History: Dec 06, 2021 - 6:15 p.m.

CVE-2021-43936

2021-12-06 18:15:08
CWE-434
icscert
web.nvd.nist.gov
Tags: cve-2021-43936, software, file upload, dangerous types, arbitrary code execution, webhmi portal, nvd

CVSS2: 10
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS3: 10
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

AI Score: 9.6
Confidence: High

EPSS: 0.014
Percentile: 86.7%

The software allows the attacker to upload or transfer files of dangerous types to the WebHMI portal, which may be automatically processed within the product’s environment or lead to arbitrary code execution.

Affected configurations

Nvd
Node
webhmi  webhmi_firmware  Range  <4.1
AND
webhmi  webhmi           Match  -

Vendor  Product          Version  CPE
webhmi  webhmi_firmware  *        cpe:2.3:o:webhmi:webhmi_firmware:*:*:*:*:*:*:*:*
webhmi  webhmi           -        cpe:2.3:h:webhmi:webhmi:-:*:*:*:*:*:*:*

CNA Affected

[
  {
    "product": "WebHMI",
    "vendor": "Distributed Data Systems",
    "versions": [
      {
        "lessThan": "4.1",
        "status": "affected",
        "version": "4.1",
        "versionType": "custom"
      }
    ]
  }
]
