Details of VAR-202107-0878

ID

VAR-202107-0878

CVE

CVE-2021-32972

TITLE

Made by Panasonic FPWIN Pro To XML Improper restriction vulnerability in external entity reference

Trust: 0.8

sources: JVNDB: JVNDB-2021-001896

DESCRIPTION

Panasonic FPWIN Pro, all Versions 7.5.1.1 and prior, allows an attacker to craft a project file specifying a URI that causes the XML parser to access the URI and embed the contents, which may allow the attacker to disclose information that is accessible in the context of the user executing software. Provided by Panasonic Corporation FPWIN Pro Has XML An external entity reference vulnerability exists. FPWIN Pro Is provided by Panasonic Corporation PLC Programming software for. Pillow is a Python-based image processing library. There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements

Trust: 2.25

sources: NVD: CVE-2021-32972 // JVNDB: JVNDB-2021-001896 // CNNVD: CNNVD-202104-975 // VULMON: CVE-2021-32972

AFFECTED PRODUCTS

vendor:	panasonic	model:	fpwin pro	scope:	lte	version:	7.5.1.1	Trust: 1.0
vendor:	パナソニック株式会社	model:	fpwin pro	scope:	eq	version:	programming control software v7.5.1.1 and all previous s	Trust: 0.8
vendor:	パナソニック株式会社	model:	fpwin pro	scope:	eq	version:	-	Trust: 0.8

sources: JVNDB: JVNDB-2021-001896 // NVD: CVE-2021-32972

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2021-32972
value:	MEDIUM
Trust: 1.0
IPA:	JVNDB-2021-001896
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-202104-975
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-202106-1943
value:	MEDIUM
Trust: 0.6
VULMON:	CVE-2021-32972
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2021-32972
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.1

nvd@nist.gov:	CVE-2021-32972
baseSeverity:	MEDIUM
baseScore:	5.5
vectorString:	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	1.8
impactScore:	3.6
version:	3.1
Trust: 1.0
IPA:	JVNDB-2021-001896
baseSeverity:	MEDIUM
baseScore:	5.9
vectorString:	CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULMON: CVE-2021-32972 // JVNDB: JVNDB-2021-001896 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202106-1943 // NVD: CVE-2021-32972

PROBLEMTYPE DATA

problemtype:	CWE-611	Trust: 1.0
problemtype:	XML Improper restrictions on external entity references (CWE-611) [IPA Evaluation ]	Trust: 0.8

sources: JVNDB: JVNDB-2021-001896 // NVD: CVE-2021-32972

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-202106-1943

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202104-975

PATCH

title:	Programming Software Control FPWIN Pro	url:	https://industry.panasonic.eu/factory-automation/programmable-logic-controllers-plc/plc-software/programming-software-control-fpwin-pro	Trust: 0.8
title:	Claroty Secure Remote Access Fixes for code issue vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=155675	Trust: 0.6

sources: JVNDB: JVNDB-2021-001896 // CNNVD: CNNVD-202106-1943

EXTERNAL IDS

db:	ICS CERT	id:	ICSA-21-180-03	Trust: 2.5
db:	NVD	id:	CVE-2021-32972	Trust: 2.5
db:	JVN	id:	JVNVU95869186	Trust: 0.8
db:	JVNDB	id:	JVNDB-2021-001896	Trust: 0.8
db:	CS-HELP	id:	SB2021041363	Trust: 0.6
db:	CNNVD	id:	CNNVD-202104-975	Trust: 0.6
db:	CS-HELP	id:	SB2021063023	Trust: 0.6
db:	AUSCERT	id:	ESB-2021.2282	Trust: 0.6
db:	CNNVD	id:	CNNVD-202106-1943	Trust: 0.6
db:	VULMON	id:	CVE-2021-32972	Trust: 0.1

sources: VULMON: CVE-2021-32972 // JVNDB: JVNDB-2021-001896 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202106-1943 // NVD: CVE-2021-32972

REFERENCES

url:	https://us-cert.cisa.gov/ics/advisories/icsa-21-180-03	Trust: 3.1
url:	http://jvn.jp/cert/jvnvu95869186	Trust: 0.8
url:	https://www.cybersecurity-help.cz/vdb/sb2021041363	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2021.2282	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2021063023	Trust: 0.6
url:	https://cwe.mitre.org/data/definitions/611.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: VULMON: CVE-2021-32972 // JVNDB: JVNDB-2021-001896 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202106-1943 // NVD: CVE-2021-32972

CREDITS

Michael Heinzl reported this vulnerability to CISA.

Trust: 0.6

sources: CNNVD: CNNVD-202106-1943

SOURCES

db:	VULMON	id:	CVE-2021-32972
db:	JVNDB	id:	JVNDB-2021-001896
db:	CNNVD	id:	CNNVD-202104-975
db:	CNNVD	id:	CNNVD-202106-1943
db:	NVD	id:	CVE-2021-32972

LAST UPDATE DATE

2024-08-14T12:19:53.360000+00:00

SOURCES UPDATE DATE

db:	VULMON	id:	CVE-2021-32972	date:	2021-07-13T00:00:00
db:	JVNDB	id:	JVNDB-2021-001896	date:	2021-07-01T08:48:00
db:	CNNVD	id:	CNNVD-202104-975	date:	2021-04-14T00:00:00
db:	CNNVD	id:	CNNVD-202106-1943	date:	2021-07-14T00:00:00
db:	NVD	id:	CVE-2021-32972	date:	2021-07-13T16:55:28.230

SOURCES RELEASE DATE

db:	VULMON	id:	CVE-2021-32972	date:	2021-07-09T00:00:00
db:	JVNDB	id:	JVNDB-2021-001896	date:	2021-07-01T00:00:00
db:	CNNVD	id:	CNNVD-202104-975	date:	2021-04-13T00:00:00
db:	CNNVD	id:	CNNVD-202106-1943	date:	2021-06-29T00:00:00
db:	NVD	id:	CVE-2021-32972	date:	2021-07-09T11:15:08.630