Common Weakness Enumeration

CWE-476

Allowed

NULL Pointer Dereference

Abstraction: Base · Status: Stable

The product dereferences a pointer that it expects to be valid but is NULL.

6310 vulnerabilities reference this CWE, most recent first.

CVE-2021-33714 (GCVE-0-2021-33714)

Vulnerability from cvelistv5 – Published: 2021-07-13 11:03 – Updated: 2024-08-03 23:58
VLAI
Summary
A vulnerability has been identified in JT Utilities (All versions < V13.0.2.0). When parsing specially crafted JT files, a missing check for the validity of an iterator leads to NULL pointer deference condition, causing the application to crash. An attacker could leverage this vulnerability to cause a Denial-of-Service condition in the application.
Severity
No CVSS data available.
CWE
  • CWE-476 - NULL Pointer Dereference
Assigner
References
Impacted products
Vendor Product Version
Siemens JT Utilities Affected: All versions < V13.0.2.0
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T23:58:22.579Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-209268.pdf"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "JT Utilities",
          "vendor": "Siemens",
          "versions": [
            {
              "status": "affected",
              "version": "All versions \u003c V13.0.2.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability has been identified in JT Utilities (All versions \u003c V13.0.2.0). When parsing specially crafted JT files, a missing check for the validity of an iterator leads to NULL pointer deference condition, causing the application to crash. An attacker could leverage this vulnerability to cause a Denial-of-Service condition in the application."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-476",
              "description": "CWE-476: NULL Pointer Dereference",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-07-13T11:03:04.000Z",
        "orgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77",
        "shortName": "siemens"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-209268.pdf"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "productcert@siemens.com",
          "ID": "CVE-2021-33714",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "JT Utilities",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "All versions \u003c V13.0.2.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Siemens"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A vulnerability has been identified in JT Utilities (All versions \u003c V13.0.2.0). When parsing specially crafted JT files, a missing check for the validity of an iterator leads to NULL pointer deference condition, causing the application to crash. An attacker could leverage this vulnerability to cause a Denial-of-Service condition in the application."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-476: NULL Pointer Dereference"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://cert-portal.siemens.com/productcert/pdf/ssa-209268.pdf",
              "refsource": "MISC",
              "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-209268.pdf"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77",
    "assignerShortName": "siemens",
    "cveId": "CVE-2021-33714",
    "datePublished": "2021-07-13T11:03:04.000Z",
    "dateReserved": "2021-05-28T00:00:00.000Z",
    "dateUpdated": "2024-08-03T23:58:22.579Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2021-33630 (GCVE-0-2021-33630)

Vulnerability from cvelistv5 – Published: 2024-01-18 15:00 – Updated: 2025-05-07 20:14
VLAI
Title
NULL-ptr-deref in network sched
Summary
NULL Pointer Dereference vulnerability in openEuler kernel on Linux (network modules) allows Pointer Manipulation. This vulnerability is associated with program files net/sched/sch_cbs.C. This issue affects openEuler kernel: from 4.19.90 before 4.19.90-2401.3.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-476 - NULL Pointer Dereference
Assigner
Impacted products
Vendor Product Version
openEuler kernel Affected: 4.19.90 , < 4.19.90-2401.3 (git)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T23:58:21.572Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1030"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1031"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://gitee.com/src-openeuler/kernel/pulls/1389"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=3e8b9bfa110896f95d602d8c98d5f9d67e41d78c"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2024/01/30/3"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2024/01/30/4"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2024/01/30/5"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2024/01/30/9"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2024/01/30/10"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2024/01/31/3"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2024/01/31/2"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2024/02/02/6"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2024/02/02/9"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2024/02/03/1"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2021-33630",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-07T20:14:40.648453Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-07T20:14:53.453Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://gitee.com/src-openeuler",
          "defaultStatus": "unaffected",
          "modules": [
            "network"
          ],
          "packageName": "kernel",
          "platforms": [
            "Linux"
          ],
          "product": "kernel",
          "programFiles": [
            "https://gitee.com/openeuler/kernel/blob/openEuler-1.0-LTS/net/sched/sch_cbs.c"
          ],
          "repo": "https://gitee.com/src-openeuler/kernel",
          "vendor": "openEuler",
          "versions": [
            {
              "changes": [
                {
                  "at": "b2239f607df25fc401179e6dd4b7406f942a7632 net/sched: cbs: Fix not adding cbs instance to list",
                  "status": "unaffected"
                }
              ],
              "lessThan": "4.19.90-2401.3",
              "status": "affected",
              "version": "4.19.90",
              "versionType": "git"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "NULL Pointer Dereference vulnerability in openEuler kernel on Linux (network modules) allows Pointer Manipulation.\u003cp\u003e This vulnerability is associated with program files \u003ctt\u003enet/sched/sch_cbs.C\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects openEuler kernel: from 4.19.90 before 4.19.90-2401.3.\u003c/p\u003e"
            }
          ],
          "value": "NULL Pointer Dereference vulnerability in openEuler kernel on Linux (network modules) allows Pointer Manipulation. This vulnerability is associated with program files net/sched/sch_cbs.C.\n\nThis issue affects openEuler kernel: from 4.19.90 before 4.19.90-2401.3."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-129",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-129 Pointer Manipulation"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-476",
              "description": "CWE-476 NULL Pointer Dereference",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-06-27T12:09:01.557Z",
        "orgId": "7e1ac599-2767-43fa-b3ea-f10178cc98f2",
        "shortName": "openEuler"
      },
      "references": [
        {
          "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1030"
        },
        {
          "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1031"
        },
        {
          "url": "https://gitee.com/src-openeuler/kernel/pulls/1389"
        },
        {
          "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=3e8b9bfa110896f95d602d8c98d5f9d67e41d78c"
        },
        {
          "url": "http://www.openwall.com/lists/oss-security/2024/01/30/3"
        },
        {
          "url": "http://www.openwall.com/lists/oss-security/2024/01/30/4"
        },
        {
          "url": "http://www.openwall.com/lists/oss-security/2024/01/30/5"
        },
        {
          "url": "http://www.openwall.com/lists/oss-security/2024/01/30/9"
        },
        {
          "url": "http://www.openwall.com/lists/oss-security/2024/01/30/10"
        },
        {
          "url": "http://www.openwall.com/lists/oss-security/2024/01/31/3"
        },
        {
          "url": "http://www.openwall.com/lists/oss-security/2024/01/31/2"
        },
        {
          "url": "http://www.openwall.com/lists/oss-security/2024/02/02/6"
        },
        {
          "url": "http://www.openwall.com/lists/oss-security/2024/02/02/9"
        },
        {
          "url": "http://www.openwall.com/lists/oss-security/2024/02/03/1"
        },
        {
          "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "NULL-ptr-deref in network sched",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7e1ac599-2767-43fa-b3ea-f10178cc98f2",
    "assignerShortName": "openEuler",
    "cveId": "CVE-2021-33630",
    "datePublished": "2024-01-18T15:00:49.312Z",
    "dateReserved": "2021-05-28T14:26:05.940Z",
    "dateUpdated": "2025-05-07T20:14:53.453Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2021-33572 (GCVE-0-2021-33572)

