Details of VAR-202104-1557

ID

VAR-202104-1557

CVE

CVE-2021-23281

TITLE

Eaton Intelligent Power Manager remote code execution vulnerability

Trust: 0.6

sources: CNVD: CNVD-2021-29828

DESCRIPTION

Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to unauthenticated remote code execution vulnerability. IPM software does not sanitize the date provided via coverterCheckList action in meta_driver_srv.js class. Attackers can send a specially crafted packet to make IPM connect to rouge SNMP server and execute attacker-controlled code. It supports remote monitoring and management of multiple devices in the network from the interface. Pillow is a Python-based image processing library. There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements

Trust: 2.07

sources: NVD: CVE-2021-23281 // CNVD: CNVD-2021-29828 // CNNVD: CNNVD-202104-975 // VULMON: CVE-2021-23281

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2021-29828

AFFECTED PRODUCTS

vendor:

eaton

model:

intelligent power manager

scope:

version:

1.69

Trust: 1.6

sources: CNVD: CNVD-2021-29828 // NVD: CVE-2021-23281

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2021-23281
value:	CRITICAL
Trust: 1.0
CybersecurityCOE@eaton.com:	CVE-2021-23281
value:	CRITICAL
Trust: 1.0
CNVD:	CNVD-2021-29828
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-202104-975
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-202104-900
value:	CRITICAL
Trust: 0.6
VULMON:	CVE-2021-23281
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2021-23281
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.1
CNVD:	CNVD-2021-29828
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2021-23281
baseSeverity:	CRITICAL
baseScore:	10.0
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	CHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	6.0
version:	3.1
Trust: 2.0

sources: CNVD: CNVD-2021-29828 // VULMON: CVE-2021-23281 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202104-900 // NVD: CVE-2021-23281 // NVD: CVE-2021-23281

PROBLEMTYPE DATA

problemtype:

CWE-94

Trust: 1.0

sources: NVD: CVE-2021-23281

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202104-900

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202104-975

PATCH

title:

Patch for Eaton Intelligent Power Manager remote code execution vulnerability

url:

https://www.cnvd.org.cn/patchInfo/show/259896

Trust: 0.6

sources: CNVD: CNVD-2021-29828

EXTERNAL IDS

db:	NVD	id:	CVE-2021-23281	Trust: 2.3
db:	CNVD	id:	CNVD-2021-29828	Trust: 0.6
db:	CS-HELP	id:	SB2021041363	Trust: 0.6
db:	CNNVD	id:	CNNVD-202104-975	Trust: 0.6
db:	ICS CERT	id:	ICSA-21-110-06	Trust: 0.6
db:	CS-HELP	id:	SB2021042130	Trust: 0.6
db:	CNNVD	id:	CNNVD-202104-900	Trust: 0.6
db:	VULMON	id:	CVE-2021-23281	Trust: 0.1

sources: CNVD: CNVD-2021-29828 // VULMON: CVE-2021-23281 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202104-900 // NVD: CVE-2021-23281

REFERENCES

url:	https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-intelligent-power-manager-ipm-vulnerability-advisory.pdf	Trust: 1.7
url:	https://nvd.nist.gov/vuln/detail/cve-2021-23281	Trust: 1.2
url:	https://www.cybersecurity-help.cz/vdb/sb2021041363	Trust: 0.6
url:	https://us-cert.cisa.gov/ics/advisories/icsa-21-110-06	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2021042130	Trust: 0.6
url:	https://cwe.mitre.org/data/definitions/94.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: CNVD: CNVD-2021-29828 // VULMON: CVE-2021-23281 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202104-900 // NVD: CVE-2021-23281

SOURCES

db:	CNVD	id:	CNVD-2021-29828
db:	VULMON	id:	CVE-2021-23281
db:	CNNVD	id:	CNNVD-202104-975
db:	CNNVD	id:	CNNVD-202104-900
db:	NVD	id:	CVE-2021-23281

LAST UPDATE DATE

2024-11-23T20:35:24.901000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2021-29828	date:	2021-04-21T00:00:00
db:	VULMON	id:	CVE-2021-23281	date:	2021-04-20T00:00:00
db:	CNNVD	id:	CNNVD-202104-975	date:	2021-04-14T00:00:00
db:	CNNVD	id:	CNNVD-202104-900	date:	2021-04-22T00:00:00
db:	NVD	id:	CVE-2021-23281	date:	2024-11-21T05:51:29.650

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2021-29828	date:	2021-04-21T00:00:00
db:	VULMON	id:	CVE-2021-23281	date:	2021-04-13T00:00:00
db:	CNNVD	id:	CNNVD-202104-975	date:	2021-04-13T00:00:00
db:	CNNVD	id:	CNNVD-202104-900	date:	2021-04-13T00:00:00
db:	NVD	id:	CVE-2021-23281	date:	2021-04-13T19:15:15.037