cvelistv5 - cve-2021-33005

CVE-2021-33005 (GCVE-0-2021-33005)

Vulnerability from cvelistv5 – Published: 2022-05-13 15:18 – Updated: 2025-04-16 16:21

Title

mySCADA myPRO Path Traversal

Summary

mySCADA myPRO versions prior to 8.20.0 allows an unauthenticated remote attacker to upload arbitrary files to arbitrary directories.

Severity ?

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CWE

CWE-22 - Path Traversal

Assigner

icscert

References

URL

Tags

	https://www.cisa.gov/uscert/ics/advisories/icsa-2…	x_refsource_MISC
	https://www.myscada.org/version-8-20-0-released-s…	x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	mySCADA	myPRO	Affected: unspecified , < 8.20.0 (custom)

Credits

Michael Heinzl reported these vulnerabilities to CISA.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T23:42:19.949Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-217-03"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.myscada.org/version-8-20-0-released-security-update"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2021-33005",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-16T15:56:04.272607Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-16T16:21:55.101Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "myPRO",
          "vendor": "mySCADA",
          "versions": [
            {
              "lessThan": "8.20.0",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Michael Heinzl reported these vulnerabilities to CISA."
        }
      ],
      "datePublic": "2021-08-05T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "mySCADA myPRO versions prior to 8.20.0 allows an unauthenticated remote attacker to upload arbitrary files to arbitrary directories."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22: Path Traversal",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-05-13T15:18:39.000Z",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-217-03"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.myscada.org/version-8-20-0-released-security-update"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "mySCADA recommends users apply update v8.20.0 or later."
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "mySCADA myPRO Path Traversal",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "ics-cert@hq.dhs.gov",
          "DATE_PUBLIC": "2021-08-05T21:32:00.000Z",
          "ID": "CVE-2021-33005",
          "STATE": "PUBLIC",
          "TITLE": "mySCADA myPRO Path Traversal"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "myPRO",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_value": "8.20.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "mySCADA"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Michael Heinzl reported these vulnerabilities to CISA."
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "mySCADA myPRO versions prior to 8.20.0 allows an unauthenticated remote attacker to upload arbitrary files to arbitrary directories."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-22: Path Traversal"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-217-03",
              "refsource": "MISC",
              "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-217-03"
            },
            {
              "name": "https://www.myscada.org/version-8-20-0-released-security-update",
              "refsource": "CONFIRM",
              "url": "https://www.myscada.org/version-8-20-0-released-security-update"
            }
          ]
        },
        "solution": [
          {
            "lang": "en",
            "value": "mySCADA recommends users apply update v8.20.0 or later."
          }
        ],
        "source": {
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2021-33005",
    "datePublished": "2022-05-13T15:18:40.002Z",
    "dateReserved": "2021-05-13T00:00:00.000Z",
    "dateUpdated": "2025-04-16T16:21:55.101Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:myscada:mypro:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"8.20.0\", \"matchCriteriaId\": \"1DDCAD9A-0464-4431-AC41-88D4A57354BD\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"mySCADA myPRO versions prior to 8.20.0 allows an unauthenticated remote attacker to upload arbitrary files to arbitrary directories.\"}, {\"lang\": \"es\", \"value\": \"mySCADA myPRO versiones anteriores a la 8.20.0, permiten a un atacante remoto no autentificado cargar archivos arbitrarios en directorios arbitrarios\"}]",
      "id": "CVE-2021-33005",
      "lastModified": "2024-11-21T06:08:06.603",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"ics-cert@hq.dhs.gov\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\", \"baseScore\": 7.5, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 3.6}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\", \"baseScore\": 7.5, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 3.6}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:N/C:N/I:P/A:N\", \"baseScore\": 5.0, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 10.0, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2022-05-13T16:15:07.950",
      "references": "[{\"url\": \"https://www.cisa.gov/uscert/ics/advisories/icsa-21-217-03\", \"source\": \"ics-cert@hq.dhs.gov\", \"tags\": [\"Third Party Advisory\", \"US Government Resource\"]}, {\"url\": \"https://www.myscada.org/version-8-20-0-released-security-update\", \"source\": \"ics-cert@hq.dhs.gov\", \"tags\": [\"Release Notes\", \"Vendor Advisory\"]}, {\"url\": \"https://www.cisa.gov/uscert/ics/advisories/icsa-21-217-03\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\", \"US Government Resource\"]}, {\"url\": \"https://www.myscada.org/version-8-20-0-released-security-update\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Release Notes\", \"Vendor Advisory\"]}]",
