cvelistv5 - cve-2021-22278

CVE-2021-22278 (GCVE-0-2021-22278)

Vulnerability from cvelistv5 – Published: 2021-10-28 12:45 – Updated: 2024-09-16 18:23

Summary

A certificate validation vulnerability in PCM600 Update Manager allows attacker to get unwanted software packages to be installed on computer which has PCM600 installed.

Severity ?

6.7 (Medium)


                        
                          CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-295 - Improper Certificate Validation

Assigner

ABB

References

URL

Tags

	https://search.abb.com/library/Download.aspx?Docu…	x_refsource_MISC
	https://search.abb.com/library/Download.aspx?Docu…	x_refsource_MISC

Impacted products

Vendor

Product

Version

ABB

PCM600

Affected: 2.7 , < unspecified (custom)
Affected: unspecified , ≤ 2.10 (custom)

ABB	PCM600 Update Manager	Affected: 2.1 Affected: 2.1.0.4 Affected: 2.2 Affected: 2.2.0.1 Affected: 2.2.0.2 Affected: 2.2.0.23 Affected: 2.3.0.60 Affected: 2.4.20041.1 Affected: 2.4.20119.2
Hitachi Energy	PCM600	Affected: 2.7 , < unspecified (custom) Affected: unspecified , ≤ 2.10 (custom)
Hitachi Energy	PCM600 Update Manager	Affected: 2.1 Affected: 2.1.0.4 Affected: 2.2 Affected: 2.2.0.1 Affected: 2.2.0.2 Affected: 2.2.0.23 Affected: 2.3.0.60 Affected: 2.4.20041.1 Affected: 2.4.20119.2

