        "source": {
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "455daabc-a392-441d-aa46-37d35189897c",
    "assignerShortName": "NCSC.ch",
    "cveId": "CVE-2021-42121",
    "datePublished": "2021-11-30T11:28:12",
    "dateReserved": "2021-10-08T00:00:00",
    "dateUpdated": "2024-08-04T03:30:36.387Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2021-95576

CVE-2021-42121 (GCVE-0-2021-42121)

Tags

Sightings

Nomenclature