Lucene search

[email protected]CVE-2021-43935

HistoryDec 15, 2021 - 7:15 p.m.

CVE-2021-43935

2021-12-1519:15:15

CWE-288

CWE-287

[email protected]

web.nvd.nist.gov

cve-2021-43935

sso

authentication

vulnerability

access

privileges

6.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.3 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

57.1%

JSON

The impacted products, when configured to use SSO, are affected by an improper authentication vulnerability. This vulnerability allows the application to accept manual entry of any active directory (AD) account provisioned in the application without supplying a password, resulting in access to the application as the supplied AD account, with all associated privileges.

Affected configurations

NVD

Node

baxterwelch_allyn_connex_cardioRange1.0.0–1.1.1

baxterwelch_allyn_diagnostic_cardiology_suiteMatch2.1.0

baxterwelch_allyn_rscribe_resting_ecg_systemRange5.01–7.0.0

baxterwelch_allyn_vision_express_holter_analysis_systemRange6.1.0–6.4.0

Node

baxterwelch_allyn_hscribe_holter_analysis_system_firmwareRange5.01–6.4.0

AND

baxterwelch_allyn_hscribe_holter_analysis_systemMatch-

Node

baxterwelch_allyn_q-stress_cardiac_stress_testing_system_firmwareRange6.0.0–6.3.1

AND

baxterwelch_allyn_q-stress_cardiac_stress_testing_systemMatch-

Node

baxterwelch_allyn_xscribe_cardiac_stress_testing_system_firmwareRange5.01–6.3.1

AND

baxterwelch_allyn_xscribe_cardiac_stress_testing_systemMatch-

CPENameOperatorVersion
baxter:welch_allyn_connex_cardiobaxter welch allyn connex cardiole1.1.1
baxter:welch_allyn_diagnostic_cardiology_suitebaxter welch allyn diagnostic cardiology suiteeq2.1.0
baxter:welch_allyn_rscribe_resting_ecg_systembaxter welch allyn rscribe resting ecg systemle7.0.0
baxter:welch_allyn_vision_express_holter_analysis_systembaxter welch allyn vision express holter analysis systemle6.4.0

CPE	Name	Operator	Version
baxter:welch_allyn_connex_cardio	baxter welch allyn connex cardio	le	1.1.1
baxter:welch_allyn_diagnostic_cardiology_suite	baxter welch allyn diagnostic cardiology suite	eq	2.1.0
baxter:welch_allyn_rscribe_resting_ecg_system	baxter welch allyn rscribe resting ecg system	le	7.0.0
baxter:welch_allyn_vision_express_holter_analysis_system	baxter welch allyn vision express holter analysis system	le	6.4.0

CNA Affected

[
  {
    "product": "Welch Allyn Q-Stress Cardiac Stress Testing System",
    "vendor": "Hillrom",
    "versions": [
      {
        "lessThanOrEqual": "6.3.1",
        "status": "affected",
        "version": "6.0.0",
        "versionType": "custom"
      }
    ]
  },
  {
    "product": "Welch Allyn X-Scribe Cardiac Stress Testing System",
    "vendor": "Hillrom",
    "versions": [
      {
        "lessThanOrEqual": "6.3.1",
        "status": "affected",
        "version": "5.01",
        "versionType": "custom"
      }
    ]
  },
  {
    "product": "Welch Allyn Diagnostic Cardiology Suite",
    "vendor": "Hillrom",
    "versions": [
      {
        "status": "affected",
        "version": "2.1.0"
      }
    ]
  },
  {
    "product": "Welch Allyn Vision Express",
    "vendor": "Hillrom",
    "versions": [
      {
        "lessThanOrEqual": "6.4.0",
        "status": "affected",
        "version": "6.1.0",
        "versionType": "custom"
      }
    ]
  },
  {
    "product": "Welch Allyn H-Scribe Holter Analysis System",
    "vendor": "Hillrom",
    "versions": [
      {
        "lessThanOrEqual": "6.4.0",
        "status": "affected",
        "version": "5.01",
        "versionType": "custom"
      }
    ]
  },
  {
    "product": "Welch Allyn R-Scribe Resting ECG System",
    "vendor": "Hillrom",
    "versions": [
      {
        "lessThanOrEqual": "7.0.0",
        "status": "affected",
        "version": "5.01",
        "versionType": "custom"
      }
    ]
  },
  {
    "product": "Welch Allyn Connex Cardio",
    "vendor": "Hillrom",
    "versions": [
      {
        "lessThanOrEqual": "1.1.1",
        "status": "affected",
        "version": "1.0.0",
        "versionType": "custom"
      }
    ]
  }
]

References

www.cisa.gov/uscert/ics/advisories/icsma-21-343-01

6.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.3 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

57.1%

JSON

Related for CVE-2021-43935

nvd1 cvelist1 ics1 prion1