Details of VAR-202112-0785

ID

VAR-202112-0785

CVE

CVE-2021-44523

TITLE

SiPass integrated and Siveillance Identity Vulnerability in leaking resources to the wrong area in

Trust: 0.8

sources: JVNDB: JVNDB-2021-016370

DESCRIPTION

A vulnerability has been identified in SiPass integrated V2.76 (All versions), SiPass integrated V2.80 (All versions), SiPass integrated V2.85 (All versions), Siveillance Identity V1.5 (All versions), Siveillance Identity V1.6 (All versions < V1.6.284.0). Affected applications insufficiently limit the access to the internal activity feed database. This could allow an unauthenticated remote attacker to read, modify or delete activity feed entries. SiPass integrated and Siveillance Identity Exists in a vulnerability related to the leakage of resources to the wrong area.Information may be obtained and information may be tampered with. SiPass integrated is an access control system

Trust: 2.25

sources: NVD: CVE-2021-44523 // JVNDB: JVNDB-2021-016370 // CNVD: CNVD-2021-100378 // VULHUB: VHN-407754

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2021-100378

AFFECTED PRODUCTS

vendor:	siemens	model:	siveillance identity	scope:	gte	version:	1.6	Trust: 1.0
vendor:	siemens	model:	sipass integrated	scope:	eq	version:	2.85	Trust: 1.0
vendor:	siemens	model:	sipass integrated	scope:	eq	version:	2.80	Trust: 1.0
vendor:	siemens	model:	sipass integrated	scope:	eq	version:	2.76	Trust: 1.0
vendor:	siemens	model:	siveillance identity	scope:	eq	version:	1.5	Trust: 1.0
vendor:	siemens	model:	siveillance identity	scope:	lte	version:	1.6.280.0	Trust: 1.0
vendor:	シーメンス	model:	sipass integrated	scope:	-	version:	-	Trust: 0.8
vendor:	シーメンス	model:	siveillance identity	scope:	-	version:	-	Trust: 0.8
vendor:	siemens	model:	sipass integrated	scope:	eq	version:	v2.76	Trust: 0.6
vendor:	siemens	model:	sipass integrated	scope:	eq	version:	v2.80	Trust: 0.6
vendor:	siemens	model:	sipass integrated	scope:	eq	version:	v2.85	Trust: 0.6

sources: CNVD: CNVD-2021-100378 // JVNDB: JVNDB-2021-016370 // NVD: CVE-2021-44523

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2021-44523
value:	CRITICAL
Trust: 1.0
NVD:	CVE-2021-44523
value:	CRITICAL
Trust: 0.8
CNVD:	CNVD-2021-100378
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-202112-1235
value:	CRITICAL
Trust: 0.6
VULHUB:	VHN-407754
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2021-44523
severity:	MEDIUM
baseScore:	6.4
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	4.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2021-100378
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
VULHUB:	VHN-407754
severity:	MEDIUM
baseScore:	6.4
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	4.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2021-44523
baseSeverity:	CRITICAL
baseScore:	9.1
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	5.2
version:	3.1
Trust: 1.0
NVD:	CVE-2021-44523
baseSeverity:	CRITICAL
baseScore:	9.1
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2021-100378 // VULHUB: VHN-407754 // JVNDB: JVNDB-2021-016370 // CNNVD: CNNVD-202112-1235 // NVD: CVE-2021-44523

PROBLEMTYPE DATA

problemtype:	CWE-668	Trust: 1.1
problemtype:	Leakage of resources to the wrong area (CWE-668) [ others ]	Trust: 0.8

sources: VULHUB: VHN-407754 // JVNDB: JVNDB-2021-016370 // NVD: CVE-2021-44523

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202112-1235

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202112-1235

PATCH

title:	SSA-160202 Siemens Security Advisory	url:	https://cert-portal.siemens.com/productcert/pdf/ssa-160202.pdf	Trust: 0.8
title:	Patch for SiPass integrated Access Control Vulnerability (CNVD-2021-100378)	url:	https://www.cnvd.org.cn/patchInfo/show/306226	Trust: 0.6
title:	Siemens SiPass Integrated and Siveillance Identity Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=175715	Trust: 0.6

sources: CNVD: CNVD-2021-100378 // JVNDB: JVNDB-2021-016370 // CNNVD: CNNVD-202112-1235

