VAR-202107-1665
Vulnerability from variot - Updated: 2024-08-14 12:51AVEVA System Platform versions 2017 through 2020 R2 P01 does not verify, or incorrectly verifies, the cryptographic signature for data. AVEVA Provided by the company AVEVA System Platform contains multiple vulnerabilities: * Lack of authentication for critical features (CWE-306) - CVE-2021-33008 It was * Problems with not handling exceptions (CWE-248) - CVE-2021-33010 It was * Path traversal (CWE-22) - CVE-2021-32981 It was * Same-origin policy violation (CWE-346) - CVE-2021-32985 It was * Improper verification of digital signatures (CWE-347) - CVE-2021-32977The expected impact depends on each vulnerability, but it may be affected as follows. It was * A third party on an adjacent network may be able to execute arbitrary code with system privileges. - CVE-2021-33008 It was * Service operation obstruction by a remote third party (DoS) state - CVE-2021-33010 It was * The input value that specifies a file or directory under an access-restricted directory is not processed properly, allowing a remote third party to access a directory outside the access-restricted directory. - CVE-2021-32981 It was * Not properly validating that data or communication origin is valid - CVE-2021-32985 It was * Not verifying digital signatures on data, or verifying them incorrectly - CVE-2021-32977. AVEVA System Platform is an application software of British AVEVA company. A responsive, standards-driven and scalable foundation for regulatory, enterprise SCADA, MES and IIoT applications. No detailed vulnerability details are currently provided
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202107-1665",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "system platform",
"scope": "lt",
"trust": 1.0,
"vendor": "aveva",
"version": "2020"
},
{
"model": "system platform",
"scope": "eq",
"trust": 1.0,
"vendor": "aveva",
"version": "2020"
},
{
"model": "system platform",
"scope": "gte",
"trust": 1.0,
"vendor": "aveva",
"version": "2017"
},
{
"model": "system platform",
"scope": "eq",
"trust": 0.8,
"vendor": "aveva",
"version": "2017 to 2020 r2 p01 to"
},
{
"model": "system platform",
"scope": "eq",
"trust": 0.8,
"vendor": "aveva",
"version": null
},
{
"model": "system platform r2 p01",
"scope": "gte",
"trust": 0.6,
"vendor": "aveva",
"version": "2017,\u003c=2020"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2021-102838"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-001897"
},
{
"db": "NVD",
"id": "CVE-2021-32977"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Sharon Brizinov of Claroty reported these vulnerabilities to AVEVA.",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202107-2079"
}
],
"trust": 0.6
},
"cve": "CVE-2021-32977",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"author": "nvd@nist.gov",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 8.0,
"id": "CVE-2021-32977",
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"severity": "MEDIUM",
"trust": 1.0,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "COMPLETE",
"baseScore": 10.0,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 10.0,
"id": "CNVD-2021-102838",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 0.6,
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "nvd@nist.gov",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 1.2,
"id": "CVE-2021-32977",
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"trust": 2.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
{
"attackComplexity": "Low",
"attackVector": "Network",
"author": "IPA",
"availabilityImpact": "High",
"baseScore": 7.2,
"baseSeverity": "High",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "JVNDB-2021-001897",
"impactScore": null,
"integrityImpact": "High",
"privilegesRequired": "High",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2021-32977",
"trust": 1.0,
"value": "HIGH"
},
{
"author": "ics-cert@hq.dhs.gov",
"id": "CVE-2021-32977",
"trust": 1.0,
"value": "HIGH"
},
{
"author": "IPA",
"id": "JVNDB-2021-001897",
"trust": 0.8,
"value": "High"
},
{
"author": "CNVD",
"id": "CNVD-2021-102838",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "CNNVD",
"id": "CNNVD-202107-2079",
"trust": 0.6,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2021-102838"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-001897"
},
{
"db": "CNNVD",
"id": "CNNVD-202107-2079"
},
{
"db": "NVD",
"id": "CVE-2021-32977"
},
{
"db": "NVD",
"id": "CVE-2021-32977"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "AVEVA System Platform versions 2017 through 2020 R2 P01 does not verify, or incorrectly verifies, the cryptographic signature for data. AVEVA Provided by the company AVEVA System Platform contains multiple vulnerabilities: * Lack of authentication for critical features (CWE-306) - CVE-2021-33008 It was * Problems with not handling exceptions (CWE-248) - CVE-2021-33010 It was * Path traversal (CWE-22) - CVE-2021-32981 It was * Same-origin policy violation (CWE-346) - CVE-2021-32985 It was * Improper verification of digital signatures (CWE-347) - CVE-2021-32977The expected impact depends on each vulnerability, but it may be affected as follows. It was * A third party on an adjacent network may be able to execute arbitrary code with system privileges. - CVE-2021-33008 It was * Service operation obstruction by a remote third party (DoS) state - CVE-2021-33010 It was * The input value that specifies a file or directory under an access-restricted directory is not processed properly, allowing a remote third party to access a directory outside the access-restricted directory. - CVE-2021-32981 It was * Not properly validating that data or communication origin is valid - CVE-2021-32985 It was * Not verifying digital signatures on data, or verifying them incorrectly - CVE-2021-32977. AVEVA System Platform is an application software of British AVEVA company. A responsive, standards-driven and scalable foundation for regulatory, enterprise SCADA, MES and IIoT applications. No detailed vulnerability details are currently provided",
