Lucene search

IcscertCVELIST:CVE-2021-27424

HistoryMar 23, 2022 - 7:46 p.m.

CVE-2021-27424 GE UR family exposure of sensitive information to an unauthorized actor

2022-03-2319:46:25

CWE-200

icscert

www.cve.org

cve-2021-27424

ge ur

sensitive information

unauthorized access

modbus

firmware vulnerability

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

AI Score

5.7

Confidence

High

EPSS

0.001

Percentile

32.2%

JSON

GE UR firmware versions prior to version 8.1x shares MODBUS memory map as part of the communications guide. GE was made aware a “Last-key pressed” MODBUS register can be used to gain unauthorized information.

CNA Affected

[
  {
    "product": "UR family",
    "vendor": "GE",
    "versions": [
      {
        "lessThan": "8.1x",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  }
]

References

www.cisa.gov/uscert/ics/advisories/icsa-21-075-02

www.gegridsolutions.com/Passport/Login.aspx

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

AI Score

5.7

Confidence

High

EPSS

0.001

Percentile

32.2%

JSON

Related for CVELIST:CVE-2021-27424