Vulnerability from cvelistv5 – Published: 2021-06-21 11:10 – Updated: 2024-09-16 23:52
VLAI
Title
Denial-of-Service (DoS) Vulnerability
Summary
A Denial-of-Service (DoS) vulnerability was discovered in F-Secure Linux Security whereby the FSAVD component used in certain F-Secure products can crash while scanning larger packages/fuzzed files. The exploit can be triggered remotely by an attacker. A successful attack will result in Denial-of-Service (DoS) of the Anti-Virus engine.
CWE
  • CWE-476 - NULL Pointer Dereference
Assigner
References
Impacted products
Vendor Product Version
F-Secure F-Secure Products Affected: All Version
Create a notification for this product.
Date Public
2021-06-03 00:00
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T23:50:43.030Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.f-secure.com/en/business/programs/vulnerability-reward-program/hall-of-fame"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.f-secure.com/en/business/support-and-downloads/security-advisories"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "platforms": [
            "x86 \u0026 x64"
          ],
          "product": "F-Secure Products",
          "vendor": "F-Secure",
          "versions": [
            {
              "status": "affected",
              "version": "All Version"
            }
          ]
        }
      ],
      "datePublic": "2021-06-03T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "A Denial-of-Service (DoS) vulnerability was discovered in F-Secure Linux Security whereby the FSAVD component used in certain F-Secure products can crash while scanning larger packages/fuzzed files. The exploit can be triggered remotely by an attacker. A successful attack will result in Denial-of-Service (DoS) of the Anti-Virus engine."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 3.5,
            "baseSeverity": "LOW",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-476",
              "description": "CWE-476 NULL Pointer Dereference",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-06-21T11:10:32.000Z",
        "orgId": "126858f1-1b65-4b74-81ca-7034f7f7723f",
        "shortName": "F-SecureUS"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.f-secure.com/en/business/programs/vulnerability-reward-program/hall-of-fame"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.f-secure.com/en/business/support-and-downloads/security-advisories"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "FIX - No User action is required. The required fix has been published through automatic update channel with Capricorn update 2021-04-29_07"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Denial-of-Service (DoS) Vulnerability",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve-notifications-us@f-secure.com",
          "DATE_PUBLIC": "2021-06-03T08:00:00.000Z",
          "ID": "CVE-2021-33572",
          "STATE": "PUBLIC",
          "TITLE": "Denial-of-Service (DoS) Vulnerability"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "F-Secure Products",
                      "version": {
                        "version_data": [
                          {
                            "platform": "x86 \u0026 x64",
                            "version_value": "All Version"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "F-Secure"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A Denial-of-Service (DoS) vulnerability was discovered in F-Secure Linux Security whereby the FSAVD component used in certain F-Secure products can crash while scanning larger packages/fuzzed files. The exploit can be triggered remotely by an attacker. A successful attack will result in Denial-of-Service (DoS) of the Anti-Virus engine."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 3.5,
            "baseSeverity": "LOW",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-476 NULL Pointer Dereference"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.f-secure.com/en/business/programs/vulnerability-reward-program/hall-of-fame",
              "refsource": "MISC",
              "url": "https://www.f-secure.com/en/business/programs/vulnerability-reward-program/hall-of-fame"
            },
            {
              "name": "https://www.f-secure.com/en/business/support-and-downloads/security-advisories",
              "refsource": "MISC",
              "url": "https://www.f-secure.com/en/business/support-and-downloads/security-advisories"
            }
          ]
        },
        "solution": [
          {
            "lang": "en",
            "value": "FIX - No User action is required. The required fix has been published through automatic update channel with Capricorn update 2021-04-29_07"
          }
        ],
        "source": {
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "126858f1-1b65-4b74-81ca-7034f7f7723f",
    "assignerShortName": "F-SecureUS",
    "cveId": "CVE-2021-33572",
    "datePublished": "2021-06-21T11:10:32.776Z",
    "dateReserved": "2021-05-25T00:00:00.000Z",
    "dateUpdated": "2024-09-16T23:52:06.428Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2021-32987 (GCVE-0-2021-32987)

