Lucene search

IcscertCVELIST:CVE-2021-27428

HistoryMar 23, 2022 - 7:46 p.m.

CVE-2021-27428 GE UR family Unrestricted Upload of File with Dangerous Type

2022-03-2319:46:25

CWE-434

icscert

www.cve.org

cve-2021-27428

ge ur

unrestricted upload

dangerous file

firmware upgrade

enervista ur setup

illegitimate user

firmware version 8.10

information security

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.6

Confidence

High

EPSS

0.002

Percentile

59.5%

JSON

GE UR IED firmware versions prior to version 8.1x supports upgrading firmware using UR Setup configuration tool – Enervista UR Setup. This UR Setup tool validates the authenticity and integrity of firmware file before uploading the UR IED. An illegitimate user could upgrade firmware without appropriate privileges. The weakness is assessed, and mitigation is implemented in firmware Version 8.10.

CNA Affected

[
  {
    "product": "UR family",
    "vendor": "GE",
    "versions": [
      {
        "lessThan": "8.1x",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  }
]

References

www.cisa.gov/uscert/ics/advisories/icsa-21-075-02

www.gegridsolutions.com/Passport/Login.aspx

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.6

Confidence

High

EPSS

0.002

Percentile

59.5%

JSON

Related for CVELIST:CVE-2021-27428