Credits

ABB and Hitachi Energy thank CyTRICS researcher May Chaffin for helping to identify the vulnerabilities and protecting our customers.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T18:37:18.443Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://search.abb.com/library/Download.aspx?DocumentID=2NGA001142\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://search.abb.com/library/Download.aspx?DocumentID=8DBD000056\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "PCM600",
          "vendor": "ABB",
          "versions": [
            {
              "lessThan": "unspecified",
              "status": "affected",
              "version": "2.7",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "2.10",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "PCM600 Update Manager",
          "vendor": "ABB",
          "versions": [
            {
              "status": "affected",
              "version": "2.1"
            },
            {
              "status": "affected",
              "version": "2.1.0.4"
            },
            {
              "status": "affected",
              "version": "2.2"
            },
            {
              "status": "affected",
              "version": "2.2.0.1"
            },
            {
              "status": "affected",
              "version": "2.2.0.2"
            },
            {
              "status": "affected",
              "version": "2.2.0.23"
            },
            {
              "status": "affected",
              "version": "2.3.0.60"
            },
            {
              "status": "affected",
              "version": "2.4.20041.1"
            },
            {
              "status": "affected",
              "version": "2.4.20119.2"
            }
          ]
        },
        {
          "product": "PCM600",
          "vendor": "Hitachi Energy",
          "versions": [
            {
              "lessThan": "unspecified",
              "status": "affected",
              "version": "2.7",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "2.10",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "PCM600 Update Manager",
          "vendor": "Hitachi Energy",
          "versions": [
            {
              "status": "affected",
              "version": "2.1"
            },
            {
              "status": "affected",
              "version": "2.1.0.4"
            },
            {
              "status": "affected",
              "version": "2.2"
            },
            {
              "status": "affected",
              "version": "2.2.0.1"
            },
            {
              "status": "affected",
              "version": "2.2.0.2"
            },
            {
              "status": "affected",
              "version": "2.2.0.23"
            },
            {
              "status": "affected",
              "version": "2.3.0.60"
            },
            {
              "status": "affected",
              "version": "2.4.20041.1"
            },
            {
              "status": "affected",
              "version": "2.4.20119.2"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "ABB and Hitachi Energy thank CyTRICS researcher May Chaffin for helping to identify the vulnerabilities and protecting our customers."
        }
      ],
      "datePublic": "2021-10-19T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "A certificate validation vulnerability in PCM600 Update Manager allows attacker to get unwanted software packages to be installed on computer which has PCM600 installed."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 6.7,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-295",
              "description": "CWE-295 Improper Certificate Validation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-10-28T12:45:58",
        "orgId": "2b718523-d88f-4f37-9bbd-300c20644bf9",
        "shortName": "ABB"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://search.abb.com/library/Download.aspx?DocumentID=2NGA001142\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://search.abb.com/library/Download.aspx?DocumentID=8DBD000056\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Install latest PCM600 Update Manager version 2.4.21218.1 or newer."
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Certificate verification vulnerability  in Update Manager of PCM600 Engineering Tool",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cybersecurity@ch.abb.com",
          "DATE_PUBLIC": "2021-10-19T10:02:00.000Z",
          "ID": "CVE-2021-22278",
          "STATE": "PUBLIC",
          "TITLE": "Certificate verification vulnerability  in Update Manager of PCM600 Engineering Tool"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "PCM600",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003e=",
                            "version_value": "2.7"
                          },
                          {
                            "version_affected": "\u003c=",
                            "version_value": "2.10"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "PCM600 Update Manager",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "=",
                            "version_value": "2.1"
                          },
                          {
                            "version_affected": "=",
                            "version_value": "2.1.0.4"
                          },
                          {
                            "version_affected": "=",
                            "version_value": "2.2"
                          },
                          {
                            "version_affected": "=",
                            "version_value": "2.2.0.1"
                          },
                          {
                            "version_affected": "=",
                            "version_value": "2.2.0.2"
                          },
                          {
                            "version_affected": "=",
                            "version_value": "2.2.0.23"
                          },
                          {
                            "version_affected": "=",
                            "version_value": "2.3.0.60"
                          },
                          {
                            "version_affected": "=",
                            "version_value": "2.4.20041.1"
                          },
                          {
                            "version_affected": "=",
                            "version_value": "2.4.20119.2"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "ABB"
              },
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "PCM600",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003e=",
                            "version_value": "2.7"
                          },
                          {
                            "version_affected": "\u003c=",
                            "version_value": "2.10"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "PCM600 Update Manager",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "=",
                            "version_value": "2.1"
                          },
                          {
                            "version_affected": "=",
                            "version_value": "2.1.0.4"
                          },
                          {
                            "version_affected": "=",
                            "version_value": "2.2"
                          },
                          {
                            "version_affected": "=",
                            "version_value": "2.2.0.1"
                          },
                          {
                            "version_affected": "=",
                            "version_value": "2.2.0.2"
                          },
                          {
                            "version_affected": "=",
                            "version_value": "2.2.0.23"
                          },
                          {
                            "version_affected": "=",
                            "version_value": "2.3.0.60"
                          },
                          {
                            "version_affected": "=",
                            "version_value": "2.4.20041.1"
                          },
                          {
                            "version_affected": "=",
                            "version_value": "2.4.20119.2"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Hitachi Energy"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "ABB and Hitachi Energy thank CyTRICS researcher May Chaffin for helping to identify the vulnerabilities and protecting our customers."
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A certificate validation vulnerability in PCM600 Update Manager allows attacker to get unwanted software packages to be installed on computer which has PCM600 installed."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 6.7,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-295 Improper Certificate Validation"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://search.abb.com/library/Download.aspx?DocumentID=2NGA001142\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch",
              "refsource": "MISC",
