Details of VAR-202104-0340

ID

VAR-202104-0340

CVE

CVE-2021-22669

TITLE

Advantech Made WebAccess/SCADA Improper allocation of access to important information

Trust: 0.8

sources: JVNDB: JVNDB-2021-001370

DESCRIPTION

Incorrect permissions are set to default on the ‘Project Management’ page of WebAccess/SCADA portal of WebAccess/SCADA Versions 9.0.1 and prior, which may allow a low-privileged user to update an administrator’s password and login as an administrator to escalate privileges on the system. Advantech Provided by the company WebAccess/SCADA Is browser-based SCADA It is a software package. Advantech WebAccess/SCADA is a set of SCADA software based on browser architecture of Advantech. The software supports dynamic graphic display and real-time data control, and provides functions for remote control and management of automation equipment. Pillow is a Python-based image processing library. There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements. Advantech WebAccess/SCADA-IIoT is a web application developed by Advantech, Taiwan, China. There is a security vulnerability in WebAccess SCADA

Trust: 2.88

sources: NVD: CVE-2021-22669 // JVNDB: JVNDB-2021-001370 // CNVD: CNVD-2021-28788 // CNNVD: CNNVD-202104-975 // VULHUB: VHN-381106 // VULMON: CVE-2021-22669

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2021-28788

AFFECTED PRODUCTS

vendor:	advantech	model:	webaccess\/scada	scope:	lte	version:	9.0.1	Trust: 1.0
vendor:	アドバンテック株式会社	model:	webaccess/scada	scope:	eq	version:	-	Trust: 0.8
vendor:	アドバンテック株式会社	model:	webaccess/scada	scope:	lte	version:	versions 9.0.1 and earlier	Trust: 0.8
vendor:	advantech	model:	webaccess/scada	scope:	lte	version:	<=9.0.1	Trust: 0.6

sources: CNVD: CNVD-2021-28788 // JVNDB: JVNDB-2021-001370 // NVD: CVE-2021-22669

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2021-22669
value:	HIGH
Trust: 1.0
IPA:	JVNDB-2021-001370
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2021-28788
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-202104-975
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-202104-980
value:	HIGH
Trust: 0.6
VULHUB:	VHN-381106
value:	HIGH
Trust: 0.1
VULMON:	CVE-2021-22669
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2021-22669
severity:	HIGH
baseScore:	9.0
vectorString:	AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.1
CNVD:	CNVD-2021-28788
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
VULHUB:	VHN-381106
severity:	HIGH
baseScore:	9.0
vectorString:	AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2021-22669
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.1
Trust: 1.0
IPA:	JVNDB-2021-001370
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2021-28788 // VULHUB: VHN-381106 // VULMON: CVE-2021-22669 // JVNDB: JVNDB-2021-001370 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202104-980 // NVD: CVE-2021-22669

PROBLEMTYPE DATA

problemtype:	CWE-732	Trust: 1.1
problemtype:	Improper permission assignment for critical resources (CWE-732) [IPA Evaluation ]	Trust: 0.8

sources: VULHUB: VHN-381106 // JVNDB: JVNDB-2021-001370 // NVD: CVE-2021-22669

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202104-980

TYPE

other

Trust: 1.2

sources: CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202104-980

PATCH

title:	WebAccess/SCADA	url:	https://www.advantech.com/support/details/installation?id=1-MS9MJV#	Trust: 0.8
title:	Patch for Advantech WebAccess/SCADA Critical Resource Authority Assignment Incorrect Vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/258981	Trust: 0.6
title:	Advantech WebAccess SCADA Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=149709	Trust: 0.6

sources: CNVD: CNVD-2021-28788 // JVNDB: JVNDB-2021-001370 // CNNVD: CNNVD-202104-980

EXTERNAL IDS

db:	NVD	id:	CVE-2021-22669	Trust: 3.2
db:	ICS CERT	id:	ICSA-21-103-02	Trust: 3.2
db:	JVN	id:	JVNVU99008843	Trust: 0.8
db:	JVNDB	id:	JVNDB-2021-001370	Trust: 0.8
db:	CNVD	id:	CNVD-2021-28788	Trust: 0.7
db:	CS-HELP	id:	SB2021041363	Trust: 0.6
db:	CNNVD	id:	CNNVD-202104-975	Trust: 0.6
db:	AUSCERT	id:	ESB-2021.1248	Trust: 0.6
db:	CS-HELP	id:	SB2021041404	Trust: 0.6
db:	CNNVD	id:	CNNVD-202104-980	Trust: 0.6
db:	VULHUB	id:	VHN-381106	Trust: 0.1
db:	VULMON	id:	CVE-2021-22669	Trust: 0.1

REFERENCES

url:	https://us-cert.cisa.gov/ics/advisories/icsa-21-103-02	Trust: 3.8
url:	http://jvn.jp/cert/jvnvu99008843	Trust: 0.8
url:	https://www.cybersecurity-help.cz/vdb/sb2021041363	Trust: 0.6
url:	https://nvd.nist.gov/vuln/detail/cve-2021-22669	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2021041404	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2021.1248	Trust: 0.6
url:	https://cwe.mitre.org/data/definitions/732.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

SOURCES

db:	CNVD	id:	CNVD-2021-28788
db:	VULHUB	id:	VHN-381106
db:	VULMON	id:	CVE-2021-22669
db:	JVNDB	id:	JVNDB-2021-001370
db:	CNNVD	id:	CNNVD-202104-975
db:	CNNVD	id:	CNNVD-202104-980
db:	NVD	id:	CVE-2021-22669

LAST UPDATE DATE

2024-08-14T12:26:38.142000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2021-28788	date:	2021-04-19T00:00:00
db:	VULHUB	id:	VHN-381106	date:	2021-05-07T00:00:00
db:	VULMON	id:	CVE-2021-22669	date:	2021-05-07T00:00:00
db:	JVNDB	id:	JVNDB-2021-001370	date:	2021-04-15T06:48:00
db:	CNNVD	id:	CNNVD-202104-975	date:	2021-04-14T00:00:00
db:	CNNVD	id:	CNNVD-202104-980	date:	2021-05-08T00:00:00
db:	NVD	id:	CVE-2021-22669	date:	2021-05-07T18:29:08.803

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2021-28788	date:	2021-04-16T00:00:00
db:	VULHUB	id:	VHN-381106	date:	2021-04-26T00:00:00
db:	VULMON	id:	CVE-2021-22669	date:	2021-04-26T00:00:00
db:	JVNDB	id:	JVNDB-2021-001370	date:	2021-04-15T00:00:00
db:	CNNVD	id:	CNNVD-202104-975	date:	2021-04-13T00:00:00
db:	CNNVD	id:	CNNVD-202104-980	date:	2021-04-13T00:00:00
db:	NVD	id:	CVE-2021-22669	date:	2021-04-26T19:15:08.417