EXTERNAL IDS

db:	NVD	id:	CVE-2021-44523	Trust: 3.9
db:	SIEMENS	id:	SSA-160202	Trust: 2.3
db:	SIEMENS	id:	SSA-463116	Trust: 1.7
db:	ICS CERT	id:	ICSA-21-350-14	Trust: 1.4
db:	JVN	id:	JVNVU96592426	Trust: 0.8
db:	ICS CERT	id:	ICSA-21-350-19	Trust: 0.8
db:	JVNDB	id:	JVNDB-2021-016370	Trust: 0.8
db:	CNVD	id:	CNVD-2021-100378	Trust: 0.6
db:	CS-HELP	id:	SB2022010612	Trust: 0.6
db:	CNNVD	id:	CNNVD-202112-1235	Trust: 0.6
db:	VULHUB	id:	VHN-407754	Trust: 0.1

sources: CNVD: CNVD-2021-100378 // VULHUB: VHN-407754 // JVNDB: JVNDB-2021-016370 // CNNVD: CNNVD-202112-1235 // NVD: CVE-2021-44523

REFERENCES

url:	https://cert-portal.siemens.com/productcert/pdf/ssa-160202.pdf	Trust: 2.3
url:	https://cert-portal.siemens.com/productcert/pdf/ssa-463116.pdf	Trust: 1.7
url:	https://nvd.nist.gov/vuln/detail/cve-2021-44523	Trust: 1.4
url:	https://jvn.jp/vu/jvnvu96592426/	Trust: 0.8
url:	https://www.cisa.gov/uscert/ics/advisories/icsa-21-350-14	Trust: 0.8
url:	https://www.cisa.gov/uscert/ics/advisories/icsa-21-350-19	Trust: 0.8
url:	https://us-cert.cisa.gov/ics/advisories/icsa-21-350-14	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2022010612	Trust: 0.6

sources: CNVD: CNVD-2021-100378 // VULHUB: VHN-407754 // JVNDB: JVNDB-2021-016370 // CNNVD: CNNVD-202112-1235 // NVD: CVE-2021-44523

CREDITS

Siemens reported these vulnerabilities to CISA.

Trust: 0.6

sources: CNNVD: CNNVD-202112-1235

SOURCES

db:	CNVD	id:	CNVD-2021-100378
db:	VULHUB	id:	VHN-407754
db:	JVNDB	id:	JVNDB-2021-016370
db:	CNNVD	id:	CNNVD-202112-1235
db:	NVD	id:	CVE-2021-44523

LAST UPDATE DATE

2024-08-14T12:13:50.258000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2021-100378	date:	2022-01-26T00:00:00
db:	VULHUB	id:	VHN-407754	date:	2021-12-17T00:00:00
db:	JVNDB	id:	JVNDB-2021-016370	date:	2022-12-13T08:15:00
db:	CNNVD	id:	CNNVD-202112-1235	date:	2022-01-07T00:00:00
db:	NVD	id:	CVE-2021-44523	date:	2021-12-17T13:22:45.933

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2021-100378	date:	2021-12-15T00:00:00
db:	VULHUB	id:	VHN-407754	date:	2021-12-14T00:00:00
db:	JVNDB	id:	JVNDB-2021-016370	date:	2022-12-13T00:00:00
db:	CNNVD	id:	CNNVD-202112-1235	date:	2021-12-14T00:00:00
db:	NVD	id:	CVE-2021-44523	date:	2021-12-14T12:15:12.077