      "sourceIdentifier": "ics-cert@hq.dhs.gov",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"ics-cert@hq.dhs.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-22\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2021-33005\",\"sourceIdentifier\":\"ics-cert@hq.dhs.gov\",\"published\":\"2022-05-13T16:15:07.950\",\"lastModified\":\"2024-11-21T06:08:06.603\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"mySCADA myPRO versions prior to 8.20.0 allows an unauthenticated remote attacker to upload arbitrary files to arbitrary directories.\"},{\"lang\":\"es\",\"value\":\"mySCADA myPRO versiones anteriores a la 8.20.0, permiten a un atacante remoto no autentificado cargar archivos arbitrarios en directorios arbitrarios\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"ics-cert@hq.dhs.gov\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:N/I:P/A:N\",\"baseScore\":5.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":10.0,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"ics-cert@hq.dhs.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-22\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:myscada:mypro:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"8.20.0\",\"matchCriteriaId\":\"1DDCAD9A-0464-4431-AC41-88D4A57354BD\"}]}]}],\"references\":[{\"url\":\"https://www.cisa.gov/uscert/ics/advisories/icsa-21-217-03\",\"source\":\"ics-cert@hq.dhs.gov\",\"tags\":[\"Third Party Advisory\",\"US Government Resource\"]},{\"url\":\"https://www.myscada.org/version-8-20-0-released-security-update\",\"source\":\"ics-cert@hq.dhs.gov\",\"tags\":[\"Release Notes\",\"Vendor Advisory\"]},{\"url\":\"https://www.cisa.gov/uscert/ics/advisories/icsa-21-217-03\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"US Government Resource\"]},{\"url\":\"https://www.myscada.org/version-8-20-0-released-security-update\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Release Notes\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://www.cisa.gov/uscert/ics/advisories/icsa-21-217-03\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://www.myscada.org/version-8-20-0-released-security-update\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-03T23:42:19.949Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2021-33005\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-04-16T15:56:04.272607Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-04-16T15:56:08.801Z\"}}], \"cna\": {\"title\": \"mySCADA myPRO Path Traversal\", \"source\": {\"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"value\": \"Michael Heinzl reported these vulnerabilities to CISA.\"}], \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"mySCADA\", \"product\": \"myPRO\", \"versions\": [{\"status\": \"affected\", \"version\": \"unspecified\", \"lessThan\": \"8.20.0\", \"versionType\": \"custom\"}]}], \"solutions\": [{\"lang\": \"en\", \"value\": \"mySCADA recommends users apply update v8.20.0 or later.\"}], \"datePublic\": \"2021-08-05T00:00:00.000Z\", \"references\": [{\"url\": \"https://www.cisa.gov/uscert/ics/advisories/icsa-21-217-03\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://www.myscada.org/version-8-20-0-released-security-update\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.0.9\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"mySCADA myPRO versions prior to 8.20.0 allows an unauthenticated remote attacker to upload arbitrary files to arbitrary directories.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-22\", \"description\": \"CWE-22: Path Traversal\"}]}], \"providerMetadata\": {\"orgId\": \"7d14cffa-0d7d-4270-9dc0-52cabd5a23a6\", \"shortName\": \"icscert\", \"dateUpdated\": \"2022-05-13T15:18:39.000Z\"}, \"x_legacyV4Record\": {\"credit\": [{\"lang\": \"eng\", \"value\": \"Michael Heinzl reported these vulnerabilities to CISA.\"}], \"impact\": {\"cvss\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}, \"source\": {\"discovery\": \"EXTERNAL\"}, \"affects\": {\"vendor\": {\"vendor_data\": [{\"product\": {\"product_data\": [{\"version\": {\"version_data\": [{\"version_value\": \"8.20.0\", \"version_affected\": \"\u003c\"}]}, \"product_name\": \"myPRO\"}]}, \"vendor_name\": \"mySCADA\"}]}}, \"solution\": [{\"lang\": \"en\", \"value\": \"mySCADA recommends users apply update v8.20.0 or later.\"}], \"data_type\": \"CVE\", \"generator\": {\"engine\": \"Vulnogram 0.0.9\"}, \"references\": {\"reference_data\": [{\"url\": \"https://www.cisa.gov/uscert/ics/advisories/icsa-21-217-03\", \"name\": \"https://www.cisa.gov/uscert/ics/advisories/icsa-21-217-03\", \"refsource\": \"MISC\"}, {\"url\": \"https://www.myscada.org/version-8-20-0-released-security-update\", \"name\": \"https://www.myscada.org/version-8-20-0-released-security-update\", \"refsource\": \"CONFIRM\"}]}, \"data_format\": \"MITRE\", \"description\": {\"description_data\": [{\"lang\": \"eng\", \"value\": \"mySCADA myPRO versions prior to 8.20.0 allows an unauthenticated remote attacker to upload arbitrary files to arbitrary directories.\"}]}, \"problemtype\": {\"problemtype_data\": [{\"description\": [{\"lang\": \"eng\", \"value\": \"CWE-22: Path Traversal\"}]}]}, \"data_version\": \"4.0\", \"CVE_data_meta\": {\"ID\": \"CVE-2021-33005\", \"STATE\": \"PUBLIC\", \"TITLE\": \"mySCADA myPRO Path Traversal\", \"ASSIGNER\": \"ics-cert@hq.dhs.gov\", \"DATE_PUBLIC\": \"2021-08-05T21:32:00.000Z\"}}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2021-33005\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-04-16T16:21:55.101Z\", \"dateReserved\": \"2021-05-13T00:00:00.000Z\", \"assignerOrgId\": \"7d14cffa-0d7d-4270-9dc0-52cabd5a23a6\", \"datePublished\": \"2022-05-13T15:18:40.002Z\", \"assignerShortName\": \"icscert\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

