Details of VAR-202201-0393

ID

VAR-202201-0393

CVE

CVE-2021-39369

TITLE

Philips Vue MyVue PACS Past traversal vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2022-003715

DESCRIPTION

In Philips (formerly Carestream) Vue MyVue PACS through 12.2.x.x, the VideoStream function allows Path Traversal by authenticated users to access files stored outside of the web root. Philips Vue MyVue PACS Exists in a past traversal vulnerability.Information may be obtained

Trust: 1.8

sources: NVD: CVE-2021-39369 // JVNDB: JVNDB-2022-003715 // VULHUB: VHN-400846 // VULMON: CVE-2021-39369

AFFECTED PRODUCTS

vendor:	philips	model:	myvue	scope:	eq	version:	-	Trust: 1.0
vendor:	philips	model:	vue motion	scope:	lte	version:	12.2.1.5	Trust: 1.0
vendor:	philips	model:	speech	scope:	eq	version:	-	Trust: 1.0
vendor:	philips	model:	vue pacs	scope:	eq	version:	-	Trust: 1.0
vendor:	フィリップス	model:	vue myvue	scope:	-	version:	-	Trust: 0.8
vendor:	フィリップス	model:	vue speech	scope:	-	version:	-	Trust: 0.8
vendor:	フィリップス	model:	vue pacs	scope:	-	version:	-	Trust: 0.8
vendor:	フィリップス	model:	vue motion	scope:	-	version:	-	Trust: 0.8

sources: JVNDB: JVNDB-2022-003715 // NVD: CVE-2021-39369

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2021-39369
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2021-39369
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-202201-1790
value:	MEDIUM
Trust: 0.6

nvd@nist.gov:	CVE-2021-39369
baseSeverity:	MEDIUM
baseScore:	6.5
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	3.6
version:	3.1
Trust: 1.0
NVD:	CVE-2021-39369
baseSeverity:	MEDIUM
baseScore:	6.5
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: JVNDB: JVNDB-2022-003715 // CNNVD: CNNVD-202201-1790 // NVD: CVE-2021-39369

PROBLEMTYPE DATA

problemtype:	CWE-22	Trust: 1.1
problemtype:	Path traversal (CWE-22) [NVD evaluation ]	Trust: 0.8

sources: VULHUB: VHN-400846 // JVNDB: JVNDB-2022-003715 // NVD: CVE-2021-39369

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202201-1790

TYPE

path traversal

Trust: 0.6

sources: CNNVD: CNNVD-202201-1790

PATCH

title:	Advancing Digital Health Technology	url:	https://www.usa.philips.com/healthcare	Trust: 0.8
title:	Philips Vue PACS Security vulnerabilities	url:	http://123.124.177.30/web/xxk/bdxqById.tag?id=179118	Trust: 0.6

sources: JVNDB: JVNDB-2022-003715 // CNNVD: CNNVD-202201-1790

EXTERNAL IDS

db:	NVD	id:	CVE-2021-39369	Trust: 3.4
db:	ICS CERT	id:	ICSMA-21-187-01	Trust: 2.6
db:	JVN	id:	JVNVU96012689	Trust: 0.8
db:	JVNDB	id:	JVNDB-2022-003715	Trust: 0.8
db:	CNNVD	id:	CNNVD-202201-1790	Trust: 0.6
db:	VULHUB	id:	VHN-400846	Trust: 0.1
db:	VULMON	id:	CVE-2021-39369	Trust: 0.1

sources: VULHUB: VHN-400846 // VULMON: CVE-2021-39369 // JVNDB: JVNDB-2022-003715 // CNNVD: CNNVD-202201-1790 // NVD: CVE-2021-39369

REFERENCES

url:	https://www.youtube.com/watch?v=7zc84tnpixw	Trust: 2.6
url:	https://www.cisa.gov/uscert/ics/advisories/icsma-21-187-01	Trust: 1.9
url:	https://www.usa.philips.com/healthcare	Trust: 1.8
url:	https://jvn.jp/vu/jvnvu96012689/	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2021-39369	Trust: 0.8
url:	https://www.cisa.gov/news-events/ics-medical-advisories/icsma-21-187-01	Trust: 0.8
url:	https://cxsecurity.com/cveshow/cve-2021-39369/	Trust: 0.6
url:	https://us-cert.cisa.gov/ics/advisories/icsma-21-187-01	Trust: 0.6
url:	https://nvd.nist.gov	Trust: 0.1

sources: VULHUB: VHN-400846 // VULMON: CVE-2021-39369 // JVNDB: JVNDB-2022-003715 // CNNVD: CNNVD-202201-1790 // NVD: CVE-2021-39369

CREDITS

Antonio Kulhanek reported CVE-2021-39369 to Philips. Philips reported these vulnerabilities to CISA.

Trust: 0.6

sources: CNNVD: CNNVD-202201-1790

SOURCES

db:	VULHUB	id:	VHN-400846
db:	VULMON	id:	CVE-2021-39369
db:	JVNDB	id:	JVNDB-2022-003715
db:	CNNVD	id:	CNNVD-202201-1790
db:	NVD	id:	CVE-2021-39369

LAST UPDATE DATE

2024-08-14T12:13:39.648000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-400846	date:	2023-01-05T00:00:00
db:	VULMON	id:	CVE-2021-39369	date:	2022-12-26T00:00:00
db:	JVNDB	id:	JVNDB-2022-003715	date:	2023-03-06T06:36:00
db:	CNNVD	id:	CNNVD-202201-1790	date:	2023-01-06T00:00:00
db:	NVD	id:	CVE-2021-39369	date:	2023-01-05T04:49:19.460

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-400846	date:	2022-12-26T00:00:00
db:	VULMON	id:	CVE-2021-39369	date:	2022-12-26T00:00:00
db:	JVNDB	id:	JVNDB-2022-003715	date:	2023-03-06T00:00:00
db:	CNNVD	id:	CNNVD-202201-1790	date:	2022-01-20T00:00:00
db:	NVD	id:	CVE-2021-39369	date:	2022-12-26T06:15:10.617