VAR-202107-1664
Vulnerability from variot - Updated: 2023-12-18 11:52AVEVA System Platform versions 2017 through 2020 R2 P01 does not properly verify that the source of data or communication is valid. AVEVA Provided by the company AVEVA System Platform The following multiple vulnerabilities exist in. * Lack of authentication for important features (CWE-306) - CVE-2021-33008 ‥ * Problems not handling exceptions (CWE-248) - CVE-2021-33010 ‥ * Path traversal (CWE-22) - CVE-2021-32981 ‥ * Same-origin policy violation (CWE-346) - CVE-2021-32985 ‥ * Improper verification of digital signatures (CWE-347) - CVE-2021-32977The expected impact depends on each vulnerability, but it may be affected as follows. * Arbitrary code execution with system privileges by a third party on the adjacent network - CVE-2021-33008 ‥ * Service operation obstruction by a remote third party (DoS) Be in a state - CVE-2021-33010 ‥ * The input value that specifies a file or directory under the access-restricted directory is not properly processed, so it is accessed outside the access-restricted directory by a remote third party. A responsive, standards-driven and scalable foundation for regulatory, enterprise SCADA, MES and IIoT applications. No detailed vulnerability details are currently available
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202107-1664",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "system platform",
"scope": "lt",
"trust": 1.0,
"vendor": "aveva",
"version": "2020"
},
{
"model": "system platform",
"scope": "eq",
"trust": 1.0,
"vendor": "aveva",
"version": "2020"
},
{
"model": "system platform",
"scope": "gte",
"trust": 1.0,
"vendor": "aveva",
"version": "2017"
},
{
"model": "system platform",
"scope": "lte",
"trust": 0.8,
"vendor": "aveva",
"version": "2017 from 2020 r2 p01 until"
},
{
"model": "system platform",
"scope": "eq",
"trust": 0.8,
"vendor": "aveva",
"version": null
},
{
"model": "system platform r2 p01",
"scope": "gte",
"trust": 0.6,
"vendor": "aveva",
"version": "2017,\u003c=2020"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2021-102839"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-001897"
},
{
"db": "NVD",
"id": "CVE-2021-32985"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:aveva:system_platform:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "2020",
"versionStartIncluding": "2017",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:aveva:system_platform:2020:-:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:aveva:system_platform:2020:r2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:aveva:system_platform:2020:r2_p01:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2021-32985"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Sharon Brizinov of Claroty reported these vulnerabilities to AVEVA.",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202107-2080"
}
],
"trust": 0.6
},
"cve": "CVE-2021-32985",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"author": "NVD",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"trust": 1.0,
"userInteractionRequired": false,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "COMPLETE",
"baseScore": 10.0,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 10.0,
"id": "CNVD-2021-102839",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 0.6,
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "NVD",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 1.2,
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"trust": 2.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
{
"attackComplexity": "Low",
"attackVector": "Network",
"author": "IPA",
"availabilityImpact": "High",
"baseScore": 7.2,
"baseSeverity": "High",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "JVNDB-2021-001897",
"impactScore": null,
"integrityImpact": "High",
"privilegesRequired": "High",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "NVD",
"id": "CVE-2021-32985",
"trust": 1.0,
"value": "HIGH"
},
{
"author": "ics-cert@hq.dhs.gov",
"id": "CVE-2021-32985",
"trust": 1.0,
"value": "HIGH"
},
{
"author": "IPA",
"id": "JVNDB-2021-001897",
"trust": 0.8,
"value": "High"
},
{
"author": "CNVD",
"id": "CNVD-2021-102839",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "CNNVD",
"id": "CNNVD-202107-2080",
"trust": 0.6,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2021-102839"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-001897"
},
{
"db": "NVD",
"id": "CVE-2021-32985"
},
{
"db": "NVD",
"id": "CVE-2021-32985"
},
{
"db": "CNNVD",
"id": "CNNVD-202107-2080"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "AVEVA System Platform versions 2017 through 2020 R2 P01 does not properly verify that the source of data or communication is valid. AVEVA Provided by the company AVEVA System Platform The following multiple vulnerabilities exist in. * Lack of authentication for important features (CWE-306) - CVE-2021-33008 \u2025 * Problems not handling exceptions (CWE-248) - CVE-2021-33010 \u2025 * Path traversal (CWE-22) - CVE-2021-32981 \u2025 * Same-origin policy violation (CWE-346) - CVE-2021-32985 \u2025 * Improper verification of digital signatures (CWE-347) - CVE-2021-32977The expected impact depends on each vulnerability, but it may be affected as follows. * Arbitrary code execution with system privileges by a third party on the adjacent network - CVE-2021-33008 \u2025 * Service operation obstruction by a remote third party (DoS) Be in a state - CVE-2021-33010 \u2025 * The input value that specifies a file or directory under the access-restricted directory is not properly processed, so it is accessed outside the access-restricted directory by a remote third party. A responsive, standards-driven and scalable foundation for regulatory, enterprise SCADA, MES and IIoT applications. No detailed vulnerability details are currently available",