              "url": "https://search.abb.com/library/Download.aspx?DocumentID=2NGA001142\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
            },
            {
              "name": "https://search.abb.com/library/Download.aspx?DocumentID=8DBD000056\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch",
              "refsource": "MISC",
              "url": "https://search.abb.com/library/Download.aspx?DocumentID=8DBD000056\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
            }
          ]
        },
        "solution": [
          {
            "lang": "en",
            "value": "Install latest PCM600 Update Manager version 2.4.21218.1 or newer."
          }
        ],
        "source": {
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "2b718523-d88f-4f37-9bbd-300c20644bf9",
    "assignerShortName": "ABB",
    "cveId": "CVE-2021-22278",
    "datePublished": "2021-10-28T12:45:58.086957Z",
    "dateReserved": "2021-01-05T00:00:00",
    "dateUpdated": "2024-09-16T18:23:59.443Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:abb:update_manager:2.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"270D7F57-336B-4529-A80B-54E7285A748C\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:abb:update_manager:2.1.0.4:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"F3C761D5-31F0-4A1C-B25B-D6672E6CCFA4\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:abb:update_manager:2.2:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"D90D0E2D-D673-42B1-BF93-6A46CCB4FC4E\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:abb:update_manager:2.2.0.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"E7566688-A986-454E-85E2-30C410F036F5\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:abb:update_manager:2.2.0.2:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"E54590EC-81E2-4EB7-B9FA-FBD8D3EF68F0\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:abb:update_manager:2.2.0.23:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"950F2775-4C0E-4C89-B9A5-E57C8AB7E358\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:abb:update_manager:2.3.0.60:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"B9641E06-083B-4D62-A589-CBD33842E4F7\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:abb:update_manager:2.4.20041.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"013A5B85-B035-459F-8D7D-1CD6ABA0BA06\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:abb:update_manager:2.4.20119.2:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"634F2294-B68D-4729-B794-DBCED5283F96\"}]}]}, {\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:abb:update_manager:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"2.7\", \"versionEndIncluding\": \"2.10\", \"matchCriteriaId\": \"35E421FD-7C58-42B8-9D32-82D68763D59B\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": false, \"criteria\": \"cpe:2.3:h:hitachienergy:pcm600:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"A68C99C9-B2C1-4ADD-9B06-2BE60B583D30\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"A certificate validation vulnerability in PCM600 Update Manager allows attacker to get unwanted software packages to be installed on computer which has PCM600 installed.\"}, {\"lang\": \"es\", \"value\": \"Una vulnerabilidad de comprobaci\\u00f3n de certificados en PCM600 Update Manager permite a un atacante conseguir que se instalen paquetes de software no deseados en el ordenador que presenta instalado el PCM600\"}]",
      "id": "CVE-2021-22278",
      "lastModified": "2024-11-21T05:49:50.010",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"cybersecurity@ch.abb.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H\", \"baseScore\": 6.7, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"LOCAL\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 0.8, \"impactScore\": 5.9}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 6.7, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"LOCAL\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"HIGH\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 0.8, \"impactScore\": 5.9}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:L/AC:L/Au:N/C:P/I:P/A:P\", \"baseScore\": 4.6, \"accessVector\": \"LOCAL\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 3.9, \"impactScore\": 6.4, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2021-10-28T13:15:08.203",
      "references": "[{\"url\": \"https://search.abb.com/library/Download.aspx?DocumentID=2NGA001142\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch\", \"source\": \"cybersecurity@ch.abb.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://search.abb.com/library/Download.aspx?DocumentID=8DBD000056\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch\", \"source\": \"cybersecurity@ch.abb.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://search.abb.com/library/Download.aspx?DocumentID=2NGA001142\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://search.abb.com/library/Download.aspx?DocumentID=8DBD000056\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}]",
      "sourceIdentifier": "cybersecurity@ch.abb.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"cybersecurity@ch.abb.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-295\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-295\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2021-22278\",\"sourceIdentifier\":\"cybersecurity@ch.abb.com\",\"published\":\"2021-10-28T13:15:08.203\",\"lastModified\":\"2024-11-21T05:49:50.010\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A certificate validation vulnerability in PCM600 Update Manager allows attacker to get unwanted software packages to be installed on computer which has PCM600 installed.\"},{\"lang\":\"es\",\"value\":\"Una vulnerabilidad de comprobaci\u00f3n de certificados en PCM600 Update Manager permite a un atacante conseguir que se instalen paquetes de software no deseados en el ordenador que presenta instalado el PCM600\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"cybersecurity@ch.abb.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H\",\"baseScore\":6.7,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":0.8,\"impactScore\":5.9},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":6.7,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":0.8,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:L/AC:L/Au:N/C:P/I:P/A:P\",\"baseScore\":4.6,\"accessVector\":\"LOCAL\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":3.9,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"cybersecurity@ch.abb.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-295\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-295\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:abb:update_manager:2.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"270D7F57-336B-4529-A80B-54E7285A748C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:abb:update_manager:2.1.0.4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F3C761D5-31F0-4A1C-B25B-D6672E6CCFA4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:abb:update_manager:2.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"D90D0E2D-D673-42B1-BF93-6A46CCB4FC4E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:abb:update_manager:2.2.0.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E7566688-A986-454E-85E2-30C410F036F5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:abb:update_manager:2.2.0.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E54590EC-81E2-4EB7-B9FA-FBD8D3EF68F0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:abb:update_manager:2.2.0.23:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"950F2775-4C0E-4C89-B9A5-E57C8AB7E358\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:abb:update_manager:2.3.0.60:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B9641E06-083B-4D62-A589-CBD33842E4F7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:abb:update_manager:2.4.20041.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"013A5B85-B035-459F-8D7D-1CD6ABA0BA06\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:abb:update_manager:2.4.20119.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"634F2294-B68D-4729-B794-DBCED5283F96\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:abb:update_manager:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.7\",\"versionEndIncluding\":\"2.10\",\"matchCriteriaId\":\"35E421FD-7C58-42B8-9D32-82D68763D59B\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:hitachienergy:pcm600:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A68C99C9-B2C1-4ADD-9B06-2BE60B583D30\"}]}]}],\"references\":[{\"url\":\"https://search.abb.com/library/Download.aspx?DocumentID=2NGA001142\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch\",\"source\":\"cybersecurity@ch.abb.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://search.abb.com/library/Download.aspx?DocumentID=8DBD000056\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch\",\"source\":\"cybersecurity@ch.abb.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://search.abb.com/library/Download.aspx?DocumentID=2NGA001142\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://search.abb.com/library/Download.aspx?DocumentID=8DBD000056\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}"
  }
}

