Lucene search

[email protected]CVE-2021-38410

HistoryJul 27, 2022 - 9:15 p.m.

CVE-2021-38410

2022-07-2721:15:08

CWE-427

[email protected]

web.nvd.nist.gov

aveva

software platform

common services

pcs

portal

dll hijacking

vulnerability

cve-2021-38410

nvd

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

7.5 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

28.8%

JSON

AVEVA Software Platform Common Services (PCS) Portal versions 4.5.2, 4.5.1, 4.5.0, and 4.4.6 are vulnerable to DLL hijacking through an uncontrolled search path element, which may allow an attacker control to one or more locations in the search path.

Affected configurations

NVD

Node

avevabatch_managementMatch2020

avevaenterprise_data_managementMatch2020

avevamanufacturing_execution_systemMatch2020

avevamobile_operatorMatch2020

avevaplatform_common_servicesMatch4.4.6

avevaplatform_common_servicesMatch4.5.0

avevaplatform_common_servicesMatch4.5.1

avevaplatform_common_servicesMatch4.5.2

avevasystem_platformMatch2020-

avevasystem_platformMatch2020r2

avevasystem_platformMatch2020r2_p01

avevawork_tasksMatch2020-

avevawork_tasksMatch2020update_1

CPENameOperatorVersion
aveva:batch_managementaveva batch managementeq2020
aveva:enterprise_data_managementaveva enterprise data managementeq2020
aveva:manufacturing_execution_systemaveva manufacturing execution systemeq2020
aveva:mobile_operatoraveva mobile operatoreq2020
aveva:platform_common_servicesaveva platform common serviceseq4.4.6
aveva:platform_common_servicesaveva platform common serviceseq4.5.0
aveva:platform_common_servicesaveva platform common serviceseq4.5.1
aveva:platform_common_servicesaveva platform common serviceseq4.5.2
aveva:system_platformaveva system platformeq2020
aveva:work_tasksaveva work taskseq2020

CPE	Name	Operator	Version
aveva:batch_management	aveva batch management	eq	2020
aveva:enterprise_data_management	aveva enterprise data management	eq	2020
aveva:manufacturing_execution_system	aveva manufacturing execution system	eq	2020
aveva:mobile_operator	aveva mobile operator	eq	2020
aveva:platform_common_services	aveva platform common services	eq	4.4.6
aveva:platform_common_services	aveva platform common services	eq	4.5.0
aveva:platform_common_services	aveva platform common services	eq	4.5.1
aveva:platform_common_services	aveva platform common services	eq	4.5.2
aveva:system_platform	aveva system platform	eq	2020
aveva:work_tasks	aveva work tasks	eq	2020

CNA Affected

[
  {
    "product": "Platform Common Services (PCS) Portal",
    "vendor": "AVEVA",
    "versions": [
      {
        "status": "affected",
        "version": "4.5.2"
      },
      {
        "status": "affected",
        "version": "4.5.1"
      },
      {
        "status": "affected",
        "version": "4.5.0"
      },
      {
        "status": "affected",
        "version": "4.4.6"
      }
    ]
  }
]

References

www.aveva.com/en/support-and-success/cyber-security-updates/

www.cisa.gov/uscert/ics/advisories/icsa-21-252-01

Social References

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

7.5 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

28.8%

JSON

Related for CVE-2021-38410

cvelist1 ics1 nvd1 prion1