Details of VAR-202110-0326

ID

VAR-202110-0326

CVE

CVE-2021-38431

TITLE

Advantech WebAccess SCADA Vulnerability regarding lack of authentication in

Trust: 0.8

sources: JVNDB: JVNDB-2021-013738

DESCRIPTION

An authenticated user using Advantech WebAccess SCADA in versions 9.0.3 and prior can use API functions to disclose project names and paths from other users. Advantech WebAccess SCADA Exists in a vulnerability related to the lack of authentication.Information may be obtained. Advantech WebAccess SCADA is a set of browser-based SCADA software from Advantech, a company in Taiwan. The software supports dynamic graphic display and real-time data control, and provides functions for remote control and management of automation equipment. For monitoring, data acquisition and visualization

Trust: 2.34

sources: NVD: CVE-2021-38431 // JVNDB: JVNDB-2021-013738 // CNVD: CNVD-2021-80268 // VULHUB: VHN-397681 // VULMON: CVE-2021-38431

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2021-80268

AFFECTED PRODUCTS

vendor:	advantech	model:	webaccess scada	scope:	lte	version:	9.0.3	Trust: 1.0
vendor:	アドバンテック株式会社	model:	webaccess/scada	scope:	eq	version:	-	Trust: 0.8
vendor:	アドバンテック株式会社	model:	webaccess/scada	scope:	lte	version:	9.0.3 and earlier	Trust: 0.8
vendor:	advantech	model:	webaccess scada	scope:	lte	version:	<=9.0.3	Trust: 0.6

sources: CNVD: CNVD-2021-80268 // JVNDB: JVNDB-2021-013738 // NVD: CVE-2021-38431

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2021-38431
value:	MEDIUM
Trust: 1.0
ics-cert@hq.dhs.gov:	CVE-2021-38431
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2021-38431
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2021-80268
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-202110-926
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-397681
value:	MEDIUM
Trust: 0.1
VULMON:	CVE-2021-38431
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2021-38431
severity:	MEDIUM
baseScore:	4.0
vectorString:	AV:N/AC:L/AU:S/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	8.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
CNVD:	CNVD-2021-80268
severity:	MEDIUM
baseScore:	4.0
vectorString:	AV:N/AC:L/AU:S/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	8.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
VULHUB:	VHN-397681
severity:	MEDIUM
baseScore:	4.0
vectorString:	AV:N/AC:L/AU:S/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	8.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2021-38431
baseSeverity:	MEDIUM
baseScore:	4.3
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	LOW
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	1.4
version:	3.1
Trust: 2.0
OTHER:	JVNDB-2021-013738
baseSeverity:	MEDIUM
baseScore:	4.3
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	LOW
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2021-80268 // VULHUB: VHN-397681 // VULMON: CVE-2021-38431 // JVNDB: JVNDB-2021-013738 // CNNVD: CNNVD-202110-926 // NVD: CVE-2021-38431 // NVD: CVE-2021-38431

PROBLEMTYPE DATA

problemtype:	CWE-862	Trust: 1.1
problemtype:	Lack of authentication (CWE-862) [NVD evaluation ]	Trust: 0.8

sources: VULHUB: VHN-397681 // JVNDB: JVNDB-2021-013738 // NVD: CVE-2021-38431

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202110-926

TYPE

authorization issue

Trust: 0.6

sources: CNNVD: CNNVD-202110-926

PATCH

title:	WebAccess/SCADA	url:	https://www.advantech.com/industrial-automation/webaccess/webaccessscada	Trust: 0.8
title:	Patch for Advantech WebAccess SCADA Authorization Issue Vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/294866	Trust: 0.6
title:	Advantech WebAccess Remediation measures for authorization problem vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=166092	Trust: 0.6

sources: CNVD: CNVD-2021-80268 // JVNDB: JVNDB-2021-013738 // CNNVD: CNNVD-202110-926

EXTERNAL IDS

db:	NVD	id:	CVE-2021-38431	Trust: 4.0
db:	ICS CERT	id:	ICSA-21-285-01	Trust: 3.2
db:	JVN	id:	JVNVU97189148	Trust: 0.8
db:	JVNDB	id:	JVNDB-2021-013738	Trust: 0.8
db:	CNNVD	id:	CNNVD-202110-926	Trust: 0.7
db:	CNVD	id:	CNVD-2021-80268	Trust: 0.6
db:	CS-HELP	id:	SB2021101311	Trust: 0.6
db:	AUSCERT	id:	ESB-2021.3440	Trust: 0.6
db:	VULHUB	id:	VHN-397681	Trust: 0.1
db:	VULMON	id:	CVE-2021-38431	Trust: 0.1

sources: CNVD: CNVD-2021-80268 // VULHUB: VHN-397681 // VULMON: CVE-2021-38431 // JVNDB: JVNDB-2021-013738 // CNNVD: CNNVD-202110-926 // NVD: CVE-2021-38431

REFERENCES

url:	https://us-cert.cisa.gov/ics/advisories/icsa-21-285-01	Trust: 3.0
url:	https://nvd.nist.gov/vuln/detail/cve-2021-38431	Trust: 1.4
url:	http://jvn.jp/vu/jvnvu97189148/index.html	Trust: 0.8
url:	https://www.cisa.gov/uscert/ics/advisories/icsa-21-285-01	Trust: 0.8
url:	https://www.auscert.org.au/bulletins/esb-2021.3440	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2021101311	Trust: 0.6
url:	https://cwe.mitre.org/data/definitions/862.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: CNVD: CNVD-2021-80268 // VULHUB: VHN-397681 // VULMON: CVE-2021-38431 // JVNDB: JVNDB-2021-013738 // CNNVD: CNNVD-202110-926 // NVD: CVE-2021-38431

CREDITS

Inc., reported this vulnerability to CISA.,Peter Cheng from ELEX FEIGONG RESEARCH INSTITUTE of Elex CyberSecurity

Trust: 0.6

sources: CNNVD: CNNVD-202110-926

SOURCES

db:	CNVD	id:	CNVD-2021-80268
db:	VULHUB	id:	VHN-397681
db:	VULMON	id:	CVE-2021-38431
db:	JVNDB	id:	JVNDB-2021-013738
db:	CNNVD	id:	CNNVD-202110-926
db:	NVD	id:	CVE-2021-38431

LAST UPDATE DATE

2024-08-14T14:03:02.780000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2021-80268	date:	2022-01-18T00:00:00
db:	VULHUB	id:	VHN-397681	date:	2021-10-20T00:00:00
db:	VULMON	id:	CVE-2021-38431	date:	2021-10-20T00:00:00
db:	JVNDB	id:	JVNDB-2021-013738	date:	2022-09-27T05:34:00
db:	CNNVD	id:	CNNVD-202110-926	date:	2021-10-22T00:00:00
db:	NVD	id:	CVE-2021-38431	date:	2021-10-20T15:12:45.713

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2021-80268	date:	2021-10-26T00:00:00
db:	VULHUB	id:	VHN-397681	date:	2021-10-15T00:00:00
db:	VULMON	id:	CVE-2021-38431	date:	2021-10-15T00:00:00
db:	JVNDB	id:	JVNDB-2021-013738	date:	2022-09-27T00:00:00
db:	CNNVD	id:	CNNVD-202110-926	date:	2021-10-12T00:00:00
db:	NVD	id:	CVE-2021-38431	date:	2021-10-15T13:15:07.533