GHSA-M4RM-456C-72HQ

Vulnerability from github – Published: 2022-05-24 19:19 – Updated: 2023-05-16 21:30

Details

A certificate validation vulnerability in PCM600 Update Manager allows attacker to get unwanted software packages to be installed on computer which has PCM600 installed.

Severity ?

6.7 (Medium)


                  
                    CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2021-22278"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-295"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-10-28T13:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A certificate validation vulnerability in PCM600 Update Manager allows attacker to get unwanted software packages to be installed on computer which has PCM600 installed.",
  "id": "GHSA-m4rm-456c-72hq",
  "modified": "2023-05-16T21:30:17Z",
  "published": "2022-05-24T19:19:10Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22278"
    },
    {
      "type": "WEB",
      "url": "https://search.abb.com/library/Download.aspx?DocumentID=2NGA001142\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
    },
    {
      "type": "WEB",
      "url": "https://search.abb.com/library/Download.aspx?DocumentID=8DBD000056\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

FKIE_CVE-2021-22278

Vulnerability from fkie_nvd - Published: 2021-10-28 13:15 - Updated: 2024-11-21 05:49

Severity ?

6.7 (Medium) - CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
6.7 (Medium) - CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Summary

A certificate validation vulnerability in PCM600 Update Manager allows attacker to get unwanted software packages to be installed on computer which has PCM600 installed.

