Lucene search

IcscertCVE-2021-38410

HistoryJul 27, 2022 - 9:15 p.m.

CVE-2021-38410

2022-07-2721:15:08

CWE-427

icscert

web.nvd.nist.gov

aveva

software platform

common services

pcs

portal

dll hijacking

vulnerability

cve-2021-38410

nvd

CVSS3

7.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

AI Score

7.5

Confidence

High

EPSS

0.001

Percentile

28.7%

JSON

AVEVA Software Platform Common Services (PCS) Portal versions 4.5.2, 4.5.1, 4.5.0, and 4.4.6 are vulnerable to DLL hijacking through an uncontrolled search path element, which may allow an attacker control to one or more locations in the search path.

Affected configurations

Nvd

Node

avevabatch_managementMatch2020

avevaenterprise_data_managementMatch2020

avevamanufacturing_execution_systemMatch2020

avevamobile_operatorMatch2020

avevaplatform_common_servicesMatch4.4.6

avevaplatform_common_servicesMatch4.5.0

avevaplatform_common_servicesMatch4.5.1

avevaplatform_common_servicesMatch4.5.2

avevasystem_platformMatch2020-

avevasystem_platformMatch2020r2

avevasystem_platformMatch2020r2_p01

avevawork_tasksMatch2020-

avevawork_tasksMatch2020update_1

VendorProductVersionCPE
avevabatch_management2020cpe:2.3:a:aveva:batch_management:2020:*:*:*:*:*:*:*
avevaenterprise_data_management2020cpe:2.3:a:aveva:enterprise_data_management:2020:*:*:*:*:*:*:*
avevamanufacturing_execution_system2020cpe:2.3:a:aveva:manufacturing_execution_system:2020:*:*:*:*:*:*:*
avevamobile_operator2020cpe:2.3:a:aveva:mobile_operator:2020:*:*:*:*:*:*:*
avevaplatform_common_services4.4.6cpe:2.3:a:aveva:platform_common_services:4.4.6:*:*:*:*:*:*:*
avevaplatform_common_services4.5.0cpe:2.3:a:aveva:platform_common_services:4.5.0:*:*:*:*:*:*:*
avevaplatform_common_services4.5.1cpe:2.3:a:aveva:platform_common_services:4.5.1:*:*:*:*:*:*:*
avevaplatform_common_services4.5.2cpe:2.3:a:aveva:platform_common_services:4.5.2:*:*:*:*:*:*:*
avevasystem_platform2020cpe:2.3:a:aveva:system_platform:2020:-:*:*:*:*:*:*
avevasystem_platform2020cpe:2.3:a:aveva:system_platform:2020:r2:*:*:*:*:*:*

Vendor	Product	Version	CPE
aveva	batch_management	2020	cpe:2.3:a:aveva:batch_management:2020:::::::*
aveva	enterprise_data_management	2020	cpe:2.3:a:aveva:enterprise_data_management:2020:::::::*
aveva	manufacturing_execution_system	2020	cpe:2.3:a:aveva:manufacturing_execution_system:2020:::::::*
aveva	mobile_operator	2020	cpe:2.3:a:aveva:mobile_operator:2020:::::::*
aveva	platform_common_services	4.4.6	cpe:2.3:a:aveva:platform_common_services:4.4.6:::::::*
aveva	platform_common_services	4.5.0	cpe:2.3:a:aveva:platform_common_services:4.5.0:::::::*
aveva	platform_common_services	4.5.1	cpe:2.3:a:aveva:platform_common_services:4.5.1:::::::*
aveva	platform_common_services	4.5.2	cpe:2.3:a:aveva:platform_common_services:4.5.2:::::::*
aveva	system_platform	2020	cpe:2.3:a:aveva:system_platform:2020:-::::::
aveva	system_platform	2020	cpe:2.3:a:aveva:system_platform:2020:r2::::::

Rows per page:

1-10 of 131

CNA Affected

[
  {
    "product": "Platform Common Services (PCS) Portal",
    "vendor": "AVEVA",
    "versions": [
      {
        "status": "affected",
        "version": "4.5.2"
      },
      {
        "status": "affected",
        "version": "4.5.1"
      },
      {
        "status": "affected",
        "version": "4.5.0"
      },
      {
        "status": "affected",
        "version": "4.4.6"
      }
    ]
  }
]

References

www.aveva.com/en/support-and-success/cyber-security-updates/

www.cisa.gov/uscert/ics/advisories/icsa-21-252-01

Social References

CVSS3

7.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

AI Score

7.5

Confidence

High

EPSS

0.001

Percentile

28.7%

JSON

Related for CVE-2021-38410