Sign-up

ID

VAR-202108-2251


CVE

CVE-2021-33009


TITLE

mySCADA  Made  myPRO  Multiple vulnerabilities

Trust: 0.8

sources: JVNDB: JVNDB-2021-002267

DESCRIPTION

mySCADA myPRO versions prior to 8.20.0 allows an unauthenticated remote attacker to upload arbitrary files to the file system. mySCADA Provided by the company myPRO contains multiple vulnerabilities: * Inadequate access control ( CWE-284 ) - CVE-2021-33013 It was * Unlimited uploads of dangerous file types ( CWE-434 ) - CVE-2021-33009 It was * Path Traversal ( CWE-22 ) - CVE-2021-33005 It was * Information leakage due to disclosure of directory information ( CWE-548 ) - CVE-2021-27505The expected impact depends on each vulnerability, but it may be affected as follows. - CVE-2021-33005 It was * Sensitive directory listing information may be read by a remote attacker - CVE-2021-27505. Pillow is a Python-based image processing library. There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements

Trust: 2.25

sources: NVD: CVE-2021-33009 // JVNDB: JVNDB-2021-002267 // CNNVD: CNNVD-202104-975 // VULMON: CVE-2021-33009

AFFECTED PRODUCTS

vendor:myscadamodel:myproscope:ltversion:8.20.0

Trust: 1.0

vendor:myscadamodel:myproscope:eqversion: -

Trust: 0.8

vendor:myscadamodel:myproscope:eqversion:v8.20.0 all previous s

Trust: 0.8

sources: JVNDB: JVNDB-2021-002267 // NVD: CVE-2021-33009

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2021-33009
value: HIGH

Trust: 1.0

ics-cert@hq.dhs.gov: CVE-2021-33009
value: HIGH

Trust: 1.0

OTHER: JVNDB-2021-002267
value: HIGH

Trust: 0.8

CNNVD: CNNVD-202108-516
value: HIGH

Trust: 0.6

CNNVD: CNNVD-202104-975
value: MEDIUM

Trust: 0.6

nvd@nist.gov: CVE-2021-33009
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

nvd@nist.gov: CVE-2021-33009
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.1

Trust: 2.0

OTHER: JVNDB-2021-002267
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: JVNDB: JVNDB-2021-002267 // CNNVD: CNNVD-202108-516 // CNNVD: CNNVD-202104-975 // NVD: CVE-2021-33009 // NVD: CVE-2021-33009

PROBLEMTYPE DATA

problemtype:CWE-434

Trust: 1.0

problemtype:Path traversal (CWE-22) [ others ]

Trust: 0.8

problemtype: Inappropriate access control (CWE-284) [ others ]

Trust: 0.8

problemtype: Unlimited uploads of dangerous types of files (CWE-434) [ others ]

Trust: 0.8

problemtype: Information disclosure through directory listings (CWE-548) [ others ]

Trust: 0.8

sources: JVNDB: JVNDB-2021-002267 // NVD: CVE-2021-33009

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202108-516

TYPE

code problem

Trust: 0.6

sources: CNNVD: CNNVD-202108-516

PATCH

title:VERSION 8.20.0 RELEASEDurl:https://www.myscada.org/version-8-20-0-released-security-update/

Trust: 0.8

sources: JVNDB: JVNDB-2021-002267

EXTERNAL IDS

db:NVDid:CVE-2021-33009

Trust: 3.3

db:ICS CERTid:ICSA-21-217-03

Trust: 2.5

db:JVNid:JVNVU94730303

Trust: 0.8

db:JVNDBid:JVNDB-2021-002267

Trust: 0.8

db:CS-HELPid:SB2021080605

Trust: 0.6

db:AUSCERTid:ESB-2021.2659

Trust: 0.6

db:CNNVDid:CNNVD-202108-516

Trust: 0.6

db:CS-HELPid:SB2021041363

Trust: 0.6

db:CNNVDid:CNNVD-202104-975

Trust: 0.6

db:VULMONid:CVE-2021-33009

Trust: 0.1

sources: VULMON: CVE-2021-33009 // JVNDB: JVNDB-2021-002267 // CNNVD: CNNVD-202108-516 // CNNVD: CNNVD-202104-975 // NVD: CVE-2021-33009

REFERENCES

url:https://www.cisa.gov/uscert/ics/advisories/icsa-21-217-03

Trust: 1.7

url:https://www.myscada.org/version-8-20-0-released-security-update

Trust: 1.7

url:https://us-cert.cisa.gov/ics/advisories/icsa-21-217-03

Trust: 1.4

url:http://jvn.jp/cert/jvnvu94730303

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2021-27505

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2021-33005

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2021-33009

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2021-33013

Trust: 0.8

url:https://www.cybersecurity-help.cz/vdb/sb2021080605

Trust: 0.6

url:https://cxsecurity.com/cveshow/cve-2021-33009/

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2021.2659

Trust: 0.6

url:https://www.cybersecurity-help.cz/vdb/sb2021041363

Trust: 0.6

url:https://cwe.mitre.org/data/definitions/434.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

sources: VULMON: CVE-2021-33009 // JVNDB: JVNDB-2021-002267 // CNNVD: CNNVD-202108-516 // CNNVD: CNNVD-202104-975 // NVD: CVE-2021-33009

CREDITS

Michael Heinzl reported these vulnerabilities to CISA.

Trust: 0.6

sources: CNNVD: CNNVD-202108-516

SOURCES

db:VULMONid:CVE-2021-33009
db:JVNDBid:JVNDB-2021-002267
db:CNNVDid:CNNVD-202108-516
db:CNNVDid:CNNVD-202104-975
db:NVDid:CVE-2021-33009

LAST UPDATE DATE

2024-08-14T12:55:37.884000+00:00


SOURCES UPDATE DATE

db:VULMONid:CVE-2021-33009date:2022-05-13T00:00:00
db:JVNDBid:JVNDB-2021-002267date:2024-06-20T02:08:00
db:CNNVDid:CNNVD-202108-516date:2022-05-25T00:00:00
db:CNNVDid:CNNVD-202104-975date:2021-04-14T00:00:00
db:NVDid:CVE-2021-33009date:2022-05-24T20:44:58.087

SOURCES RELEASE DATE

db:VULMONid:CVE-2021-33009date:2022-05-13T00:00:00
db:JVNDBid:JVNDB-2021-002267date:2021-08-10T00:00:00
db:CNNVDid:CNNVD-202108-516date:2021-08-05T00:00:00
db:CNNVDid:CNNVD-202104-975date:2021-04-13T00:00:00
db:NVDid:CVE-2021-33009date:2022-05-13T16:15:08.017