References

URL	Tags
cybersecurity@ch.abb.com	https://search.abb.com/library/Download.aspx?DocumentID=2NGA001142&LanguageCode=en&DocumentPartId=&Action=Launch	Vendor Advisory
cybersecurity@ch.abb.com	https://search.abb.com/library/Download.aspx?DocumentID=8DBD000056&LanguageCode=en&DocumentPartId=&Action=Launch	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://search.abb.com/library/Download.aspx?DocumentID=2NGA001142&LanguageCode=en&DocumentPartId=&Action=Launch	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://search.abb.com/library/Download.aspx?DocumentID=8DBD000056&LanguageCode=en&DocumentPartId=&Action=Launch	Vendor Advisory

Impacted products

Vendor	Product	Version
abb	update_manager	2.1
abb	update_manager	2.1.0.4
abb	update_manager	2.2
abb	update_manager	2.2.0.1
abb	update_manager	2.2.0.2
abb	update_manager	2.2.0.23
abb	update_manager	2.3.0.60
abb	update_manager	2.4.20041.1
abb	update_manager	2.4.20119.2
abb	update_manager	*
hitachienergy	pcm600	-

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:abb:update_manager:2.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "270D7F57-336B-4529-A80B-54E7285A748C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:abb:update_manager:2.1.0.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "F3C761D5-31F0-4A1C-B25B-D6672E6CCFA4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:abb:update_manager:2.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "D90D0E2D-D673-42B1-BF93-6A46CCB4FC4E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:abb:update_manager:2.2.0.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "E7566688-A986-454E-85E2-30C410F036F5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:abb:update_manager:2.2.0.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "E54590EC-81E2-4EB7-B9FA-FBD8D3EF68F0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:abb:update_manager:2.2.0.23:*:*:*:*:*:*:*",
              "matchCriteriaId": "950F2775-4C0E-4C89-B9A5-E57C8AB7E358",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:abb:update_manager:2.3.0.60:*:*:*:*:*:*:*",
              "matchCriteriaId": "B9641E06-083B-4D62-A589-CBD33842E4F7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:abb:update_manager:2.4.20041.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "013A5B85-B035-459F-8D7D-1CD6ABA0BA06",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:abb:update_manager:2.4.20119.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "634F2294-B68D-4729-B794-DBCED5283F96",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:abb:update_manager:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "35E421FD-7C58-42B8-9D32-82D68763D59B",
              "versionEndIncluding": "2.10",
              "versionStartIncluding": "2.7",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:hitachienergy:pcm600:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "A68C99C9-B2C1-4ADD-9B06-2BE60B583D30",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A certificate validation vulnerability in PCM600 Update Manager allows attacker to get unwanted software packages to be installed on computer which has PCM600 installed."
    },
    {
      "lang": "es",
      "value": "Una vulnerabilidad de comprobaci\u00f3n de certificados en PCM600 Update Manager permite a un atacante conseguir que se instalen paquetes de software no deseados en el ordenador que presenta instalado el PCM600"
    }
  ],
  "id": "CVE-2021-22278",
  "lastModified": "2024-11-21T05:49:50.010",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "LOCAL",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 4.6,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 6.7,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 0.8,
        "impactScore": 5.9,
        "source": "cybersecurity@ch.abb.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 6.7,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "HIGH",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 0.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2021-10-28T13:15:08.203",
  "references": [
    {
      "source": "cybersecurity@ch.abb.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://search.abb.com/library/Download.aspx?DocumentID=2NGA001142\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
    },
    {
      "source": "cybersecurity@ch.abb.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://search.abb.com/library/Download.aspx?DocumentID=8DBD000056\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://search.abb.com/library/Download.aspx?DocumentID=2NGA001142\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://search.abb.com/library/Download.aspx?DocumentID=8DBD000056\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
    }
  ],
  "sourceIdentifier": "cybersecurity@ch.abb.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-295"
        }
      ],
      "source": "cybersecurity@ch.abb.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-295"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

VAR-202110-1059

Vulnerability from variot - Updated: 2023-12-18 11:36

A certificate validation vulnerability in PCM600 Update Manager allows attacker to get unwanted software packages to be installed on computer which has PCM600 installed

