Details of VAR-202102-0521

ID

VAR-202102-0521

CVE

CVE-2021-22654

TITLE

Advantech iView In SQL Injection vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2021-003417

DESCRIPTION

Advantech iView versions prior to v5.7.03.6112 are vulnerable to a SQL injection, which may allow an unauthorized attacker to disclose information. Advantech iView Has SQL An injection vulnerability exists.Information may be obtained. Authentication is not required to exploit this vulnerability.The specific flaw exists within the UserServlet class. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Advantech iView is an equipment management application for the energy, water and wastewater industries. There is a security vulnerability in Advantech iView, and there is no relevant information about this vulnerability at present, please pay attention to CNNVD or manufacturer announcements at any time

Trust: 3.51

sources: NVD: CVE-2021-22654 // JVNDB: JVNDB-2021-003417 // ZDI: ZDI-21-190 // ZDI: ZDI-21-188 // CNVD: CNVD-2021-13243 // VULHUB: VHN-381091

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2021-13243

AFFECTED PRODUCTS

vendor:	advantech	model:	iview	scope:	lt	version:	5.7.03.6112	Trust: 1.6
vendor:	advantech	model:	iview	scope:	-	version:	-	Trust: 1.4
vendor:	アドバンテック株式会社	model:	iview	scope:	eq	version:	-	Trust: 0.8
vendor:	アドバンテック株式会社	model:	iview	scope:	eq	version:	5.7.03.6112	Trust: 0.8

sources: ZDI: ZDI-21-190 // ZDI: ZDI-21-188 // CNVD: CNVD-2021-13243 // JVNDB: JVNDB-2021-003417 // NVD: CVE-2021-22654

CVSS

SEVERITY

CVSSV2

CVSSV3

ZDI:	CVE-2021-22654
value:	HIGH
Trust: 1.4
nvd@nist.gov:	CVE-2021-22654
value:	HIGH
Trust: 1.0
NVD:	CVE-2021-22654
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2021-13243
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-202102-814
value:	HIGH
Trust: 0.6
VULHUB:	VHN-381091
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2021-22654
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2021-13243
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
VULHUB:	VHN-381091
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

ZDI:	CVE-2021-22654
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	3.6
version:	3.0
Trust: 1.4
nvd@nist.gov:	CVE-2021-22654
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	3.6
version:	3.1
Trust: 1.0
NVD:	CVE-2021-22654
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: ZDI: ZDI-21-190 // ZDI: ZDI-21-188 // CNVD: CNVD-2021-13243 // VULHUB: VHN-381091 // JVNDB: JVNDB-2021-003417 // CNNVD: CNNVD-202102-814 // NVD: CVE-2021-22654

PROBLEMTYPE DATA

problemtype:	CWE-89	Trust: 1.1
problemtype:	SQL injection (CWE-89) [NVD Evaluation ]	Trust: 0.8

sources: VULHUB: VHN-381091 // JVNDB: JVNDB-2021-003417 // NVD: CVE-2021-22654

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202102-814

TYPE

SQL injection

Trust: 0.6

sources: CNNVD: CNNVD-202102-814

PATCH

title:	Advantech has issued an update to correct this vulnerability.	url:	https://us-cert.cisa.gov/ics/advisories/icsa-21-040-02	Trust: 1.4
title:	Top Page	url:	https://www.advantech.com/	Trust: 0.8
title:	Patch for Advantech iView SQL injection vulnerability (CNVD-2021-13243)	url:	https://www.cnvd.org.cn/patchInfo/show/249616	Trust: 0.6
title:	Advantech Iview SQL Repair measures for injecting vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=142091	Trust: 0.6

sources: ZDI: ZDI-21-190 // ZDI: ZDI-21-188 // CNVD: CNVD-2021-13243 // JVNDB: JVNDB-2021-003417 // CNNVD: CNNVD-202102-814