Vulnerability from cvelistv5 – Published: 2021-09-23 13:33 – Updated: 2024-09-16 23:40
VLAI
Title
AVEVA SuiteLink Server Null Pointer Dereference
Summary
Null pointer dereference in SuiteLink server while processing command 0x0b
CWE
  • CWE-476 - NULL Pointer Dereference
Assigner
References
Date Public
2021-08-19 00:00
Credits
Sharon Brizinov of Claroty reported these vulnerabilities to AVEVA
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T23:42:19.256Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.aveva.com/content/dam/aveva/documents/support/cyber-security-updates/SecurityBulletin_AVEVA-2021-003.pdf"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "AVEVA System Platform 2020",
          "vendor": "AVEVA Software, LLC",
          "versions": [
            {
              "lessThanOrEqual": "R2 P01",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "AVEVA InTouch 2020",
          "vendor": "AVEVA Software, LLC",
          "versions": [
            {
              "lessThanOrEqual": "R2 P01",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "AVEVA Historian 2020",
          "vendor": "AVEVA Software, LLC",
          "versions": [
            {
              "lessThanOrEqual": "R2 P01",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "AVEVA Communication Drivers Pack 2020",
          "vendor": "AVEVA Software, LLC",
          "versions": [
            {
              "lessThanOrEqual": "R2",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "AVEVA Batch Management 2020",
          "vendor": "AVEVA Software, LLC",
          "versions": [
            {
              "lessThanOrEqual": "2020",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "AVEVA MES 2014",
          "vendor": "AVEVA Software, LLC",
          "versions": [
            {
              "lessThanOrEqual": "R2",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Sharon Brizinov of Claroty reported these vulnerabilities to AVEVA"
        }
      ],
      "datePublic": "2021-08-19T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "Null pointer dereference in SuiteLink server while processing command 0x0b"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-476",
              "description": "CWE-476 NULL Pointer Dereference",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-09-23T13:33:22.000Z",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.aveva.com/content/dam/aveva/documents/support/cyber-security-updates/SecurityBulletin_AVEVA-2021-003.pdf"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "AVEVA recommends organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation.\n\nUsers with affected versions of these products should apply the corresponding security update. Note a subset of the updates requires activation-based licensing.\n\nPlease see AVEVA security bulletin AVEVA-2021-003 for more information."
        }
      ],
      "source": {
        "advisory": "ICSA-21-231-01",
        "discovery": "UNKNOWN"
      },
      "title": "AVEVA SuiteLink Server Null Pointer Dereference",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "ics-cert@hq.dhs.gov",
          "DATE_PUBLIC": "2021-08-19T15:00:00.000Z",
          "ID": "CVE-2021-32987",
          "STATE": "PUBLIC",
          "TITLE": "AVEVA SuiteLink Server Null Pointer Dereference"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "AVEVA System Platform 2020",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_value": "R2 P01"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "AVEVA InTouch 2020",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_value": "R2 P01"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "AVEVA Historian 2020",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_value": "R2 P01"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "AVEVA Communication Drivers Pack 2020",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_value": "R2"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "AVEVA Batch Management 2020",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_value": "2020"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "AVEVA MES 2014",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_value": "R2"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "AVEVA Software, LLC"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Sharon Brizinov of Claroty reported these vulnerabilities to AVEVA"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Null pointer dereference in SuiteLink server while processing command 0x0b"
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-476 NULL Pointer Dereference"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.aveva.com/content/dam/aveva/documents/support/cyber-security-updates/SecurityBulletin_AVEVA-2021-003.pdf",
              "refsource": "CONFIRM",
              "url": "https://www.aveva.com/content/dam/aveva/documents/support/cyber-security-updates/SecurityBulletin_AVEVA-2021-003.pdf"
            }
          ]
        },
        "solution": [
          {
            "lang": "en",
            "value": "AVEVA recommends organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation.\n\nUsers with affected versions of these products should apply the corresponding security update. Note a subset of the updates requires activation-based licensing.\n\nPlease see AVEVA security bulletin AVEVA-2021-003 for more information."
          }
        ],
        "source": {
          "advisory": "ICSA-21-231-01",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2021-32987",
    "datePublished": "2021-09-23T13:33:22.051Z",
    "dateReserved": "2021-05-13T00:00:00.000Z",
    "dateUpdated": "2024-09-16T23:40:40.062Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2021-32979 (GCVE-0-2021-32979)