"sources": [
{
"db": "NVD",
"id": "CVE-2021-32985"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-001897"
},
{
"db": "CNVD",
"id": "CNVD-2021-102839"
},
{
"db": "CNNVD",
"id": "CNNVD-202107-2080"
}
],
"trust": 2.7
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2021-32985",
"trust": 3.0
},
{
"db": "ICS CERT",
"id": "ICSA-21-180-05",
"trust": 3.0
},
{
"db": "JVN",
"id": "JVNVU90207343",
"trust": 0.8
},
{
"db": "JVNDB",
"id": "JVNDB-2021-001897",
"trust": 0.8
},
{
"db": "CNVD",
"id": "CNVD-2021-102839",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2021.2281.2",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-202107-2080",
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2021-102839"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-001897"
},
{
"db": "NVD",
"id": "CVE-2021-32985"
},
{
"db": "CNNVD",
"id": "CNNVD-202107-2080"
}
]
},
"id": "VAR-202107-1664",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2021-102839"
}
],
"trust": 0.83076923
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"ICS"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2021-102839"
}
]
},
"last_update_date": "2023-12-18T11:52:58.839000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "SECURITY\u00a0BULLETIN\u00a0AVEVA-2021-002",
"trust": 0.8,
"url": "https://www.aveva.com/content/dam/aveva/documents/support/cyber-security-updates/securitybulletin_aveva-2021-002.pdf"
},
{
"title": "Patch for AVEVA System Platform Access Control Error Vulnerability",
"trust": 0.6,
"url": "https://www.cnvd.org.cn/patchinfo/show/310976"
},
{
"title": "AVEVA System Platform Fixes for access control error vulnerabilities",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=157925"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2021-102839"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-001897"
},
{
"db": "CNNVD",
"id": "CNNVD-202107-2080"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-346",
"trust": 1.0
},
{
"problemtype": "Uncaught exception (CWE-248) [IPA Evaluation ]",
"trust": 0.8
},
{
"problemtype": " Lack of authentication for important features (CWE-306) [IPA Evaluation ]",
"trust": 0.8
},
{
"problemtype": " Path traversal (CWE-22) [IPA Evaluation ]",
"trust": 0.8
},
{
"problemtype": " Same-origin policy violation (CWE-346) [IPA Evaluation ]",
"trust": 0.8
},
{
"problemtype": " Improper verification of digital signatures (CWE-347) [IPA Evaluation ]",
"trust": 0.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2021-001897"
},
{
"db": "NVD",
"id": "CVE-2021-32985"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.0,
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-180-05"
},
{
"trust": 1.6,
"url": "https://www.aveva.com/content/dam/aveva/documents/support/cyber-security-updates/securitybulletin_aveva-2021-002.pdf"
},
{
"trust": 1.6,
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-180-05"
},
{
"trust": 0.8,
"url": "http://jvn.jp/cert/jvnvu90207343"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2021.2281.2"
},
{
"trust": 0.6,
"url": "https://cxsecurity.com/cveshow/cve-2021-32985/"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2021-102839"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-001897"
},
{
"db": "NVD",
"id": "CVE-2021-32985"
},
{
"db": "CNNVD",
"id": "CNNVD-202107-2080"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CNVD",
"id": "CNVD-2021-102839"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-001897"
},
{
"db": "NVD",
"id": "CVE-2021-32985"
},
{
"db": "CNNVD",
"id": "CNNVD-202107-2080"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2021-12-28T00:00:00",
"db": "CNVD",
"id": "CNVD-2021-102839"
},
{
"date": "2021-07-01T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2021-001897"
},
{
"date": "2022-04-04T20:15:09.150000",
"db": "NVD",
"id": "CVE-2021-32985"
},
{
"date": "2021-07-27T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202107-2080"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2022-01-18T00:00:00",
"db": "CNVD",
"id": "CNVD-2021-102839"
},
{
"date": "2021-07-30T09:35:00",
"db": "JVNDB",
"id": "JVNDB-2021-001897"
},
{
"date": "2022-04-13T12:49:59.053000",
"db": "NVD",
"id": "CVE-2021-32985"
},
{
"date": "2022-04-14T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202107-2080"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202107-2080"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "AVEVA System Platform Access Control Error Vulnerability",
"sources": [
{
"db": "CNVD",
"id": "CNVD-2021-102839"
},
{
"db": "CNNVD",
"id": "CNNVD-202107-2080"
}
],
"trust": 1.2
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "access control error",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202107-2080"
}
],
"trust": 0.6
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…