GSD-2021-33005

Vulnerability from gsd - Updated: 2023-12-13 01:23

Details

mySCADA myPRO versions prior to 8.20.0 allows an unauthenticated remote attacker to upload arbitrary files to arbitrary directories.

Aliases

CVE-2021-33005

Aliases

CVE-2021-33005

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2021-33005",
    "description": "mySCADA myPRO versions prior to 8.20.0 allows an unauthenticated remote attacker to upload arbitrary files to arbitrary directories.",
    "id": "GSD-2021-33005"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2021-33005"
      ],
      "details": "mySCADA myPRO versions prior to 8.20.0 allows an unauthenticated remote attacker to upload arbitrary files to arbitrary directories.",
      "id": "GSD-2021-33005",
      "modified": "2023-12-13T01:23:18.296459Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "ics-cert@hq.dhs.gov",
        "DATE_PUBLIC": "2021-08-05T21:32:00.000Z",
        "ID": "CVE-2021-33005",
        "STATE": "PUBLIC",
        "TITLE": "mySCADA myPRO Path Traversal"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "myPRO",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c",
                          "version_value": "8.20.0"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "mySCADA"
            }
          ]
        }
      },
      "credit": [
        {
          "lang": "eng",
          "value": "Michael Heinzl reported these vulnerabilities to CISA."
        }
      ],
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "mySCADA myPRO versions prior to 8.20.0 allows an unauthenticated remote attacker to upload arbitrary files to arbitrary directories."
          }
        ]
      },
      "generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "impact": {
        "cvss": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
          "version": "3.1"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-22: Path Traversal"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-217-03",
            "refsource": "MISC",
            "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-217-03"
          },
          {
            "name": "https://www.myscada.org/version-8-20-0-released-security-update",
            "refsource": "CONFIRM",
            "url": "https://www.myscada.org/version-8-20-0-released-security-update"
          }
        ]
      },
      "solution": [
        {
          "lang": "eng",
          "value": "mySCADA recommends users apply update v8.20.0 or later. "
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:myscada:mypro:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "8.20.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "ics-cert@hq.dhs.gov",
          "ID": "CVE-2021-33005"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "mySCADA myPRO versions prior to 8.20.0 allows an unauthenticated remote attacker to upload arbitrary files to arbitrary directories."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-22"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-217-03",
              "refsource": "MISC",
              "tags": [
                "Third Party Advisory",
                "US Government Resource"
              ],
              "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-217-03"
            },
            {
              "name": "https://www.myscada.org/version-8-20-0-released-security-update",
              "refsource": "CONFIRM",
              "tags": [
                "Release Notes",
                "Vendor Advisory"
              ],
              "url": "https://www.myscada.org/version-8-20-0-released-security-update"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 5.0,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      },
      "lastModifiedDate": "2022-05-24T20:41Z",
      "publishedDate": "2022-05-13T16:15Z"
    }
  }
}

