Details of VAR-202102-0523

ID

VAR-202102-0523

CVE

CVE-2021-22658

TITLE

Advantech iView In SQL Injection vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2021-003419

DESCRIPTION

Advantech iView versions prior to v5.7.03.6112 are vulnerable to a SQL injection, which may allow an attacker to escalate privileges to 'Administrator'. Advantech iView Has SQL An injection vulnerability exists.Information is obtained, information is tampered with, and service is disrupted (DoS) It may be put into a state. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed.The specific flaw exists within the UserServlet class. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to escalate privileges and reset the password for the Admin user. Advantech iView is an equipment management application for the energy, water and wastewater industries. There is a security vulnerability in Advantech iView, and there is no relevant information about this vulnerability at present, please pay attention to CNNVD or manufacturer announcements at any time

Trust: 2.88

sources: NVD: CVE-2021-22658 // JVNDB: JVNDB-2021-003419 // ZDI: ZDI-21-191 // CNVD: CNVD-2021-13242 // VULHUB: VHN-381095

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2021-13242

AFFECTED PRODUCTS

vendor:	advantech	model:	iview	scope:	lt	version:	5.7.03.6112	Trust: 1.6
vendor:	アドバンテック株式会社	model:	iview	scope:	eq	version:	-	Trust: 0.8
vendor:	アドバンテック株式会社	model:	iview	scope:	eq	version:	5.7.03.6112	Trust: 0.8
vendor:	advantech	model:	iview	scope:	-	version:	-	Trust: 0.7

sources: ZDI: ZDI-21-191 // CNVD: CNVD-2021-13242 // JVNDB: JVNDB-2021-003419 // NVD: CVE-2021-22658

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2021-22658
value:	CRITICAL
Trust: 1.0
NVD:	CVE-2021-22658
value:	CRITICAL
Trust: 0.8
ZDI:	CVE-2021-22658
value:	HIGH
Trust: 0.7
CNVD:	CNVD-2021-13242
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-202102-805
value:	CRITICAL
Trust: 0.6
VULHUB:	VHN-381095
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2021-22658
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2021-13242
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
VULHUB:	VHN-381095
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2021-22658
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	5.9
version:	3.1
Trust: 1.0
NVD:	CVE-2021-22658
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8
ZDI:	CVE-2021-22658
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.0
Trust: 0.7

sources: ZDI: ZDI-21-191 // CNVD: CNVD-2021-13242 // VULHUB: VHN-381095 // JVNDB: JVNDB-2021-003419 // CNNVD: CNNVD-202102-805 // NVD: CVE-2021-22658

PROBLEMTYPE DATA

problemtype:	CWE-89	Trust: 1.1
problemtype:	SQL injection (CWE-89) [NVD Evaluation ]	Trust: 0.8

sources: VULHUB: VHN-381095 // JVNDB: JVNDB-2021-003419 // NVD: CVE-2021-22658

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202102-805

TYPE

SQL injection

Trust: 0.6

sources: CNNVD: CNNVD-202102-805

PATCH

title:	Top Page	url:	https://www.advantech.com/	Trust: 0.8
title:	Advantech has issued an update to correct this vulnerability.	url:	https://us-cert.cisa.gov/ics/advisories/icsa-21-040-02	Trust: 0.7
title:	Patch for Advantech iView SQL injection vulnerability (CNVD-2021-13242)	url:	https://www.cnvd.org.cn/patchInfo/show/249611	Trust: 0.6
title:	Advantech Iview SQL Repair measures for injecting vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=142089	Trust: 0.6

sources: ZDI: ZDI-21-191 // CNVD: CNVD-2021-13242 // JVNDB: JVNDB-2021-003419 // CNNVD: CNNVD-202102-805

EXTERNAL IDS

db:	NVD	id:	CVE-2021-22658	Trust: 3.8
db:	ZDI	id:	ZDI-21-191	Trust: 3.2
db:	ICS CERT	id:	ICSA-21-040-02	Trust: 3.1
db:	JVN	id:	JVNVU97517721	Trust: 0.8
db:	JVNDB	id:	JVNDB-2021-003419	Trust: 0.8
db:	ZDI_CAN	id:	ZDI-CAN-12344	Trust: 0.7
db:	CNVD	id:	CNVD-2021-13242	Trust: 0.6
db:	AUSCERT	id:	ESB-2021.0469	Trust: 0.6
db:	CNNVD	id:	CNNVD-202102-805	Trust: 0.6
db:	VULHUB	id:	VHN-381095	Trust: 0.1

sources: ZDI: ZDI-21-191 // CNVD: CNVD-2021-13242 // VULHUB: VHN-381095 // JVNDB: JVNDB-2021-003419 // CNNVD: CNNVD-202102-805 // NVD: CVE-2021-22658

REFERENCES

url:	https://us-cert.cisa.gov/ics/advisories/icsa-21-040-02	Trust: 3.8
url:	https://www.zerodayinitiative.com/advisories/zdi-21-191/	Trust: 2.5
url:	https://nvd.nist.gov/vuln/detail/cve-2021-22658	Trust: 1.4
url:	http://jvn.jp/vu/jvnvu97517721	Trust: 0.8
url:	https://www.auscert.org.au/bulletins/esb-2021.0469	Trust: 0.6

sources: ZDI: ZDI-21-191 // CNVD: CNVD-2021-13242 // VULHUB: VHN-381095 // JVNDB: JVNDB-2021-003419 // CNNVD: CNNVD-202102-805 // NVD: CVE-2021-22658

CREDITS

rgod

Trust: 0.7

sources: ZDI: ZDI-21-191

SOURCES

db:	ZDI	id:	ZDI-21-191
db:	CNVD	id:	CNVD-2021-13242
db:	VULHUB	id:	VHN-381095
db:	JVNDB	id:	JVNDB-2021-003419
db:	CNNVD	id:	CNNVD-202102-805
db:	NVD	id:	CVE-2021-22658

LAST UPDATE DATE

2024-08-14T13:23:50.799000+00:00

SOURCES UPDATE DATE

db:	ZDI	id:	ZDI-21-191	date:	2021-02-11T00:00:00
db:	CNVD	id:	CNVD-2021-13242	date:	2021-02-27T00:00:00
db:	VULHUB	id:	VHN-381095	date:	2021-02-12T00:00:00
db:	JVNDB	id:	JVNDB-2021-003419	date:	2021-10-26T08:49:00
db:	CNNVD	id:	CNNVD-202102-805	date:	2021-02-22T00:00:00
db:	NVD	id:	CVE-2021-22658	date:	2021-02-12T15:04:32.003

SOURCES RELEASE DATE

db:	ZDI	id:	ZDI-21-191	date:	2021-02-11T00:00:00
db:	CNVD	id:	CNVD-2021-13242	date:	2021-02-27T00:00:00
db:	VULHUB	id:	VHN-381095	date:	2021-02-11T00:00:00
db:	JVNDB	id:	JVNDB-2021-003419	date:	2021-10-26T00:00:00
db:	CNNVD	id:	CNNVD-202102-805	date:	2021-02-09T00:00:00
db:	NVD	id:	CVE-2021-22658	date:	2021-02-11T18:15:17.270