Details of VAR-202104-1553

ID

VAR-202104-1553

CVE

CVE-2021-23277

TITLE

Eaton Intelligent Power Manager Eval injection vulnerability

Trust: 0.6

sources: CNVD: CNVD-2021-30591

DESCRIPTION

Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to unauthenticated eval injection vulnerability. The software does not neutralize code syntax from users before using in the dynamic evaluation call in loadUserFile function under scripts/libs/utils.js. Successful exploitation can allow attackers to control the input to the function and execute attacker controlled commands. It supports remote monitoring and management of multiple devices in the network from the interface. Pillow is a Python-based image processing library. There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements

Trust: 2.07

sources: NVD: CVE-2021-23277 // CNVD: CNVD-2021-30591 // CNNVD: CNNVD-202104-975 // VULMON: CVE-2021-23277

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2021-30591

AFFECTED PRODUCTS

vendor:	eaton	model:	intelligent power manager	scope:	lt	version:	1.69	Trust: 1.6
vendor:	eaton	model:	intelligent power protector	scope:	lt	version:	1.68	Trust: 1.0
vendor:	eaton	model:	intelligent power manager virtual appliance	scope:	lt	version:	1.69	Trust: 1.0

sources: CNVD: CNVD-2021-30591 // NVD: CVE-2021-23277

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2021-23277
value:	CRITICAL
Trust: 1.0
CybersecurityCOE@eaton.com:	CVE-2021-23277
value:	HIGH
Trust: 1.0
CNVD:	CNVD-2021-30591
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-202104-975
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-202104-952
value:	CRITICAL
Trust: 0.6
VULMON:	CVE-2021-23277
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2021-23277
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.1
CNVD:	CNVD-2021-30591
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2021-23277
baseSeverity:	CRITICAL
baseScore:	10.0
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	CHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	6.0
version:	3.1
Trust: 1.0
CybersecurityCOE@eaton.com:	CVE-2021-23277
baseSeverity:	HIGH
baseScore:	8.3
vectorString:	CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
attackVector:	ADJACENT
attackComplexity:	HIGH
privilegesRequired:	NONE
userInteraction:	NONE
scope:	CHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	1.6
impactScore:	6.0
version:	3.1
Trust: 1.0

sources: CNVD: CNVD-2021-30591 // VULMON: CVE-2021-23277 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202104-952 // NVD: CVE-2021-23277 // NVD: CVE-2021-23277

PROBLEMTYPE DATA

problemtype:	CWE-95	Trust: 1.0
problemtype:	CWE-94	Trust: 1.0

sources: NVD: CVE-2021-23277

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202104-952

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202104-975

PATCH

title:

Patch for Eaton Intelligent Power Manager Eval injection vulnerability

url:

https://www.cnvd.org.cn/patchInfo/show/261116

Trust: 0.6

sources: CNVD: CNVD-2021-30591

EXTERNAL IDS

db:	NVD	id:	CVE-2021-23277	Trust: 2.3
db:	CNVD	id:	CNVD-2021-30591	Trust: 0.6
db:	CS-HELP	id:	SB2021041363	Trust: 0.6
db:	CNNVD	id:	CNNVD-202104-975	Trust: 0.6
db:	ICS CERT	id:	ICSA-21-110-06	Trust: 0.6
db:	CS-HELP	id:	SB2021042130	Trust: 0.6
db:	CNNVD	id:	CNNVD-202104-952	Trust: 0.6
db:	VULMON	id:	CVE-2021-23277	Trust: 0.1

sources: CNVD: CNVD-2021-30591 // VULMON: CVE-2021-23277 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202104-952 // NVD: CVE-2021-23277

REFERENCES

url:	https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-intelligent-power-manager-ipm-vulnerability-advisory.pdf	Trust: 1.7
url:	https://nvd.nist.gov/vuln/detail/cve-2021-23277	Trust: 1.2
url:	https://www.cybersecurity-help.cz/vdb/sb2021041363	Trust: 0.6
url:	https://us-cert.cisa.gov/ics/advisories/icsa-21-110-06	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2021042130	Trust: 0.6
url:	https://cwe.mitre.org/data/definitions/94.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: CNVD: CNVD-2021-30591 // VULMON: CVE-2021-23277 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202104-952 // NVD: CVE-2021-23277

SOURCES

db:	CNVD	id:	CNVD-2021-30591
db:	VULMON	id:	CVE-2021-23277
db:	CNNVD	id:	CNNVD-202104-975
db:	CNNVD	id:	CNNVD-202104-952
db:	NVD	id:	CVE-2021-23277

LAST UPDATE DATE

2024-11-23T20:17:15.951000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2021-30591	date:	2021-04-25T00:00:00
db:	VULMON	id:	CVE-2021-23277	date:	2023-06-26T00:00:00
db:	CNNVD	id:	CNNVD-202104-975	date:	2021-04-14T00:00:00
db:	CNNVD	id:	CNNVD-202104-952	date:	2023-06-27T00:00:00
db:	NVD	id:	CVE-2021-23277	date:	2024-11-21T05:51:29.183

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2021-30591	date:	2021-04-25T00:00:00
db:	VULMON	id:	CVE-2021-23277	date:	2021-04-13T00:00:00
db:	CNNVD	id:	CNNVD-202104-975	date:	2021-04-13T00:00:00
db:	CNNVD	id:	CNNVD-202104-952	date:	2021-04-13T00:00:00
db:	NVD	id:	CVE-2021-23277	date:	2021-04-13T19:15:14.740