Show details on source website

JSON

To clipboard

{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-202110-1059",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "update manager",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "abb",
        "version": "2.2.0.23"
      },
      {
        "model": "update manager",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "abb",
        "version": "2.3.0.60"
      },
      {
        "model": "update manager",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "abb",
        "version": "2.4.20041.1"
      },
      {
        "model": "update manager",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "abb",
        "version": "2.2.0.2"
      },
      {
        "model": "update manager",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "abb",
        "version": "2.4.20119.2"
      },
      {
        "model": "update manager",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "abb",
        "version": "2.1"
      },
      {
        "model": "update manager",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "abb",
        "version": "2.2.0.1"
      },
      {
        "model": "update manager",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "abb",
        "version": "2.10"
      },
      {
        "model": "update manager",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "abb",
        "version": "2.2"
      },
      {
        "model": "update manager",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "abb",
        "version": "2.1.0.4"
      },
      {
        "model": "update manager",
        "scope": "gte",
        "trust": 1.0,
        "vendor": "abb",
        "version": "2.7"
      },
      {
        "model": "update manager",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "abb",
        "version": null
      },
      {
        "model": "update manager",
        "scope": null,
        "trust": 0.8,
        "vendor": "abb",
        "version": null
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-005069"
      },
      {
        "db": "NVD",
        "id": "CVE-2021-22278"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:abb:update_manager:2.1.0.4:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:abb:update_manager:2.2.0.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:abb:update_manager:2.2.0.2:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:abb:update_manager:2.2.0.23:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:abb:update_manager:2.3.0.60:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:abb:update_manager:2.4.20041.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:abb:update_manager:2.4.20119.2:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:abb:update_manager:2.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:abb:update_manager:2.2:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:a:abb:update_manager:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndIncluding": "2.10",
                    "versionStartIncluding": "2.7",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:hitachienergy:pcm600:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2021-22278"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "A Department of Energy CyTRICS researcher from Idaho National Laboratory reported this vulnerability to Hitachi Energy.",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202110-2031"
      }
    ],
    "trust": 0.6
  },
  "cve": "CVE-2021-22278",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "acInsufInfo": false,
            "accessComplexity": "LOW",
            "accessVector": "LOCAL",
            "authentication": "NONE",
            "author": "NVD",
            "availabilityImpact": "PARTIAL",
            "baseScore": 4.6,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 3.9,
            "impactScore": 6.4,
            "integrityImpact": "PARTIAL",
            "obtainAllPrivilege": false,
            "obtainOtherPrivilege": false,
            "obtainUserPrivilege": false,
            "severity": "MEDIUM",
            "trust": 1.0,
            "userInteractionRequired": false,
            "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          {
            "acInsufInfo": null,
            "accessComplexity": "Low",
            "accessVector": "Local",
            "authentication": "None",
            "author": "NVD",
            "availabilityImpact": "Partial",
            "baseScore": 4.6,
            "confidentialityImpact": "Partial",
            "exploitabilityScore": null,
            "id": "CVE-2021-22278",
            "impactScore": null,
            "integrityImpact": "Partial",
            "obtainAllPrivilege": null,
            "obtainOtherPrivilege": null,
            "obtainUserPrivilege": null,
            "severity": "Medium",
            "trust": 0.8,
            "userInteractionRequired": null,
            "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "LOCAL",
            "authentication": "NONE",
            "author": "VULHUB",
            "availabilityImpact": "PARTIAL",
            "baseScore": 4.6,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 3.9,
            "id": "VHN-380713",
            "impactScore": 6.4,
            "integrityImpact": "PARTIAL",
            "severity": "MEDIUM",
            "trust": 0.1,
            "vectorString": "AV:L/AC:L/AU:N/C:P/I:P/A:P",
            "version": "2.0"
          }
        ],
        "cvssV3": [
          {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "author": "NVD",
            "availabilityImpact": "HIGH",
            "baseScore": 6.7,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "exploitabilityScore": 0.8,
            "impactScore": 5.9,
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "trust": 1.0,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "author": "cybersecurity@ch.abb.com",
            "availabilityImpact": "HIGH",
            "baseScore": 6.7,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "exploitabilityScore": 0.8,
            "impactScore": 5.9,
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "trust": 1.0,
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          {
            "attackComplexity": "Low",
            "attackVector": "Local",
            "author": "NVD",
            "availabilityImpact": "High",
            "baseScore": 6.7,
            "baseSeverity": "Medium",
            "confidentialityImpact": "High",
            "exploitabilityScore": null,
            "id": "CVE-2021-22278",
            "impactScore": null,
            "integrityImpact": "High",
            "privilegesRequired": "High",
            "scope": "Unchanged",
            "trust": 0.8,
            "userInteraction": "None",
            "vectorString": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          }
        ],
        "severity": [
          {
            "author": "NVD",
            "id": "CVE-2021-22278",
            "trust": 1.8,
            "value": "MEDIUM"
          },
          {
            "author": "cybersecurity@ch.abb.com",
            "id": "CVE-2021-22278",
            "trust": 1.0,
            "value": "MEDIUM"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-202110-2031",
            "trust": 0.6,
            "value": "MEDIUM"
          },
          {
            "author": "VULHUB",
            "id": "VHN-380713",
            "trust": 0.1,
            "value": "MEDIUM"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-380713"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-005069"
      },
      {
        "db": "NVD",
        "id": "CVE-2021-22278"
      },
      {
        "db": "NVD",
        "id": "CVE-2021-22278"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202110-2031"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "A certificate validation vulnerability in PCM600 Update Manager allows attacker to get unwanted software packages to be installed on computer which has PCM600 installed",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2021-22278"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-005069"
      },
      {
        "db": "VULHUB",
        "id": "VHN-380713"
      }
    ],
    "trust": 1.71
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2021-22278",
        "trust": 2.5
      },
      {
        "db": "ICS CERT",
        "id": "ICSA-21-336-07",
        "trust": 1.4
      },
      {
        "db": "JVN",
        "id": "JVNVU90348129",
        "trust": 0.8
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-005069",
        "trust": 0.8
      },
      {
        "db": "CS-HELP",
        "id": "SB2021120301",
        "trust": 0.6
      },
      {
        "db": "AUSCERT",
        "id": "ESB-2021.4098",
        "trust": 0.6
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202110-2031",
        "trust": 0.6
      },
      {
        "db": "VULHUB",
        "id": "VHN-380713",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-380713"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-005069"
      },
      {
        "db": "NVD",
        "id": "CVE-2021-22278"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202110-2031"
      }
    ]
  },
  "id": "VAR-202110-1059",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-380713"
      }
    ],
    "trust": 0.01
  },
  "last_update_date": "2023-12-18T11:36:39.386000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "2NGA001142 Hitachi\u00a0EnergyCYBERSECURITY\u00a0ADVISORY",
        "trust": 0.8,
        "url": "https://search.abb.com/library/download.aspx?documentid=2nga001142\u0026languagecode=en\u0026documentpartid=\u0026action=launch"
      },
      {
        "title": "Abb Pcm600 Repair measures for trust management problem vulnerabilities",
        "trust": 0.6,
        "url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=168590"
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-005069"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202110-2031"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-295",
        "trust": 1.1
      },
      {
        "problemtype": "Bad certificate verification (CWE-295) [NVD Evaluation ]",
        "trust": 0.8
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-380713"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-005069"
      },
      {
        "db": "NVD",
        "id": "CVE-2021-22278"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 1.6,
        "url": "https://search.abb.com/library/download.aspx?documentid=2nga001142\u0026languagecode=en\u0026documentpartid=\u0026action=launch"
      },
      {
        "trust": 1.6,
        "url": "https://search.abb.com/library/download.aspx?documentid=8dbd000056\u0026languagecode=en\u0026documentpartid=\u0026action=launch"
      },
      {
        "trust": 1.4,
        "url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-336-07"
      },
      {
        "trust": 0.8,
        "url": "https://jvn.jp/vu/jvnvu90348129/index.html"
      },
      {
        "trust": 0.8,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2021-22278"
      },
      {
        "trust": 0.6,
        "url": "https://www.auscert.org.au/bulletins/esb-2021.4098"
      },
      {
        "trust": 0.6,
        "url": "https://www.cybersecurity-help.cz/vdb/sb2021120301"
      },
      {
        "trust": 0.1,
        "url": "https://search.abb.com/library/download.aspx?documentid=2nga001142\u0026amp;languagecode=en\u0026amp;documentpartid=\u0026amp;action=launch"
      },
      {
        "trust": 0.1,
        "url": "https://search.abb.com/library/download.aspx?documentid=8dbd000056\u0026amp;languagecode=en\u0026amp;documentpartid=\u0026amp;action=launch"
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-380713"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-005069"
      },
      {
        "db": "NVD",
        "id": "CVE-2021-22278"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202110-2031"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "VULHUB",
        "id": "VHN-380713"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-005069"
      },
      {
        "db": "NVD",
        "id": "CVE-2021-22278"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202110-2031"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2021-10-28T00:00:00",
        "db": "VULHUB",
        "id": "VHN-380713"
      },
      {
        "date": "2021-12-07T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2021-005069"
      },
      {
        "date": "2021-10-28T13:15:08.203000",
        "db": "NVD",
        "id": "CVE-2021-22278"
      },
      {
        "date": "2021-10-28T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202110-2031"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2021-11-03T00:00:00",
        "db": "VULHUB",
        "id": "VHN-380713"
      },
      {
        "date": "2021-12-07T04:48:00",
        "db": "JVNDB",
        "id": "JVNDB-2021-005069"
      },
      {
        "date": "2023-05-16T20:56:48.347000",
        "db": "NVD",
        "id": "CVE-2021-22278"
      },
      {
        "date": "2021-12-06T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202110-2031"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "local",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202110-2031"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "PCM600\u00a0Update\u00a0Manager\u00a0 Vulnerability in Certificate Verification",
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-005069"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "trust management problem",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202110-2031"
      }
    ],
    "trust": 0.6
  }
}

