ID

VAR-202201-0866


CVE

CVE-2021-37197


TITLE

SQL Injection Vulnerability in COMOS

Trust: 0.8

sources: JVNDB: JVNDB-2022-002934

DESCRIPTION

A vulnerability has been identified in COMOS V10.2 (All versions only if web components are used), COMOS V10.3 (All versions < V10.3.3.3 only if web components are used), COMOS V10.4 (All versions < V10.4.1 only if web components are used). The COMOS Web component of COMOS is vulnerable to SQL injections. This could allow an attacker to execute arbitrary SQL statements. COMOS contains an SQL injection vulnerability. Information may be obtained, information may be tampered with, and the service may be put into a denial-of-service (DoS) state.

Trust: 1.71

sources: NVD: CVE-2021-37197 // JVNDB: JVNDB-2022-002934 // VULHUB: VHN-399028

AFFECTED PRODUCTS

vendor:siemensmodel:comosscope:gteversion:10.3

Trust: 1.0

vendor:siemensmodel:comosscope:ltversion:10.3.3.3

Trust: 1.0

vendor:siemensmodel:comosscope:lteversion:10.2

Trust: 1.0

vendor:siemensmodel:comosscope:eqversion:10.4

Trust: 1.0

vendor:シーメンスmodel:comosscope:eqversion: -

Trust: 0.8

vendor:シーメンスmodel:comosscope:eqversion:10.4 or later, before 10.4.1

Trust: 0.8

vendor:シーメンスmodel:comosscope:eqversion:10.3 or later, before 10.3.3.3

Trust: 0.8

vendor:シーメンスmodel:comosscope:eqversion:10.2

Trust: 0.8

sources: JVNDB: JVNDB-2022-002934 // NVD: CVE-2021-37197

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2021-37197
value: HIGH

Trust: 1.0

NVD: CVE-2021-37197
value: HIGH

Trust: 0.8

CNNVD: CNNVD-202201-864
value: HIGH

Trust: 0.6

VULHUB: VHN-399028
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2021-37197
severity: MEDIUM
baseScore: 6.0
vectorString: AV:N/AC:M/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 6.8
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-399028
severity: MEDIUM
baseScore: 6.0
vectorString: AV:N/AC:M/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 6.8
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2021-37197
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2021-37197
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-399028 // JVNDB: JVNDB-2022-002934 // CNNVD: CNNVD-202201-864 // NVD: CVE-2021-37197

PROBLEMTYPE DATA

problemtype:CWE-89

Trust: 1.1

problemtype:SQL injection (CWE-89) [NVD evaluation]

Trust: 0.8

sources: VULHUB: VHN-399028 // JVNDB: JVNDB-2022-002934 // NVD: CVE-2021-37197

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202201-864

TYPE

SQL injection

Trust: 0.6

sources: CNNVD: CNNVD-202201-864

PATCH

title:SSA-995338url:https://cert-portal.siemens.com/productcert/pdf/ssa-995338.pdf

Trust: 0.8

title:Siemens Comos SQL injection vulnerability repair measuresurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=178725

Trust: 0.6

sources: JVNDB: JVNDB-2022-002934 // CNNVD: CNNVD-202201-864

EXTERNAL IDS

db:NVDid:CVE-2021-37197

Trust: 3.3

db:SIEMENSid:SSA-995338

Trust: 1.7

db:ICS CERTid:ICSA-22-013-05

Trust: 1.4

db:JVNid:JVNVU98508242

Trust: 0.8

db:JVNDBid:JVNDB-2022-002934

Trust: 0.8

db:CNNVDid:CNNVD-202201-864

Trust: 0.7

db:CS-HELPid:SB2022011801

Trust: 0.6

db:AUSCERTid:ESB-2022.0602

Trust: 0.6

db:CNVDid:CNVD-2022-02745

Trust: 0.1

db:VULHUBid:VHN-399028

Trust: 0.1

sources: VULHUB: VHN-399028 // JVNDB: JVNDB-2022-002934 // CNNVD: CNNVD-202201-864 // NVD: CVE-2021-37197

REFERENCES

url:https://cert-portal.siemens.com/productcert/pdf/ssa-995338.pdf

Trust: 1.7

url:https://jvn.jp/vu/jvnvu98508242/index.html

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2021-37197

Trust: 0.8

url:https://www.cisa.gov/uscert/ics/advisories/icsa-22-013-05

Trust: 0.8

url:https://www.cybersecurity-help.cz/vdb/sb2022011801

Trust: 0.6

url:https://us-cert.cisa.gov/ics/advisories/icsa-22-013-05

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2022.0602

Trust: 0.6

sources: VULHUB: VHN-399028 // JVNDB: JVNDB-2022-002934 // CNNVD: CNNVD-202201-864 // NVD: CVE-2021-37197

CREDITS

Sandro Poppi reported these vulnerabilities to Siemens.

Trust: 0.6

sources: CNNVD: CNNVD-202201-864

SOURCES

db:VULHUBid:VHN-399028
db:JVNDBid:JVNDB-2022-002934
db:CNNVDid:CNNVD-202201-864
db:NVDid:CVE-2021-37197

LAST UPDATE DATE

2024-08-14T12:58:35.024000+00:00


SOURCES UPDATE DATE

db:VULHUBid:VHN-399028date:2022-04-30T00:00:00
db:JVNDBid:JVNDB-2022-002934date:2023-01-31T01:34:00
db:CNNVDid:CNNVD-202201-864date:2022-05-05T00:00:00
db:NVDid:CVE-2021-37197date:2022-04-30T02:26:16.707

SOURCES RELEASE DATE

db:VULHUBid:VHN-399028date:2022-01-11T00:00:00
db:JVNDBid:JVNDB-2022-002934date:2023-01-31T00:00:00
db:CNNVDid:CNNVD-202201-864date:2022-01-11T00:00:00
db:NVDid:CVE-2021-37197date:2022-01-11T12:15:09.930