"sources": [
{
"db": "NVD",
"id": "CVE-2021-32977"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-001897"
},
{
"db": "CNVD",
"id": "CNVD-2021-102838"
},
{
"db": "CNNVD",
"id": "CNNVD-202107-2079"
}
],
"trust": 2.7
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2021-32977",
"trust": 3.8
},
{
"db": "ICS CERT",
"id": "ICSA-21-180-05",
"trust": 3.0
},
{
"db": "JVN",
"id": "JVNVU90207343",
"trust": 0.8
},
{
"db": "JVNDB",
"id": "JVNDB-2021-001897",
"trust": 0.8
},
{
"db": "CNVD",
"id": "CNVD-2021-102838",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2021.2281.2",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-202107-2079",
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2021-102838"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-001897"
},
{
"db": "CNNVD",
"id": "CNNVD-202107-2079"
},
{
"db": "NVD",
"id": "CVE-2021-32977"
}
]
},
"id": "VAR-202107-1665",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2021-102838"
}
],
"trust": 0.78333334
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"ICS"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2021-102838"
}
]
},
"last_update_date": "2024-08-14T12:51:19.712000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "SECURITY\u00a0BULLETIN\u00a0AVEVA-2021-002",
"trust": 0.8,
"url": "https://www.aveva.com/content/dam/aveva/documents/support/cyber-security-updates/SecurityBulletin_AVEVA-2021-002.pdf"
},
{
"title": "Patch for AVEVA System Platform Incorrect Validation Vulnerability",
"trust": 0.6,
"url": "https://www.cnvd.org.cn/patchInfo/show/310981"
},
{
"title": "AVEVA System Platform Repair measures for data forgery problem vulnerabilities",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=157924"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2021-102838"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-001897"
},
{
"db": "CNNVD",
"id": "CNNVD-202107-2079"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-347",
"trust": 1.0
},
{
"problemtype": "uncaught exception (CWE-248) [IPA evaluation ]",
"trust": 0.8
},
{
"problemtype": " Lack of authentication for critical features (CWE-306) [IPA evaluation ]",
"trust": 0.8
},
{
"problemtype": " Path traversal (CWE-22) [IPA evaluation ]",
"trust": 0.8
},
{
"problemtype": " Same-origin policy violation (CWE-346) [IPA evaluation ]",
"trust": 0.8
},
{
"problemtype": " Improper verification of digital signatures (CWE-347) [IPA evaluation ]",
"trust": 0.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2021-001897"
},
{
"db": "NVD",
"id": "CVE-2021-32977"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.2,
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-180-05"
},
{
"trust": 1.6,
"url": "https://www.aveva.com/content/dam/aveva/documents/support/cyber-security-updates/securitybulletin_aveva-2021-002.pdf"
},
{
"trust": 1.4,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-32977"
},
{
"trust": 1.4,
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-180-05"
},
{
"trust": 0.8,
"url": "http://jvn.jp/cert/jvnvu90207343"
},
{
"trust": 0.8,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-33008"
},
{
"trust": 0.8,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-33010"
},
{
"trust": 0.8,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-32981"
},
{
"trust": 0.8,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-32985"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2021.2281.2"
},
{
"trust": 0.6,
"url": "https://cxsecurity.com/cveshow/cve-2021-32977/"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2021-102838"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-001897"
},
{
"db": "CNNVD",
"id": "CNNVD-202107-2079"
},
{
"db": "NVD",
"id": "CVE-2021-32977"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CNVD",
"id": "CNVD-2021-102838"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-001897"
},
{
"db": "CNNVD",
"id": "CNNVD-202107-2079"
},
{
"db": "NVD",
"id": "CVE-2021-32977"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2021-12-28T00:00:00",
"db": "CNVD",
"id": "CNVD-2021-102838"
},
{
"date": "2021-07-01T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2021-001897"
},
{
"date": "2021-07-27T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202107-2079"
},
{
"date": "2022-04-04T20:15:08.817000",
"db": "NVD",
"id": "CVE-2021-32977"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2022-01-18T00:00:00",
"db": "CNVD",
"id": "CNVD-2021-102838"
},
{
"date": "2024-06-20T04:33:00",
"db": "JVNDB",
"id": "JVNDB-2021-001897"
},
{
"date": "2022-04-14T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202107-2079"
},
{
"date": "2022-04-13T12:46:00.330000",
"db": "NVD",
"id": "CVE-2021-32977"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202107-2079"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "AVEVA\u00a0 Made \u00a0AVEVA\u00a0System\u00a0Platform\u00a0 Multiple vulnerabilities in",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2021-001897"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "data forgery",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202107-2079"
}
],
"trust": 0.6
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…