Vulnerability from cvelistv5 – Published: 2021-09-23 13:32 – Updated: 2024-09-16 20:51
VLAI
Title
AVEVA SuiteLink Server Null Pointer Dereference
Summary
Null pointer dereference in SuiteLink server while processing commands 0x04/0x0a
CWE
  • CWE-476 - NULL Pointer Dereference
Assigner
References
Date Public
2021-08-19 00:00
Credits
Sharon Brizinov of Claroty reported these vulnerabilities to AVEVA
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T23:33:56.032Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.aveva.com/content/dam/aveva/documents/support/cyber-security-updates/SecurityBulletin_AVEVA-2021-003.pdf"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "AVEVA System Platform 2020",
          "vendor": "AVEVA Software, LLC",
          "versions": [
            {
              "lessThanOrEqual": "R2 P01",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "AVEVA InTouch 2020",
          "vendor": "AVEVA Software, LLC",
          "versions": [
            {
              "lessThanOrEqual": "R2 P01",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "AVEVA Historian 2020",
          "vendor": "AVEVA Software, LLC",
          "versions": [
            {
              "lessThanOrEqual": "R2 P01",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "AVEVA Communication Drivers Pack 2020",
          "vendor": "AVEVA Software, LLC",
          "versions": [
            {
              "lessThanOrEqual": "R2",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "AVEVA Batch Management 2020",
          "vendor": "AVEVA Software, LLC",
          "versions": [
            {
              "lessThanOrEqual": "2020",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "AVEVA MES 2014",
          "vendor": "AVEVA Software, LLC",
          "versions": [
            {
              "lessThanOrEqual": "R2",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Sharon Brizinov of Claroty reported these vulnerabilities to AVEVA"
        }
      ],
      "datePublic": "2021-08-19T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "Null pointer dereference in SuiteLink server while processing commands 0x04/0x0a"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-476",
              "description": "CWE-476 NULL Pointer Dereference",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-09-23T13:32:59.000Z",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.aveva.com/content/dam/aveva/documents/support/cyber-security-updates/SecurityBulletin_AVEVA-2021-003.pdf"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "AVEVA recommends organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation.\n\nUsers with affected versions of these products should apply the corresponding security update. Note a subset of the updates requires activation-based licensing.\n\nPlease see AVEVA security bulletin AVEVA-2021-003 for more information."
        }
      ],
      "source": {
        "advisory": "ICSA-21-231-01",
        "discovery": "UNKNOWN"
      },
      "title": "AVEVA SuiteLink Server Null Pointer Dereference",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "ics-cert@hq.dhs.gov",
          "DATE_PUBLIC": "2021-08-19T15:00:00.000Z",
          "ID": "CVE-2021-32979",
          "STATE": "PUBLIC",
          "TITLE": "AVEVA SuiteLink Server Null Pointer Dereference"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "AVEVA System Platform 2020",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_value": "R2 P01"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "AVEVA InTouch 2020",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_value": "R2 P01"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "AVEVA Historian 2020",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_value": "R2 P01"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "AVEVA Communication Drivers Pack 2020",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_value": "R2"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "AVEVA Batch Management 2020",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_value": "2020"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "AVEVA MES 2014",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_value": "R2"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "AVEVA Software, LLC"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Sharon Brizinov of Claroty reported these vulnerabilities to AVEVA"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Null pointer dereference in SuiteLink server while processing commands 0x04/0x0a"
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-476 NULL Pointer Dereference"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.aveva.com/content/dam/aveva/documents/support/cyber-security-updates/SecurityBulletin_AVEVA-2021-003.pdf",
              "refsource": "CONFIRM",
              "url": "https://www.aveva.com/content/dam/aveva/documents/support/cyber-security-updates/SecurityBulletin_AVEVA-2021-003.pdf"
            }
          ]
        },
        "solution": [
          {
            "lang": "en",
            "value": "AVEVA recommends organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation.\n\nUsers with affected versions of these products should apply the corresponding security update. Note a subset of the updates requires activation-based licensing.\n\nPlease see AVEVA security bulletin AVEVA-2021-003 for more information."
          }
        ],
        "source": {
          "advisory": "ICSA-21-231-01",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2021-32979",
    "datePublished": "2021-09-23T13:32:59.908Z",
    "dateReserved": "2021-05-13T00:00:00.000Z",
    "dateUpdated": "2024-09-16T20:51:41.561Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2021-32971 (GCVE-0-2021-32971)

