CVE-2021-42797

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

P

ath traversal vulnerability in AVEVA Edge (formerly InduSoft Web Studio) versions R2020 and prior allows an unauthenticated user to steal the Windows access token of the user account configured for accessing external DB resources.

References

Link	Resource
https://www.aveva.com/en/products/edge/	Product
https://www.cisa.gov/news-events/ics-advisories/icsa-22-326-01	Third Party Advisory US Government Resource
https://www.aveva.com/en/products/edge/	Product
https://www.cisa.gov/news-events/ics-advisories/icsa-22-326-01	Third Party Advisory US Government Resource

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:aveva:edge::::::::
	cpe:2.3:a:aveva:edge:2020:-::::::
	cpe:2.3:a:aveva:edge:2020:r2:-:::::*
	cpe:2.3:a:aveva:edge:2020:r2:sp1:::::*

History

21 Nov 2024, 06:28

Type	Values Removed	Values Added
References	~~() https://www.aveva.com/en/products/edge/ - Product~~	() https://www.aveva.com/en/products/edge/ - Product
References	~~() https://www.cisa.gov/news-events/ics-advisories/icsa-22-326-01 - Third Party Advisory, US Government Resource~~	() https://www.cisa.gov/news-events/ics-advisories/icsa-22-326-01 - Third Party Advisory, US Government Resource

Information

Published : 2023-12-16 01:15

Updated : 2024-11-21 06:28

NVD link : CVE-2021-42797

Mitre link : CVE-2021-42797

CVE.ORG link : CVE-2021-42797

JSON object : View

Products Affected

edge

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

{"id": "CVE-2021-42797", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2023-12-16T01:15:07.587", "references": [{"url": "https://www.aveva.com/en/products/edge/", "tags": ["Product"], "source": "[email protected]"}, {"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-22-326-01", "tags": ["Third Party Advisory", "US Government Resource"], "source": "[email protected]"}, {"url": "https://www.aveva.com/en/products/edge/", "tags": ["Product"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-22-326-01", "tags": ["Third Party Advisory", "US Government Resource"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-22"}]}], "descriptions": [{"lang": "en", "value": "Path traversal vulnerability in AVEVA Edge (formerly InduSoft Web Studio) versions R2020 and prior allows an unauthenticated user to steal the Windows access token of the user account configured for accessing external DB resources."}, {"lang": "es", "value": "Vulnerabilidad de path traversal en las versiones R2020 y anteriores de AVEVA Edge (anteriormente InduSoft Web Studio) permite que un usuario no autenticado robe el token de acceso de Windows de la cuenta de usuario configurada para acceder a recursos de base de datos externos."}], "lastModified": "2024-11-21T06:28:11.290", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:aveva:edge:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1838ED5C-E082-4087-A55D-8038A308510C", "versionEndExcluding": "2020"}, {"criteria": "cpe:2.3:a:aveva:edge:2020:-:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "AF8F7975-0BF0-446E-A33C-306D9045BE5D"}, {"criteria": "cpe:2.3:a:aveva:edge:2020:r2:-:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F6A6358A-9F55-452A-8378-5BF05473EDFA"}, {"criteria": "cpe:2.3:a:aveva:edge:2020:r2:sp1:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D5080C65-4773-4AF2-B385-9FD02BAD5237"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}