GSD-2021-22278

Vulnerability from gsd - Updated: 2023-12-13 01:23

Details

A certificate validation vulnerability in PCM600 Update Manager allows attacker to get unwanted software packages to be installed on computer which has PCM600 installed.

Aliases

CVE-2021-22278

Aliases

CVE-2021-22278

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2021-22278",
    "description": "A certificate validation vulnerability in PCM600 Update Manager allows attacker to get unwanted software packages to be installed on computer which has PCM600 installed.",
    "id": "GSD-2021-22278"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2021-22278"
      ],
      "details": "A certificate validation vulnerability in PCM600 Update Manager allows attacker to get unwanted software packages to be installed on computer which has PCM600 installed.",
      "id": "GSD-2021-22278",
      "modified": "2023-12-13T01:23:24.320222Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cybersecurity@ch.abb.com",
        "DATE_PUBLIC": "2021-10-19T10:02:00.000Z",
        "ID": "CVE-2021-22278",
        "STATE": "PUBLIC",
        "TITLE": "Certificate verification vulnerability  in Update Manager of PCM600 Engineering Tool"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "PCM600",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003e=",
                          "version_value": "2.7"
                        },
                        {
                          "version_affected": "\u003c=",
                          "version_value": "2.10"
                        }
                      ]
                    }
                  },
                  {
                    "product_name": "PCM600 Update Manager",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "2.1"
                        },
                        {
                          "version_affected": "=",
                          "version_value": "2.1.0.4"
                        },
                        {
                          "version_affected": "=",
                          "version_value": "2.2"
                        },
                        {
                          "version_affected": "=",
                          "version_value": "2.2.0.1"
                        },
                        {
                          "version_affected": "=",
                          "version_value": "2.2.0.2"
                        },
                        {
                          "version_affected": "=",
                          "version_value": "2.2.0.23"
                        },
                        {
                          "version_affected": "=",
                          "version_value": "2.3.0.60"
                        },
                        {
                          "version_affected": "=",
                          "version_value": "2.4.20041.1"
                        },
                        {
                          "version_affected": "=",
                          "version_value": "2.4.20119.2"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "ABB"
            },
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "PCM600",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003e=",
                          "version_value": "2.7"
                        },
                        {
                          "version_affected": "\u003c=",
                          "version_value": "2.10"
                        }
                      ]
                    }
                  },
                  {
                    "product_name": "PCM600 Update Manager",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "2.1"
                        },
                        {
                          "version_affected": "=",
                          "version_value": "2.1.0.4"
                        },
                        {
                          "version_affected": "=",
                          "version_value": "2.2"
                        },
                        {
                          "version_affected": "=",
                          "version_value": "2.2.0.1"
                        },
                        {
                          "version_affected": "=",
                          "version_value": "2.2.0.2"
                        },
                        {
                          "version_affected": "=",
                          "version_value": "2.2.0.23"
                        },
                        {
                          "version_affected": "=",
                          "version_value": "2.3.0.60"
                        },
                        {
                          "version_affected": "=",
                          "version_value": "2.4.20041.1"
                        },
                        {
                          "version_affected": "=",
                          "version_value": "2.4.20119.2"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Hitachi Energy"
            }
          ]
        }
      },
      "credit": [
        {
          "lang": "eng",
          "value": "ABB and Hitachi Energy thank CyTRICS researcher May Chaffin for helping to identify the vulnerabilities and protecting our customers."
        }
      ],
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "A certificate validation vulnerability in PCM600 Update Manager allows attacker to get unwanted software packages to be installed on computer which has PCM600 installed."
          }
        ]
      },
      "generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "impact": {
        "cvss": {
          "attackComplexity": "HIGH",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 6.7,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
          "version": "3.1"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-295 Improper Certificate Validation"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://search.abb.com/library/Download.aspx?DocumentID=2NGA001142\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch",
            "refsource": "MISC",
            "url": "https://search.abb.com/library/Download.aspx?DocumentID=2NGA001142\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
          },
          {
            "name": "https://search.abb.com/library/Download.aspx?DocumentID=8DBD000056\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch",
            "refsource": "MISC",
            "url": "https://search.abb.com/library/Download.aspx?DocumentID=8DBD000056\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
          }
        ]
      },
      "solution": [
        {
          "lang": "eng",
          "value": "Install latest PCM600 Update Manager version 2.4.21218.1 or newer."
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:abb:update_manager:2.1.0.4:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:abb:update_manager:2.2.0.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:abb:update_manager:2.2.0.2:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:abb:update_manager:2.2.0.23:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:abb:update_manager:2.3.0.60:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:abb:update_manager:2.4.20041.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:abb:update_manager:2.4.20119.2:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:abb:update_manager:2.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:abb:update_manager:2.2:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:a:abb:update_manager:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndIncluding": "2.10",
                    "versionStartIncluding": "2.7",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:hitachienergy:pcm600:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cybersecurity@ch.abb.com",
          "ID": "CVE-2021-22278"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "A certificate validation vulnerability in PCM600 Update Manager allows attacker to get unwanted software packages to be installed on computer which has PCM600 installed."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-295"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://search.abb.com/library/Download.aspx?DocumentID=2NGA001142\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch",
              "refsource": "MISC",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://search.abb.com/library/Download.aspx?DocumentID=2NGA001142\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
            },
            {
              "name": "https://search.abb.com/library/Download.aspx?DocumentID=8DBD000056\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch",
              "refsource": "MISC",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://search.abb.com/library/Download.aspx?DocumentID=8DBD000056\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "LOCAL",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 4.6,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 6.4,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 6.7,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 0.8,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2023-05-16T20:56Z",
      "publishedDate": "2021-10-28T13:15Z"
    }
  }
}

ICSA-21-336-07

Vulnerability from csaf_cisa - Published: 2021-12-02 00:00 - Updated: 2021-12-02 00:00

Summary

Hitachi Energy PCM600 Update Manager

Notes

CISA Disclaimer

This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov

Legal Notice

All information products included in https://us-cert.cisa.gov/ics are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.

Risk evaluation

Successful exploitation of this vulnerability could allow an attacker to bypass the certificate validation and install an untrusted software package.

Critical infrastructure sectors

Energy

Countries/areas deployed

Worldwide

Company headquarters location

Switzerland

Recommended Practices

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:

Recommended Practices

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage onus-cert.cisa.gov. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Recommended Practices

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage on us-cert.cisa.gov in the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.

Exploitability

No known public exploits specifically target this vulnerability. This vulnerability has a high attack complexity. This vulnerability is not exploitable remotely.