Vulnerability from cvelistv5 – Published: 2021-09-23 13:32 – Updated: 2024-09-17 01:06
VLAI
Title
AVEVA SuiteLink Server Null Pointer Dereference
Summary
Null pointer dereference in SuiteLink server while processing command 0x07
CWE
  • CWE-476 - NULL Pointer Dereference
Assigner
References
Date Public
2021-08-19 00:00
Credits
Sharon Brizinov of Claroty reported these vulnerabilities to AVEVA
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T23:33:56.111Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.aveva.com/content/dam/aveva/documents/support/cyber-security-updates/SecurityBulletin_AVEVA-2021-003.pdf"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "AVEVA System Platform 2020",
          "vendor": "AVEVA Software, LLC",
          "versions": [
            {
              "lessThanOrEqual": "R2 P01",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "AVEVA InTouch 2020",
          "vendor": "AVEVA Software, LLC",
          "versions": [
            {
              "lessThanOrEqual": "R2 P01",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "AVEVA Historian 2020",
          "vendor": "AVEVA Software, LLC",
          "versions": [
            {
              "lessThanOrEqual": "R2 P01",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "AVEVA Communication Drivers Pack 2020",
          "vendor": "AVEVA Software, LLC",
          "versions": [
            {
              "lessThanOrEqual": "R2",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "AVEVA Batch Management 2020",
          "vendor": "AVEVA Software, LLC",
          "versions": [
            {
              "lessThanOrEqual": "2020",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "AVEVA MES 2014",
          "vendor": "AVEVA Software, LLC",
          "versions": [
            {
              "lessThanOrEqual": "R2",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Sharon Brizinov of Claroty reported these vulnerabilities to AVEVA"
        }
      ],
      "datePublic": "2021-08-19T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "Null pointer dereference in SuiteLink server while processing command 0x07"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-476",
              "description": "CWE-476 NULL Pointer Dereference",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-09-23T13:32:53.000Z",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.aveva.com/content/dam/aveva/documents/support/cyber-security-updates/SecurityBulletin_AVEVA-2021-003.pdf"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "AVEVA recommends organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation.\n\nUsers with affected versions of these products should apply the corresponding security update. Note a subset of the updates requires activation-based licensing.\n\nPlease see AVEVA security bulletin AVEVA-2021-003 for more information."
        }
      ],
      "source": {
        "advisory": "ICSA-21-231-01",
        "discovery": "UNKNOWN"
      },
      "title": "AVEVA SuiteLink Server Null Pointer Dereference",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "ics-cert@hq.dhs.gov",
          "DATE_PUBLIC": "2021-08-19T15:00:00.000Z",
          "ID": "CVE-2021-32971",
          "STATE": "PUBLIC",
          "TITLE": "AVEVA SuiteLink Server Null Pointer Dereference"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "AVEVA System Platform 2020",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_value": "R2 P01"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "AVEVA InTouch 2020",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_value": "R2 P01"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "AVEVA Historian 2020",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_value": "R2 P01"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "AVEVA Communication Drivers Pack 2020",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_value": "R2"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "AVEVA Batch Management 2020",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_value": "2020"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "AVEVA MES 2014",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_value": "R2"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "AVEVA Software, LLC"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Sharon Brizinov of Claroty reported these vulnerabilities to AVEVA"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Null pointer dereference in SuiteLink server while processing command 0x07"
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-476 NULL Pointer Dereference"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.aveva.com/content/dam/aveva/documents/support/cyber-security-updates/SecurityBulletin_AVEVA-2021-003.pdf",
              "refsource": "CONFIRM",
              "url": "https://www.aveva.com/content/dam/aveva/documents/support/cyber-security-updates/SecurityBulletin_AVEVA-2021-003.pdf"
            }
          ]
        },
        "solution": [
          {
            "lang": "en",
            "value": "AVEVA recommends organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation.\n\nUsers with affected versions of these products should apply the corresponding security update. Note a subset of the updates requires activation-based licensing.\n\nPlease see AVEVA security bulletin AVEVA-2021-003 for more information."
          }
        ],
        "source": {
          "advisory": "ICSA-21-231-01",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2021-32971",
    "datePublished": "2021-09-23T13:32:53.186Z",
    "dateReserved": "2021-05-13T00:00:00.000Z",
    "dateUpdated": "2024-09-17T01:06:37.736Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2021-32963 (GCVE-0-2021-32963)