VAR-202108-2252

Vulnerability from variot - Updated: 2023-12-18 11:02

mySCADA myPRO versions prior to 8.20.0 allows an unauthenticated remote attacker to upload arbitrary files to arbitrary directories. mySCADA Provided by the company myPRO The following multiple vulnerabilities exist in. * Inadequate access control ( CWE-284 ) - CVE-2021-33013 ‥ * Unlimited uploads of dangerous types of files ( CWE-434 ) - CVE-2021-33009 ‥ * Past traversal ( CWE-22 ) - CVE-2021-33005 ‥ * Information leakage due to exposure of directory information ( CWE-548 ) - CVE-2021-27505The expected impact depends on each vulnerability, but it may be affected as follows. * Sensitive information about the system can be read by a remote third party - CVE-2021-33013 ‥ * Any file uploaded to the file system by an unauthenticated remote third party - CVE-2021-33009 ‥ * Any file uploaded to any directory by an unauthenticated remote third party - CVE-2021-33005 ‥ * Sensitive directory list information can be read by a remote third party - CVE-2021-27505. Pillow is a Python-based image processing library. There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements

Show details on source website

JSON

To clipboard

{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-202108-2252",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "mypro",
        "scope": "lt",
        "trust": 1.0,
        "vendor": "myscada",
        "version": "8.20.0"
      },
      {
        "model": "mypro",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "myscada",
        "version": null
      },
      {
        "model": "mypro",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "myscada",
        "version": "v8.20.0  all earlier  s"
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-002267"
      },
      {
        "db": "NVD",
        "id": "CVE-2021-33005"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:myscada:mypro:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "8.20.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2021-33005"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Michael Heinzl reported these vulnerabilities to CISA.",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202108-512"
      }
    ],
    "trust": 0.6
  },
  "cve": "CVE-2021-33005",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "acInsufInfo": false,
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "NVD",
            "availabilityImpact": "NONE",
            "baseScore": 5.0,
            "confidentialityImpact": "NONE",
            "exploitabilityScore": 10.0,
            "impactScore": 2.9,
            "integrityImpact": "PARTIAL",
            "obtainAllPrivilege": false,
            "obtainOtherPrivilege": false,
            "obtainUserPrivilege": false,
            "severity": "MEDIUM",
            "trust": 1.0,
            "userInteractionRequired": false,
            "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          }
        ],
        "cvssV3": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "author": "NVD",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "exploitabilityScore": 3.9,
            "impactScore": 3.6,
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "trust": 2.0,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          },
          {
            "attackComplexity": "Low",
            "attackVector": "Network",
            "author": "OTHER",
            "availabilityImpact": "None",
            "baseScore": 7.5,
            "baseSeverity": "High",
            "confidentialityImpact": "None",
            "exploitabilityScore": null,
            "id": "JVNDB-2021-002267",
            "impactScore": null,
            "integrityImpact": "High",
            "privilegesRequired": "None",
            "scope": "Unchanged",
            "trust": 0.8,
            "userInteraction": "None",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.0"
          }
        ],
        "severity": [
          {
            "author": "NVD",
            "id": "CVE-2021-33005",
            "trust": 1.0,
            "value": "HIGH"
          },
          {
            "author": "ics-cert@hq.dhs.gov",
            "id": "CVE-2021-33005",
            "trust": 1.0,
            "value": "HIGH"
          },
          {
            "author": "OTHER",
            "id": "JVNDB-2021-002267",
            "trust": 0.8,
            "value": "High"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-202108-512",
            "trust": 0.6,
            "value": "HIGH"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-202104-975",
            "trust": 0.6,
            "value": "MEDIUM"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-002267"
      },
      {
        "db": "NVD",
        "id": "CVE-2021-33005"
      },
      {
        "db": "NVD",
        "id": "CVE-2021-33005"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202108-512"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202104-975"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "mySCADA myPRO versions prior to 8.20.0 allows an unauthenticated remote attacker to upload arbitrary files to arbitrary directories. mySCADA Provided by the company myPRO The following multiple vulnerabilities exist in. * Inadequate access control ( CWE-284 ) - CVE-2021-33013 \u2025 * Unlimited uploads of dangerous types of files ( CWE-434 ) - CVE-2021-33009 \u2025 * Past traversal ( CWE-22 ) - CVE-2021-33005 \u2025 * Information leakage due to exposure of directory information ( CWE-548 ) - CVE-2021-27505The expected impact depends on each vulnerability, but it may be affected as follows. * Sensitive information about the system can be read by a remote third party - CVE-2021-33013 \u2025 * Any file uploaded to the file system by an unauthenticated remote third party - CVE-2021-33009 \u2025 * Any file uploaded to any directory by an unauthenticated remote third party - CVE-2021-33005 \u2025 * Sensitive directory list information can be read by a remote third party - CVE-2021-27505. Pillow is a Python-based image processing library. \nThere is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2021-33005"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-002267"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202104-975"
