ID

VAR-202107-0878


CVE

CVE-2021-32972


TITLE

Improper restriction of XML external entity reference vulnerability in Panasonic FPWIN Pro

Trust: 0.8

sources: JVNDB: JVNDB-2021-001896

DESCRIPTION

Panasonic FPWIN Pro, all versions 7.5.1.1 and prior, allows an attacker to craft a project file specifying a URI that causes the XML parser to access the URI and embed the contents, which may allow the attacker to disclose information that is accessible in the context of the user executing the software. FPWIN Pro, provided by Panasonic Corporation, has an XML external entity reference vulnerability. FPWIN Pro is PLC programming software provided by Panasonic Corporation. Pillow is a Python-based image processing library. There is currently no information about this vulnerability; please follow CNNVD or manufacturer announcements.

Trust: 2.25

sources: NVD: CVE-2021-32972 // JVNDB: JVNDB-2021-001896 // CNNVD: CNNVD-202104-975 // VULMON: CVE-2021-32972

AFFECTED PRODUCTS

vendor: panasonic, model: fpwin pro, scope: lte, version: 7.5.1.1

Trust: 1.0

vendor: パナソニック株式会社, model: fpwin pro, scope: eq, version: programming control software v7.5.1.1 and all previous s

Trust: 0.8

vendor: パナソニック株式会社, model: fpwin pro, scope: eq, version: -

Trust: 0.8

sources: JVNDB: JVNDB-2021-001896 // NVD: CVE-2021-32972

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2021-32972
value: MEDIUM

Trust: 1.0

IPA: JVNDB-2021-001896
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-202104-975
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-202106-1943
value: MEDIUM

Trust: 0.6

VULMON: CVE-2021-32972
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2021-32972
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.1

nvd@nist.gov: CVE-2021-32972
baseSeverity: MEDIUM
baseScore: 5.5
vectorString: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 1.8
impactScore: 3.6
version: 3.1

Trust: 1.0

IPA: JVNDB-2021-001896
baseSeverity: MEDIUM
baseScore: 5.9
vectorString: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULMON: CVE-2021-32972 // JVNDB: JVNDB-2021-001896 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202106-1943 // NVD: CVE-2021-32972

PROBLEMTYPE DATA

problemtype:CWE-611

Trust: 1.0

problemtype:XML Improper restrictions on external entity references (CWE-611) [IPA Evaluation ]

Trust: 0.8

sources: JVNDB: JVNDB-2021-001896 // NVD: CVE-2021-32972

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-202106-1943

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202104-975

PATCH

title: Programming Software Control FPWIN Pro, url: https://industry.panasonic.eu/factory-automation/programmable-logic-controllers-plc/plc-software/programming-software-control-fpwin-pro

Trust: 0.8

title: Claroty Secure Remote Access Fixes for code issue vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=155675

Trust: 0.6

sources: JVNDB: JVNDB-2021-001896 // CNNVD: CNNVD-202106-1943

EXTERNAL IDS

db: ICS CERT, id: ICSA-21-180-03

Trust: 2.5

db: NVD, id: CVE-2021-32972

Trust: 2.5

db: JVN, id: JVNVU95869186

Trust: 0.8

db: JVNDB, id: JVNDB-2021-001896

Trust: 0.8

db: CS-HELP, id: SB2021041363

Trust: 0.6

db: CNNVD, id: CNNVD-202104-975

Trust: 0.6

db: CS-HELP, id: SB2021063023

Trust: 0.6

db: AUSCERT, id: ESB-2021.2282

Trust: 0.6

db: CNNVD, id: CNNVD-202106-1943

Trust: 0.6

db: VULMON, id: CVE-2021-32972

Trust: 0.1

sources: VULMON: CVE-2021-32972 // JVNDB: JVNDB-2021-001896 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202106-1943 // NVD: CVE-2021-32972

REFERENCES

url:https://us-cert.cisa.gov/ics/advisories/icsa-21-180-03

Trust: 3.1

url:http://jvn.jp/cert/jvnvu95869186

Trust: 0.8

url:https://www.cybersecurity-help.cz/vdb/sb2021041363

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2021.2282

Trust: 0.6

url:https://www.cybersecurity-help.cz/vdb/sb2021063023

Trust: 0.6

url:https://cwe.mitre.org/data/definitions/611.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

sources: VULMON: CVE-2021-32972 // JVNDB: JVNDB-2021-001896 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202106-1943 // NVD: CVE-2021-32972

CREDITS

Michael Heinzl reported this vulnerability to CISA.

Trust: 0.6

sources: CNNVD: CNNVD-202106-1943

SOURCES

db: VULMON, id: CVE-2021-32972
db: JVNDB, id: JVNDB-2021-001896
db: CNNVD, id: CNNVD-202104-975
db: CNNVD, id: CNNVD-202106-1943
db: NVD, id: CVE-2021-32972

LAST UPDATE DATE

2024-08-14T12:19:53.360000+00:00


SOURCES UPDATE DATE

db: VULMON, id: CVE-2021-32972, date: 2021-07-13T00:00:00
db: JVNDB, id: JVNDB-2021-001896, date: 2021-07-01T08:48:00
db: CNNVD, id: CNNVD-202104-975, date: 2021-04-14T00:00:00
db: CNNVD, id: CNNVD-202106-1943, date: 2021-07-14T00:00:00
db: NVD, id: CVE-2021-32972, date: 2021-07-13T16:55:28.230

SOURCES RELEASE DATE

db: VULMON, id: CVE-2021-32972, date: 2021-07-09T00:00:00
db: JVNDB, id: JVNDB-2021-001896, date: 2021-07-01T00:00:00
db: CNNVD, id: CNNVD-202104-975, date: 2021-04-13T00:00:00
db: CNNVD, id: CNNVD-202106-1943, date: 2021-06-29T00:00:00
db: NVD, id: CVE-2021-32972, date: 2021-07-09T11:15:08.630