Vulnerability from cvelistv5 – Published: 2021-09-23 13:32 – Updated: 2024-09-17 01:20
VLAI
Title
AVEVA SuiteLink Server Null Pointer Dereference
Summary
Null pointer dereference in SuiteLink server while processing commands 0x03/0x10
CWE
  • CWE-476 - NULL Pointer Dereference
Assigner
References
Date Public
2021-08-19 00:00
Credits
Sharon Brizinov of Claroty reported these vulnerabilities to AVEVA
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T23:33:56.205Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.aveva.com/content/dam/aveva/documents/support/cyber-security-updates/SecurityBulletin_AVEVA-2021-003.pdf"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "AVEVA System Platform 2020",
          "vendor": "AVEVA Software, LLC",
          "versions": [
            {
              "lessThanOrEqual": "R2 P01",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "AVEVA InTouch 2020",
          "vendor": "AVEVA Software, LLC",
          "versions": [
            {
              "lessThanOrEqual": "R2 P01",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "AVEVA Historian 2020",
          "vendor": "AVEVA Software, LLC",
          "versions": [
            {
              "lessThanOrEqual": "R2 P01",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "AVEVA Communication Drivers Pack 2020",
          "vendor": "AVEVA Software, LLC",
          "versions": [
            {
              "lessThanOrEqual": "R2",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "AVEVA Batch Management 2020",
          "vendor": "AVEVA Software, LLC",
          "versions": [
            {
              "lessThanOrEqual": "2020",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "AVEVA MES 2014",
          "vendor": "AVEVA Software, LLC",
          "versions": [
            {
              "lessThanOrEqual": "R2",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Sharon Brizinov of Claroty reported these vulnerabilities to AVEVA"
        }
      ],
      "datePublic": "2021-08-19T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "Null pointer dereference in SuiteLink server while processing commands 0x03/0x10"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-476",
              "description": "CWE-476 NULL Pointer Dereference",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-09-23T13:32:36.000Z",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.aveva.com/content/dam/aveva/documents/support/cyber-security-updates/SecurityBulletin_AVEVA-2021-003.pdf"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "AVEVA recommends organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation.\n\nUsers with affected versions of these products should apply the corresponding security update. Note a subset of the updates requires activation-based licensing.\n\nPlease see AVEVA security bulletin AVEVA-2021-003 for more information."
        }
      ],
      "source": {
        "advisory": "ICSA-21-231-01",
        "discovery": "UNKNOWN"
      },
      "title": "AVEVA SuiteLink Server Null Pointer Dereference",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "ics-cert@hq.dhs.gov",
          "DATE_PUBLIC": "2021-08-19T15:00:00.000Z",
          "ID": "CVE-2021-32963",
          "STATE": "PUBLIC",
          "TITLE": "AVEVA SuiteLink Server Null Pointer Dereference"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "AVEVA System Platform 2020",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_value": "R2 P01"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "AVEVA InTouch 2020",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_value": "R2 P01"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "AVEVA Historian 2020",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_value": "R2 P01"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "AVEVA Communication Drivers Pack 2020",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_value": "R2"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "AVEVA Batch Management 2020",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_value": "2020"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "AVEVA MES 2014",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_value": "R2"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "AVEVA Software, LLC"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Sharon Brizinov of Claroty reported these vulnerabilities to AVEVA"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Null pointer dereference in SuiteLink server while processing commands 0x03/0x10"
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-476 NULL Pointer Dereference"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.aveva.com/content/dam/aveva/documents/support/cyber-security-updates/SecurityBulletin_AVEVA-2021-003.pdf",
              "refsource": "CONFIRM",
              "url": "https://www.aveva.com/content/dam/aveva/documents/support/cyber-security-updates/SecurityBulletin_AVEVA-2021-003.pdf"
            }
          ]
        },
        "solution": [
          {
            "lang": "en",
            "value": "AVEVA recommends organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation.\n\nUsers with affected versions of these products should apply the corresponding security update. Note a subset of the updates requires activation-based licensing.\n\nPlease see AVEVA security bulletin AVEVA-2021-003 for more information."
          }
        ],
        "source": {
          "advisory": "ICSA-21-231-01",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2021-32963",
    "datePublished": "2021-09-23T13:32:36.770Z",
    "dateReserved": "2021-05-13T00:00:00.000Z",
    "dateUpdated": "2024-09-17T01:20:36.097Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2021-32844 (GCVE-0-2021-32844)

Vulnerability from cvelistv5 – Published: 2023-02-17 00:00 – Updated: 2025-03-10 21:10
VLAI
Summary
HyperKit is a toolkit for embedding hypervisor capabilities in an application. In versions 0.20210107 and prior of HyperKit, ` vi_pci_write` has is a call to `vc_cfgwrite` that does not check for null which when called makes the host crash. This issue may lead to a guest crashing the host causing a denial of service. This issue is fixed in commit 451558fe8aaa8b24e02e34106e3bb9fe41d7ad13.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-476 - NULL Pointer Dereference
Assigner
Impacted products
Vendor Product Version
moby hyperkit Affected: 0.20210107 , ≤ 0.20210107 (custom)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T23:33:55.842Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://securitylab.github.com/advisories/GHSL-2021-054_057-moby-hyperkit/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/moby/hyperkit/pull/313"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/moby/hyperkit/commit/451558fe8aaa8b24e02e34106e3bb9fe41d7ad13"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2021-32844",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-10T20:57:25.626236Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-10T21:10:00.269Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "hyperkit",
          "vendor": "moby",
          "versions": [
            {
              "lessThanOrEqual": "0.20210107",
              "status": "affected",
              "version": "0.20210107",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "HyperKit is a toolkit for embedding hypervisor capabilities in an application. In versions 0.20210107 and prior of HyperKit, ` vi_pci_write` has is a call to `vc_cfgwrite` that does not check for null which when called makes the host crash. This issue may lead to a guest crashing the host causing a denial of service. This issue is fixed in commit 451558fe8aaa8b24e02e34106e3bb9fe41d7ad13."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 6.2,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-476",
              "description": "CWE-476 NULL Pointer Dereference",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-02-17T00:00:00.000Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "url": "https://securitylab.github.com/advisories/GHSL-2021-054_057-moby-hyperkit/"
        },
        {
          "url": "https://github.com/moby/hyperkit/pull/313"
        },
        {
          "url": "https://github.com/moby/hyperkit/commit/451558fe8aaa8b24e02e34106e3bb9fe41d7ad13"
        }
      ],
      "source": {
        "advisory": "GHSL-2021-055",
        "defect": [
          "GHSL-2021-055"
        ],
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2021-32844",
    "datePublished": "2023-02-17T00:00:00.000Z",
    "dateReserved": "2021-05-12T00:00:00.000Z",
    "dateUpdated": "2025-03-10T21:10:00.269Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2021-32843 (GCVE-0-2021-32843)