      },
      {
        "db": "VULMON",
        "id": "CVE-2021-33005"
      }
    ],
    "trust": 2.25
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "ICS CERT",
        "id": "ICSA-21-217-03",
        "trust": 2.5
      },
      {
        "db": "NVD",
        "id": "CVE-2021-33005",
        "trust": 2.5
      },
      {
        "db": "JVN",
        "id": "JVNVU94730303",
        "trust": 0.8
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-002267",
        "trust": 0.8
      },
      {
        "db": "CS-HELP",
        "id": "SB2021080605",
        "trust": 0.6
      },
      {
        "db": "AUSCERT",
        "id": "ESB-2021.2659",
        "trust": 0.6
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202108-512",
        "trust": 0.6
      },
      {
        "db": "CS-HELP",
        "id": "SB2021041363",
        "trust": 0.6
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202104-975",
        "trust": 0.6
      },
      {
        "db": "VULMON",
        "id": "CVE-2021-33005",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "VULMON",
        "id": "CVE-2021-33005"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-002267"
      },
      {
        "db": "NVD",
        "id": "CVE-2021-33005"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202108-512"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202104-975"
      }
    ]
  },
  "id": "VAR-202108-2252",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "VARIoT devices database",
        "id": null
      }
    ],
    "trust": 0.37446198
  },
  "last_update_date": "2023-12-18T11:02:11.274000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "VERSION\u00a08.20.0\u00a0RELEASED",
        "trust": 0.8,
        "url": "https://www.myscada.org/version-8-20-0-released-security-update/"
      },
      {
        "title": "mySCADA myPRO Repair measures for path traversal vulnerabilities",
        "trust": 0.6,
        "url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=159496"
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-002267"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202108-512"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-22",
        "trust": 1.0
      },
      {
        "problemtype": "Path traversal (CWE-22) [ Other ]",
        "trust": 0.8
      },
      {
        "problemtype": " Inappropriate access control (CWE-284) [ Other ]",
        "trust": 0.8
      },
      {
        "problemtype": " Unlimited upload of dangerous types of files (CWE-434) [ Other ]",
        "trust": 0.8
      },
      {
        "problemtype": " Information leakage due to directory listing (CWE-548) [ Other ]",
        "trust": 0.8
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-002267"
      },
      {
        "db": "NVD",
        "id": "CVE-2021-33005"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 1.7,
        "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-217-03"
      },
      {
        "trust": 1.7,
        "url": "https://www.myscada.org/version-8-20-0-released-security-update"
      },
      {
        "trust": 1.4,
        "url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-217-03"
      },
      {
        "trust": 0.8,
        "url": "http://jvn.jp/cert/jvnvu94730303"
      },
      {
        "trust": 0.6,
        "url": "https://cxsecurity.com/cveshow/cve-2021-33005/"
      },
      {
        "trust": 0.6,
        "url": "https://www.cybersecurity-help.cz/vdb/sb2021080605"
      },
      {
        "trust": 0.6,
        "url": "https://www.auscert.org.au/bulletins/esb-2021.2659"
      },
      {
        "trust": 0.6,
        "url": "https://www.cybersecurity-help.cz/vdb/sb2021041363"
      },
      {
        "trust": 0.1,
        "url": "https://cwe.mitre.org/data/definitions/22.html"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov"
      }
    ],
    "sources": [
      {
        "db": "VULMON",
        "id": "CVE-2021-33005"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-002267"
      },
      {
        "db": "NVD",
        "id": "CVE-2021-33005"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202108-512"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202104-975"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "VULMON",
        "id": "CVE-2021-33005"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-002267"
      },
      {
        "db": "NVD",
        "id": "CVE-2021-33005"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202108-512"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202104-975"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2022-05-13T00:00:00",
        "db": "VULMON",
        "id": "CVE-2021-33005"
      },
      {
        "date": "2021-08-10T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2021-002267"
      },
      {
        "date": "2022-05-13T16:15:07.950000",
        "db": "NVD",
        "id": "CVE-2021-33005"
      },
      {
        "date": "2021-08-05T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202108-512"
      },
      {
        "date": "2021-04-13T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202104-975"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2022-05-13T00:00:00",
        "db": "VULMON",
        "id": "CVE-2021-33005"
      },
      {
        "date": "2021-08-10T07:19:00",
        "db": "JVNDB",
        "id": "JVNDB-2021-002267"
      },
      {
        "date": "2022-05-24T20:41:52.433000",
        "db": "NVD",
        "id": "CVE-2021-33005"
      },
      {
        "date": "2022-05-25T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202108-512"
      },
      {
        "date": "2021-04-14T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202104-975"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202108-512"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "mySCADA\u00a0 Made \u00a0myPRO\u00a0 Multiple vulnerabilities in",
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-002267"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "path traversal",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202108-512"
      }
    ],
    "trust": 0.6
  }
}

