Details of VAR-202104-1554

ID

VAR-202104-1554

CVE

CVE-2021-23278

TITLE

Eaton Intelligent Power Manager arbitrary file deletion vulnerability (CNVD-2021-31672)

Trust: 0.6

sources: CNVD: CNVD-2021-31672

DESCRIPTION

Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to authenticated arbitrary file delete vulnerability induced due to improper input validation at server/maps_srv.js with action removeBackground and server/node_upgrade_srv.js with action removeFirmware. An attacker can send specially crafted packets to delete the files on the system where IPM software is installed. Eaton Intelligent Power Manager (IPM) is an intelligent power manager from Eaton, USA. It supports remote monitoring and management of multiple devices in the network from the interface. Pillow is a Python-based image processing library. There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements

Trust: 2.07

sources: NVD: CVE-2021-23278 // CNVD: CNVD-2021-31672 // CNNVD: CNNVD-202104-975 // VULMON: CVE-2021-23278

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2021-31672

AFFECTED PRODUCTS

vendor:	eaton	model:	intelligent power manager	scope:	lt	version:	1.69	Trust: 1.6
vendor:	eaton	model:	intelligent power protector	scope:	lt	version:	1.68	Trust: 1.0
vendor:	eaton	model:	intelligent power manager virtual appliance	scope:	lt	version:	1.69	Trust: 1.0

sources: CNVD: CNVD-2021-31672 // NVD: CVE-2021-23278

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2021-23278
value:	CRITICAL
Trust: 1.0
CybersecurityCOE@eaton.com:	CVE-2021-23278
value:	HIGH
Trust: 1.0
CNVD:	CNVD-2021-31672
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-202104-975
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-202104-949
value:	CRITICAL
Trust: 0.6
VULMON:	CVE-2021-23278
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2021-23278
severity:	MEDIUM
baseScore:	5.5
vectorString:	AV:N/AC:L/AU:S/C:N/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.0
impactScore:	4.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.1
CNVD:	CNVD-2021-31672
severity:	MEDIUM
baseScore:	5.5
vectorString:	AV:N/AC:L/AU:S/C:N/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.0
impactScore:	4.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2021-23278
baseSeverity:	CRITICAL
baseScore:	9.6
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	CHANGED
confidentialityImpact:	NONE
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	3.1
impactScore:	5.8
version:	3.1
Trust: 1.0
CybersecurityCOE@eaton.com:	CVE-2021-23278
baseSeverity:	HIGH
baseScore:	8.7
vectorString:	CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H
attackVector:	ADJACENT
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	CHANGED
confidentialityImpact:	NONE
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.3
impactScore:	5.8
version:	3.1
Trust: 1.0

sources: CNVD: CNVD-2021-31672 // VULMON: CVE-2021-23278 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202104-949 // NVD: CVE-2021-23278 // NVD: CVE-2021-23278

PROBLEMTYPE DATA

problemtype:	CWE-20	Trust: 1.0
problemtype:	NVD-CWE-noinfo	Trust: 1.0

sources: NVD: CVE-2021-23278

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202104-949

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202104-975

PATCH

title:

Patch for Eaton Intelligent Power Manager arbitrary file deletion vulnerability (CNVD-2021-31672)

url:

https://www.cnvd.org.cn/patchInfo/show/261886

Trust: 0.6

sources: CNVD: CNVD-2021-31672

EXTERNAL IDS

db:	NVD	id:	CVE-2021-23278	Trust: 2.3
db:	CNVD	id:	CNVD-2021-31672	Trust: 0.6
db:	CS-HELP	id:	SB2021041363	Trust: 0.6
db:	CNNVD	id:	CNNVD-202104-975	Trust: 0.6
db:	ICS CERT	id:	ICSA-21-110-06	Trust: 0.6
db:	CS-HELP	id:	SB2021042130	Trust: 0.6
db:	CNNVD	id:	CNNVD-202104-949	Trust: 0.6
db:	VULMON	id:	CVE-2021-23278	Trust: 0.1

sources: CNVD: CNVD-2021-31672 // VULMON: CVE-2021-23278 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202104-949 // NVD: CVE-2021-23278

REFERENCES

url:	https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-intelligent-power-manager-ipm-vulnerability-advisory.pdf	Trust: 1.7
url:	https://nvd.nist.gov/vuln/detail/cve-2021-23278	Trust: 1.2
url:	https://www.cybersecurity-help.cz/vdb/sb2021041363	Trust: 0.6
url:	https://us-cert.cisa.gov/ics/advisories/icsa-21-110-06	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2021042130	Trust: 0.6
url:	https://cwe.mitre.org/data/definitions/.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: CNVD: CNVD-2021-31672 // VULMON: CVE-2021-23278 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202104-949 // NVD: CVE-2021-23278

SOURCES

db:	CNVD	id:	CNVD-2021-31672
db:	VULMON	id:	CVE-2021-23278
db:	CNNVD	id:	CNNVD-202104-975
db:	CNNVD	id:	CNNVD-202104-949
db:	NVD	id:	CVE-2021-23278

LAST UPDATE DATE

2024-11-23T19:27:19.368000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2021-31672	date:	2021-04-28T00:00:00
db:	VULMON	id:	CVE-2021-23278	date:	2021-04-21T00:00:00
db:	CNNVD	id:	CNNVD-202104-975	date:	2021-04-14T00:00:00
db:	CNNVD	id:	CNNVD-202104-949	date:	2021-04-22T00:00:00
db:	NVD	id:	CVE-2021-23278	date:	2024-11-21T05:51:29.297

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2021-31672	date:	2021-04-28T00:00:00
db:	VULMON	id:	CVE-2021-23278	date:	2021-04-13T00:00:00
db:	CNNVD	id:	CNNVD-202104-975	date:	2021-04-13T00:00:00
db:	CNNVD	id:	CNNVD-202104-949	date:	2021-04-13T00:00:00
db:	NVD	id:	CVE-2021-23278	date:	2021-04-13T19:15:14.820