Vulnerability from cvelistv5 – Published: 2023-02-17 00:00 – Updated: 2025-03-10 21:10
VLAI
Summary
HyperKit is a toolkit for embedding hypervisor capabilities in an application. In versions 0.20210107 and prior of HyperKit, `virtio.c` has is a call to `vc_cfgread` that does not check for null which when called makes the host crash. This issue may lead to a guest crashing the host causing a denial of service. This issue is fixed in commit df0e46c7dbfd81a957d85e449ba41b52f6f7beb4.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-476 - NULL Pointer Dereference
Assigner
Impacted products
Vendor Product Version
moby hyperkit Affected: 0.20210107 , ≤ 0.20210107 (custom)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T23:33:56.083Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://securitylab.github.com/advisories/GHSL-2021-054_057-moby-hyperkit/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/moby/hyperkit/pull/313"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/moby/hyperkit/commit/df0e46c7dbfd81a957d85e449ba41b52f6f7beb4"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2021-32843",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-10T20:57:28.101100Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-10T21:10:07.604Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "hyperkit",
          "vendor": "moby",
          "versions": [
            {
              "lessThanOrEqual": "0.20210107",
              "status": "affected",
              "version": "0.20210107",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "HyperKit is a toolkit for embedding hypervisor capabilities in an application. In versions 0.20210107 and prior of HyperKit, `virtio.c` has is a call to `vc_cfgread` that does not check for null which when called makes the host crash. This issue may lead to a guest crashing the host causing a denial of service. This issue is fixed in commit df0e46c7dbfd81a957d85e449ba41b52f6f7beb4."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 6.2,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-476",
              "description": "CWE-476 NULL Pointer Dereference",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-02-17T00:00:00.000Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "url": "https://securitylab.github.com/advisories/GHSL-2021-054_057-moby-hyperkit/"
        },
        {
          "url": "https://github.com/moby/hyperkit/pull/313"
        },
        {
          "url": "https://github.com/moby/hyperkit/commit/df0e46c7dbfd81a957d85e449ba41b52f6f7beb4"
        }
      ],
      "source": {
        "advisory": "GHSL-2021-054",
        "defect": [
          "GHSL-2021-054"
        ],
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2021-32843",
    "datePublished": "2023-02-17T00:00:00.000Z",
    "dateReserved": "2021-05-12T00:00:00.000Z",
    "dateUpdated": "2025-03-10T21:10:07.604Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2021-31618 (GCVE-0-2021-31618)