GHSA-RR6G-RF3H-GH6X

Vulnerability from github – Published: 2022-05-14 00:01 – Updated: 2022-05-25 00:00

Details

mySCADA myPRO versions prior to 8.20.0 allows an unauthenticated remote attacker to upload arbitrary files to arbitrary directories.

Severity ?

7.5 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2021-33005"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-05-13T16:15:00Z",
    "severity": "HIGH"
  },
  "details": "mySCADA myPRO versions prior to 8.20.0 allows an unauthenticated remote attacker to upload arbitrary files to arbitrary directories.",
  "id": "GHSA-rr6g-rf3h-gh6x",
  "modified": "2022-05-25T00:00:19Z",
  "published": "2022-05-14T00:01:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33005"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-217-03"
    },
    {
      "type": "WEB",
      "url": "https://www.myscada.org/version-8-20-0-released-security-update"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

ICSA-21-217-03

Vulnerability from csaf_cisa - Published: 2021-08-05 00:00 - Updated: 2021-08-05 00:00

Summary

ICSA-21-217-03_mySCADA myPRO

Notes

CISA Disclaimer

This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov

Summary

Michael Heinzl reported these vulnerabilities to CISA.

Exploitability

No known public exploits specifically target these vulnerabilities.

JSON

To clipboard

{
  "document": {
    "acknowledgments": [
      {
        "names": [
          "Michael Heinzl"
        ],
        "summary": "reporting these vulnerabilities to CISA"
      }
    ],
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Disclosure is not limited",
      "tlp": {
        "label": "WHITE"
      }
    },
    "lang": "en-US",
    "notes": [
      {
        "category": "general",
        "text": "This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov",
        "title": "CISA Disclaimer"
      },
      {
        "category": "summary",
        "text": "Michael Heinzl reported these vulnerabilities to CISA.",
        "title": "Summary"
      },
      {
        "category": "other",
        "text": "No known public exploits specifically target these vulnerabilities.",
        "title": "Exploitability"
      }
    ],
    "publisher": {
      "category": "coordinator",
      "contact_details": "CISAservicedesk@cisa.dhs.gov",
      "name": "CISA",
      "namespace": "https://www.cisa.gov/"
    },
    "references": [
      {
        "category": "self",
        "summary": "ICS Advisory ICSA-21-217-03 JSON",
        "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/OT/white/2021/icsa-21-217-03.json"
      },
      {
        "category": "self",
        "summary": "ICS Advisory ICSA-21-217-03 Web Version",
        "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-21-217-03"
      }
    ],
    "title": "ICSA-21-217-03_mySCADA myPRO",
    "tracking": {
      "current_release_date": "2021-08-05T00:00:00.000000Z",
      "generator": {
        "engine": {
          "name": "CISA USCert CSAF Generator",
          "version": "1"
        }
      },
      "id": "ICSA-21-217-03",
      "initial_release_date": "2021-08-05T00:00:00.000000Z",
      "revision_history": [
        {
          "date": "2021-08-05T00:00:00.000000Z",
          "legacy_version": "Initial",
          "number": "1",
          "summary": "ICSA-21-217-03 mySCADA myPRO"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c 8.20.0",
                "product": {
                  "name": "myPRO: All versions prior to 8.20.0",
                  "product_id": "CSAFPID-0001"
                }
              }
            ],
            "category": "product_name",
            "name": "myPRO"
          }
        ],
        "category": "vendor",
        "name": "mySCADA"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2021-33013",
      "cwe": {
        "id": "CWE-284",
        "name": "Improper Access Control"
      },
      "notes": [
        {
          "category": "summary",
          "text": "The affected product does not restrict unauthorized read access to sensitive system information.CVE-2021-33013 has been assigned to this vulnerability. A CVSS v3 base score of 8.2 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N).",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001"
