Details of VAR-202102-0522

ID

VAR-202102-0522

CVE

CVE-2021-22656

TITLE

Advantech iView Traversal Vulnerability in Japan

Trust: 0.8

sources: JVNDB: JVNDB-2021-003418

DESCRIPTION

Advantech iView versions prior to v5.7.03.6112 are vulnerable to directory traversal, which may allow an attacker to read sensitive files. Advantech iView Contains a path traversal vulnerability.Information may be obtained. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Advantech iView. Authentication is not required to exploit this vulnerability.The specific flaw exists within the CommandServlet class. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to disclose information in the context of SYSTEM. Advantech iView is an equipment management application for the energy, water and wastewater industries. There is a security vulnerability in Advantech iView, and there is no relevant information about this vulnerability at present, please pay attention to CNNVD or manufacturer announcements at any time

Trust: 2.88

sources: NVD: CVE-2021-22656 // JVNDB: JVNDB-2021-003418 // ZDI: ZDI-21-189 // CNVD: CNVD-2021-13241 // VULHUB: VHN-381093

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2021-13241

AFFECTED PRODUCTS

vendor:	advantech	model:	iview	scope:	lt	version:	5.7.03.6112	Trust: 1.6
vendor:	アドバンテック株式会社	model:	iview	scope:	eq	version:	-	Trust: 0.8
vendor:	アドバンテック株式会社	model:	iview	scope:	eq	version:	5.7.03.6112	Trust: 0.8
vendor:	advantech	model:	iview	scope:	-	version:	-	Trust: 0.7

sources: ZDI: ZDI-21-189 // CNVD: CNVD-2021-13241 // JVNDB: JVNDB-2021-003418 // NVD: CVE-2021-22656

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2021-22656
value:	HIGH
Trust: 1.0
NVD:	CVE-2021-22656
value:	HIGH
Trust: 0.8
ZDI:	CVE-2021-22656
value:	HIGH
Trust: 0.7
CNVD:	CNVD-2021-13241
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-202102-815
value:	HIGH
Trust: 0.6
VULHUB:	VHN-381093
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2021-22656
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2021-13241
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
VULHUB:	VHN-381093
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2021-22656
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	3.6
version:	3.1
Trust: 1.0
NVD:	CVE-2021-22656
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8
ZDI:	CVE-2021-22656
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	3.6
version:	3.0
Trust: 0.7

sources: ZDI: ZDI-21-189 // CNVD: CNVD-2021-13241 // VULHUB: VHN-381093 // JVNDB: JVNDB-2021-003418 // CNNVD: CNNVD-202102-815 // NVD: CVE-2021-22656

PROBLEMTYPE DATA

problemtype:	CWE-22	Trust: 1.1
problemtype:	Path traversal (CWE-22) [NVD Evaluation ]	Trust: 0.8

sources: VULHUB: VHN-381093 // JVNDB: JVNDB-2021-003418 // NVD: CVE-2021-22656

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202102-815

TYPE

path traversal

Trust: 0.6

sources: CNNVD: CNNVD-202102-815

PATCH

title:	Top Page	url:	https://www.advantech.com/	Trust: 0.8
title:	Advantech has issued an update to correct this vulnerability.	url:	https://us-cert.cisa.gov/ics/advisories/icsa-21-040-02	Trust: 0.7
title:	Patch for Advantech iView path traversal vulnerability (CNVD-2021-13241)	url:	https://www.cnvd.org.cn/patchInfo/show/249606	Trust: 0.6
title:	Advantech Iview Repair measures for path traversal vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=142092	Trust: 0.6

sources: ZDI: ZDI-21-189 // CNVD: CNVD-2021-13241 // JVNDB: JVNDB-2021-003418 // CNNVD: CNNVD-202102-815

EXTERNAL IDS

db:	NVD	id:	CVE-2021-22656	Trust: 3.8
db:	ZDI	id:	ZDI-21-189	Trust: 3.2
db:	ICS CERT	id:	ICSA-21-040-02	Trust: 3.1
db:	JVN	id:	JVNVU97517721	Trust: 0.8
db:	JVNDB	id:	JVNDB-2021-003418	Trust: 0.8
db:	ZDI_CAN	id:	ZDI-CAN-12096	Trust: 0.7
db:	CNVD	id:	CNVD-2021-13241	Trust: 0.6
db:	AUSCERT	id:	ESB-2021.0469	Trust: 0.6
db:	CNNVD	id:	CNNVD-202102-815	Trust: 0.6
db:	VULHUB	id:	VHN-381093	Trust: 0.1

sources: ZDI: ZDI-21-189 // CNVD: CNVD-2021-13241 // VULHUB: VHN-381093 // JVNDB: JVNDB-2021-003418 // CNNVD: CNNVD-202102-815 // NVD: CVE-2021-22656

REFERENCES

url:	https://us-cert.cisa.gov/ics/advisories/icsa-21-040-02	Trust: 3.8
url:	https://www.zerodayinitiative.com/advisories/zdi-21-189/	Trust: 2.5
url:	https://nvd.nist.gov/vuln/detail/cve-2021-22656	Trust: 1.4
url:	http://jvn.jp/vu/jvnvu97517721	Trust: 0.8
url:	https://www.auscert.org.au/bulletins/esb-2021.0469	Trust: 0.6

sources: ZDI: ZDI-21-189 // CNVD: CNVD-2021-13241 // VULHUB: VHN-381093 // JVNDB: JVNDB-2021-003418 // CNNVD: CNNVD-202102-815 // NVD: CVE-2021-22656

CREDITS

Anonymous

Trust: 0.7

sources: ZDI: ZDI-21-189

SOURCES

db:	ZDI	id:	ZDI-21-189
db:	CNVD	id:	CNVD-2021-13241
db:	VULHUB	id:	VHN-381093
db:	JVNDB	id:	JVNDB-2021-003418
db:	CNNVD	id:	CNNVD-202102-815
db:	NVD	id:	CVE-2021-22656

LAST UPDATE DATE

2024-08-14T13:23:50.836000+00:00

SOURCES UPDATE DATE

db:	ZDI	id:	ZDI-21-189	date:	2021-02-11T00:00:00
db:	CNVD	id:	CNVD-2021-13241	date:	2021-02-27T00:00:00
db:	VULHUB	id:	VHN-381093	date:	2021-02-12T00:00:00
db:	JVNDB	id:	JVNDB-2021-003418	date:	2021-10-26T08:49:00
db:	CNNVD	id:	CNNVD-202102-815	date:	2021-02-22T00:00:00
db:	NVD	id:	CVE-2021-22656	date:	2021-02-12T15:04:23.940

SOURCES RELEASE DATE

db:	ZDI	id:	ZDI-21-189	date:	2021-02-11T00:00:00
db:	CNVD	id:	CNVD-2021-13241	date:	2021-02-27T00:00:00
db:	VULHUB	id:	VHN-381093	date:	2021-02-11T00:00:00
db:	JVNDB	id:	JVNDB-2021-003418	date:	2021-10-26T00:00:00
db:	CNNVD	id:	CNNVD-202102-815	date:	2021-02-09T00:00:00
db:	NVD	id:	CVE-2021-22656	date:	2021-02-11T18:15:17.190