JSON

To clipboard

{
  "document": {
    "acknowledgments": [
      {
        "names": [
          "an anonymous party"
        ],
        "organization": "Idaho National Laboratory",
        "summary": "reporting this vulnerability to Hitachi Energy"
      },
      {
        "organization": "Department of Energy",
        "summary": "reporting this vulnerability to Hitachi Energy"
      }
    ],
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Disclosure is not limited",
      "tlp": {
        "label": "WHITE",
        "url": "https://us-cert.cisa.gov/tlp/"
      }
    },
    "lang": "en-US",
    "notes": [
      {
        "category": "general",
        "text": "This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov",
        "title": "CISA Disclaimer"
      },
      {
        "category": "legal_disclaimer",
        "text": "All information products included in https://us-cert.cisa.gov/ics are provided \"as is\" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.",
        "title": "Legal Notice"
      },
      {
        "category": "summary",
        "text": "Successful exploitation of this vulnerability could allow an attacker to bypass the certificate validation and install an untrusted software package.",
        "title": "Risk evaluation"
      },
      {
        "category": "other",
        "text": "Energy",
        "title": "Critical infrastructure sectors"
      },
      {
        "category": "other",
        "text": "Worldwide",
        "title": "Countries/areas deployed"
      },
      {
        "category": "other",
        "text": "Switzerland",
        "title": "Company headquarters location"
      },
      {
        "category": "general",
        "text": "CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.\nCISA also provides a section for control systems security recommended practices on the ICS webpage onus-cert.cisa.gov. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "Additional mitigation guidance and recommended practices are publicly available on the ICS webpage on us-cert.cisa.gov in the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.\nOrganizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.",
        "title": "Recommended Practices"
      },
      {
        "category": "other",
        "text": "No known public exploits specifically target this vulnerability. This vulnerability has a high attack complexity. This vulnerability is not exploitable remotely.",
        "title": "Exploitability"
      }
    ],
    "publisher": {
      "category": "coordinator",
      "contact_details": "Email: CISAservicedesk@cisa.dhs.gov;\n Toll Free: 1-888-282-0870",
      "name": "CISA",
      "namespace": "https://www.cisa.gov/"
    },
    "references": [
      {
        "category": "self",
        "summary": "ICS Advisory ICSA-21-336-07 JSON",
        "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/OT/white/2021/icsa-21-336-07.json"
      },
      {
        "category": "self",
        "summary": "ICS Advisory ICSA-21-336-07 Web Version",
        "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-21-336-07"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-21-336-07"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://us-cert.cisa.gov/ics/tips/ICS-TIP-12-146-01B"
      }
    ],
    "title": "Hitachi Energy PCM600 Update Manager",
    "tracking": {
      "current_release_date": "2021-12-02T00:00:00.000000Z",
      "generator": {
        "engine": {
          "name": "CISA CSAF Generator",
          "version": "1.0.0"
        }
      },
      "id": "ICSA-21-336-07",
      "initial_release_date": "2021-12-02T00:00:00.000000Z",
      "revision_history": [
        {
          "date": "2021-12-02T00:00:00.000000Z",
          "legacy_version": "Initial",
          "number": "1",
          "summary": "ICSA-21-336-07 Hitachi Energy PCM600s Update Manager"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "2.1 | 2.1.0.4 | 2.2 2.2.0.1 | 2.2.0.2 | 2.2.0.23 | 2.3.0.60 | 2.4.20041.1 |2.4.20119.2",
                "product": {
                  "name": "PCM600 Update Manager: Versions 2.1 2.1.0.4 2.2 2.2.0.1 2.2.0.2 2.2.0.23 2.3.0.60 2.4.20041.1 and 2.4.20119.2",
                  "product_id": "CSAFPID-0001"
                }
              }
            ],
            "category": "product_name",
            "name": "PCM600 Update Manager"
          }
        ],
        "category": "vendor",
        "name": "Hitachi Energy"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2021-22278",
      "cwe": {
        "id": "CWE-295",
        "name": "Improper Certificate Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "This vulnerability exists due to a logic error in the certificate validation in the affected product. An attacker with administrator rights could exploit this vulnerability by creating software packages and signing those packages with specially crafted certificates, thereby pointing the PCM600 update server location to a different location. The validation flaw causes untrusted software packages to be installed using PCM600 Update Manager.CVE-2021-22278 has been assigned to this vulnerability. A CVSS v3 base score of 6.7 has been calculated; the CVSS vector string is (AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H).",
          "title": "Vulnerability Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "web.nvd.nist.gov",
          "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-22278"
        },
        {
          "category": "external",
          "summary": "www.first.org",
          "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Hitachi Energy recommends updating the PCM600 Update Manager to Update Manager v2.4.21218.1. This can be done by checking directly on the recommended updates in the PCM600 Update Manager or by downloading it from the Hitachi Energy website.",
          "product_ids": [
            "CSAFPID-0001"
          ],
          "url": "https://www143.abb.com/SoftwareLibrary"
        },
        {
          "category": "mitigation",
          "details": "Please see Hitachi Energy advisory 8DBD000056 for additional mitigation and update information.",
          "product_ids": [
            "CSAFPID-0001"
          ],
          "url": "https://search.abb.com/library/Download.aspx?DocumentID=8DBD000056\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.7,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "products": [
            "CSAFPID-0001"
          ]
        }
      ]
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2021-22278 (GCVE-0-2021-22278)

GHSA-M4RM-456C-72HQ

FKIE_CVE-2021-22278

VAR-202110-1059

GSD-2021-22278

ICSA-21-336-07

Tags

Sightings

Nomenclature