        ]
      },
      "references": [
        {
          "summary": "www.first.org",
          "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"
        }
      ],
      "remediations": [
        {
          "category": "mitigation",
          "details": "mySCADA recommends users apply update v8.20.0 or later.",
          "product_ids": [
            "CSAFPID-0001"
          ],
          "url": "https://www.myscada.org/version-8-20-0-released-security-update"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
            "version": "3.0"
          },
          "products": [
            "CSAFPID-0001"
          ]
        }
      ],
      "title": "CVE-2021-33013"
    },
    {
      "cve": "CVE-2021-33009",
      "cwe": {
        "id": "CWE-434",
        "name": "Unrestricted Upload of File with Dangerous Type"
      },
      "notes": [
        {
          "category": "summary",
          "text": "The affected product allows an unauthenticated remote attacker to upload arbitrary files to the file system.CVE-2021-33009 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001"
        ]
      },
      "references": [
        {
          "summary": "www.first.org",
          "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
        }
      ],
      "remediations": [
        {
          "category": "mitigation",
          "details": "mySCADA recommends users apply update v8.20.0 or later.",
          "product_ids": [
            "CSAFPID-0001"
          ],
          "url": "https://www.myscada.org/version-8-20-0-released-security-update"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.0"
          },
          "products": [
            "CSAFPID-0001"
          ]
        }
      ],
      "title": "CVE-2021-33009"
    },
    {
      "cve": "CVE-2021-33005",
      "cwe": {
        "id": "CWE-22",
        "name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
      },
      "notes": [
        {
          "category": "summary",
          "text": "The affected product allows an unauthenticated remote attacker to upload arbitrary files to arbitrary directories.CVE-2021-33005 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AAV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001"
        ]
      },
      "references": [
        {
          "summary": "www.first.org",
          "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
        }
      ],
      "remediations": [
        {
          "category": "mitigation",
          "details": "mySCADA recommends users apply update v8.20.0 or later.",
          "product_ids": [
            "CSAFPID-0001"
          ],
          "url": "https://www.myscada.org/version-8-20-0-released-security-update"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.0"
          },
          "products": [
            "CSAFPID-0001"
          ]
        }
      ],
      "title": "CVE-2021-33005"
    },
    {
      "cve": "CVE-2021-27505",
      "cwe": {
        "id": "CWE-548",
        "name": "Exposure of Information Through Directory Listing"
      },
      "notes": [
        {
          "category": "summary",
          "text": "The affected product does not restrict unauthorized read access to sensitive directory listing information.CVE-2021-27505 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001"
        ]
      },
      "references": [
        {
          "summary": "www.first.org",
          "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
        }
      ],
      "remediations": [
        {
          "category": "mitigation",
          "details": "mySCADA recommends users apply update v8.20.0 or later.",
          "product_ids": [
            "CSAFPID-0001"
          ],
          "url": "https://www.myscada.org/version-8-20-0-released-security-update"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.0"
          },
          "products": [
            "CSAFPID-0001"
          ]
        }
      ],
      "title": "CVE-2021-27505"
    }
  ]
}