Vulnerability from cvelistv5 – Published: 2021-06-15 00:00 – Updated: 2024-08-03 23:03
VLAI
Title
NULL pointer dereference on specially crafted HTTP/2 request
Summary
Apache HTTP Server protocol handler for the HTTP/2 protocol checks received request headers against the size limitations as configured for the server and used for the HTTP/1 protocol as well. On violation of these restrictions and HTTP response is sent to the client with a status code indicating why the request was rejected. This rejection response was not fully initialised in the HTTP/2 protocol handler if the offending header was the very first one received or appeared in a a footer. This led to a NULL pointer dereference on initialised memory, crashing reliably the child process. Since such a triggering HTTP/2 request is easy to craft and submit, this can be exploited to DoS the server. This issue affected mod_http2 1.15.17 and Apache HTTP Server version 2.4.47 only. Apache HTTP Server 2.4.47 was never released.
Severity
No CVSS data available.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-476 - NULL Pointer Dereference
Assigner
Impacted products
Credits
Apache HTTP server would like to thank LI ZHI XIN from NSFocus for reporting this.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2021-31618",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-05-20T16:18:33.082195Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-04T17:12:39.340Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T23:03:33.651Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://httpd.apache.org/security/vulnerabilities_24.html"
          },
          {
            "name": "[oss-security] 20210609 CVE-2021-31618: Apache httpd: NULL pointer dereference on specially crafted HTTP/2 request",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2021/06/10/9"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://seclists.org/oss-sec/2021/q2/206"
          },
          {
            "name": "[httpd-cvs] 20210615 svn commit: r1890801 - /httpd/site/trunk/content/security/json/CVE-2021-31618.json",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r14b66ef0f4f569fd515a3f96cd4eb58bd9a8ff525cc326bb0359664f%40%3Ccvs.httpd.apache.org%3E"
          },
          {
            "name": "[httpd-cvs] 20210615 svn commit: r1075782 - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2021-31618.json security/vulnerabilities_24.html",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r783b6558abf3305b17ea462bed4bd66d82866438999bf38cef6d11d1%40%3Ccvs.httpd.apache.org%3E"
          },
          {
            "name": "FEDORA-2021-051639aad4",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2NKJ3ZA3FTSZ2QBBPKS6BYGAWYRABNQQ/"
          },
          {
            "name": "FEDORA-2021-181f29c392",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/A73QJ4HPUMU26I6EULG6SCK67TUEXZYR/"
          },
          {
            "name": "[debian-lts-announce] 20210709 [SECURITY] [DLA 2706-1] apache2 security update",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00006.html"
          },
          {
            "name": "DSA-4937",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2021/dsa-4937"
          },
          {
            "name": "GLSA-202107-38",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/202107-38"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20210727-0008/"
          },
          {
            "name": "[oss-security] 20240313 Re: CVE-2021-31618: Apache httpd: NULL pointer dereference on specially crafted HTTP/2 request",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2024/03/13/2"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Apache HTTP Server",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "status": "affected",
              "version": "2.4.47"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Apache HTTP server would like to thank  LI ZHI XIN from NSFocus for reporting this."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Apache HTTP Server protocol handler for the HTTP/2 protocol checks received request headers against the size limitations as configured for the server and used for the HTTP/1 protocol as well. On violation of these restrictions and HTTP response is sent to the client with a status code indicating why the request was rejected. This rejection response was not fully initialised in the HTTP/2 protocol handler if the offending header was the very first one received or appeared in a a footer. This led to a NULL pointer dereference on initialised memory, crashing reliably the child process. Since such a triggering HTTP/2 request is easy to craft and submit, this can be exploited to DoS the server. This issue affected mod_http2 1.15.17 and Apache HTTP Server version 2.4.47 only. Apache HTTP Server 2.4.47 was never released."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "other": "important"
            },
            "type": "unknown"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-476",
              "description": "CWE-476 NULL Pointer Dereference",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-05-01T17:10:59.750Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "url": "http://httpd.apache.org/security/vulnerabilities_24.html"
        },
        {
          "name": "[oss-security] 20210609 CVE-2021-31618: Apache httpd: NULL pointer dereference on specially crafted HTTP/2 request",
          "tags": [
            "mailing-list"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2021/06/10/9"
        },
        {
          "url": "https://seclists.org/oss-sec/2021/q2/206"
        },
        {
          "name": "[httpd-cvs] 20210615 svn commit: r1890801 - /httpd/site/trunk/content/security/json/CVE-2021-31618.json",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.apache.org/thread.html/r14b66ef0f4f569fd515a3f96cd4eb58bd9a8ff525cc326bb0359664f%40%3Ccvs.httpd.apache.org%3E"
        },
        {
          "name": "[httpd-cvs] 20210615 svn commit: r1075782 - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2021-31618.json security/vulnerabilities_24.html",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.apache.org/thread.html/r783b6558abf3305b17ea462bed4bd66d82866438999bf38cef6d11d1%40%3Ccvs.httpd.apache.org%3E"
        },
        {
          "name": "FEDORA-2021-051639aad4",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2NKJ3ZA3FTSZ2QBBPKS6BYGAWYRABNQQ/"
        },
        {
          "name": "FEDORA-2021-181f29c392",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/A73QJ4HPUMU26I6EULG6SCK67TUEXZYR/"
        },
        {
          "name": "[debian-lts-announce] 20210709 [SECURITY] [DLA 2706-1] apache2 security update",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00006.html"
        },
        {
          "name": "DSA-4937",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.debian.org/security/2021/dsa-4937"
        },
        {
          "name": "GLSA-202107-38",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://security.gentoo.org/glsa/202107-38"
        },
        {
          "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20210727-0008/"
        },
        {
          "name": "[oss-security] 20240313 Re: CVE-2021-31618: Apache httpd: NULL pointer dereference on specially crafted HTTP/2 request",
          "tags": [
            "mailing-list"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2024/03/13/2"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "NULL pointer dereference on specially crafted HTTP/2 request",
      "workarounds": [
        {
          "lang": "en",
          "value": "On unpatched servers, the `h2` protocol can be disabled by removing it from the `Protocols` configuration. If the `h2` protocol is not enabled, the server is not affected by this vulnerability."
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2021-31618",
    "datePublished": "2021-06-15T00:00:00.000Z",
    "dateReserved": "2021-04-23T00:00:00.000Z",
    "dateUpdated": "2024-08-03T23:03:33.651Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Mitigation MIT-56
Implementation

For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].

Mitigation
Requirements

Select a programming language that is not susceptible to these issues.

Mitigation
Implementation

Check the results of all functions that return a value and verify that the value is non-null before acting upon it.

Mitigation
Architecture and Design

Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.

Mitigation
Implementation

Explicitly initialize all variables and other data stores, either during declaration or just before the first usage.

No CAPEC attack patterns related to this CWE.