EXTERNAL IDS

db:	NVD	id:	CVE-2021-22654	Trust: 4.5
db:	ZDI	id:	ZDI-21-190	Trust: 3.2
db:	ZDI	id:	ZDI-21-188	Trust: 3.2
db:	ICS CERT	id:	ICSA-21-040-02	Trust: 3.1
db:	JVN	id:	JVNVU97517721	Trust: 0.8
db:	JVNDB	id:	JVNDB-2021-003417	Trust: 0.8
db:	ZDI_CAN	id:	ZDI-CAN-12343	Trust: 0.7
db:	ZDI_CAN	id:	ZDI-CAN-12095	Trust: 0.7
db:	CNVD	id:	CNVD-2021-13243	Trust: 0.6
db:	AUSCERT	id:	ESB-2021.0469	Trust: 0.6
db:	CNNVD	id:	CNNVD-202102-814	Trust: 0.6
db:	VULHUB	id:	VHN-381091	Trust: 0.1

sources: ZDI: ZDI-21-190 // ZDI: ZDI-21-188 // CNVD: CNVD-2021-13243 // VULHUB: VHN-381091 // JVNDB: JVNDB-2021-003417 // CNNVD: CNNVD-202102-814 // NVD: CVE-2021-22654

REFERENCES

url:	https://us-cert.cisa.gov/ics/advisories/icsa-21-040-02	Trust: 5.1
url:	https://www.zerodayinitiative.com/advisories/zdi-21-190/	Trust: 3.1
url:	https://www.zerodayinitiative.com/advisories/zdi-21-188/	Trust: 2.5
url:	https://nvd.nist.gov/vuln/detail/cve-2021-22654	Trust: 1.4
url:	http://jvn.jp/vu/jvnvu97517721	Trust: 0.8
url:	https://www.auscert.org.au/bulletins/esb-2021.0469	Trust: 0.6

sources: ZDI: ZDI-21-190 // ZDI: ZDI-21-188 // CNVD: CNVD-2021-13243 // VULHUB: VHN-381091 // JVNDB: JVNDB-2021-003417 // CNNVD: CNNVD-202102-814 // NVD: CVE-2021-22654

CREDITS

rgod

Trust: 0.7

sources: ZDI: ZDI-21-190

SOURCES

db:	ZDI	id:	ZDI-21-190
db:	ZDI	id:	ZDI-21-188
db:	CNVD	id:	CNVD-2021-13243
db:	VULHUB	id:	VHN-381091
db:	JVNDB	id:	JVNDB-2021-003417
db:	CNNVD	id:	CNNVD-202102-814
db:	NVD	id:	CVE-2021-22654

LAST UPDATE DATE

2024-08-14T13:23:50.873000+00:00

SOURCES UPDATE DATE

db:	ZDI	id:	ZDI-21-190	date:	2021-02-11T00:00:00
db:	ZDI	id:	ZDI-21-188	date:	2021-02-11T00:00:00
db:	CNVD	id:	CNVD-2021-13243	date:	2021-02-27T00:00:00
db:	VULHUB	id:	VHN-381091	date:	2021-02-12T00:00:00
db:	JVNDB	id:	JVNDB-2021-003417	date:	2021-10-26T08:49:00
db:	CNNVD	id:	CNNVD-202102-814	date:	2021-02-22T00:00:00
db:	NVD	id:	CVE-2021-22654	date:	2021-02-12T04:10:39.917

SOURCES RELEASE DATE

db:	ZDI	id:	ZDI-21-190	date:	2021-02-11T00:00:00
db:	ZDI	id:	ZDI-21-188	date:	2021-02-11T00:00:00
db:	CNVD	id:	CNVD-2021-13243	date:	2021-02-27T00:00:00
db:	VULHUB	id:	VHN-381091	date:	2021-02-11T00:00:00
db:	JVNDB	id:	JVNDB-2021-003417	date:	2021-10-26T00:00:00
db:	CNNVD	id:	CNNVD-202102-814	date:	2021-02-09T00:00:00
db:	NVD	id:	CVE-2021-22654	date:	2021-02-11T18:15:17.113