FKIE_CVE-2021-33005

Vulnerability from fkie_nvd - Published: 2022-05-13 16:15 - Updated: 2024-11-21 06:08

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Summary

mySCADA myPRO versions prior to 8.20.0 allows an unauthenticated remote attacker to upload arbitrary files to arbitrary directories.

References

URL	Tags
ics-cert@hq.dhs.gov	https://www.cisa.gov/uscert/ics/advisories/icsa-21-217-03	Third Party Advisory, US Government Resource
ics-cert@hq.dhs.gov	https://www.myscada.org/version-8-20-0-released-security-update	Release Notes, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://www.cisa.gov/uscert/ics/advisories/icsa-21-217-03	Third Party Advisory, US Government Resource
af854a3a-2127-422b-91ae-364da2661108	https://www.myscada.org/version-8-20-0-released-security-update	Release Notes, Vendor Advisory

Impacted products

	Vendor	Product	Version
	myscada	mypro	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:myscada:mypro:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "1DDCAD9A-0464-4431-AC41-88D4A57354BD",
              "versionEndExcluding": "8.20.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "mySCADA myPRO versions prior to 8.20.0 allows an unauthenticated remote attacker to upload arbitrary files to arbitrary directories."
    },
    {
      "lang": "es",
      "value": "mySCADA myPRO versiones anteriores a la 8.20.0, permiten a un atacante remoto no autentificado cargar archivos arbitrarios en directorios arbitrarios"
    }
  ],
  "id": "CVE-2021-33005",
  "lastModified": "2024-11-21T06:08:06.603",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 5.0,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "ics-cert@hq.dhs.gov",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-05-13T16:15:07.950",
  "references": [
    {
      "source": "ics-cert@hq.dhs.gov",
      "tags": [
        "Third Party Advisory",
        "US Government Resource"
      ],
      "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-217-03"
    },
    {
      "source": "ics-cert@hq.dhs.gov",
      "tags": [
        "Release Notes",
        "Vendor Advisory"
      ],
      "url": "https://www.myscada.org/version-8-20-0-released-security-update"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "US Government Resource"
      ],
      "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-217-03"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes",
        "Vendor Advisory"
      ],
      "url": "https://www.myscada.org/version-8-20-0-released-security-update"
    }
  ],
  "sourceIdentifier": "ics-cert@hq.dhs.gov",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-22"
        }
      ],
      "source": "ics-cert@hq.dhs.gov",
      "type": "Secondary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2021-33005 (GCVE-0-2021-33005)

GSD-2021-33005

VAR-202108-2252

GHSA-RR6G-RF3H-GH6X

ICSA-21-217-03

FKIE_CVE-2021-33005

Tags

Sightings

Nomenclature