Lucene search

IcscertCVELIST:CVE-2021-44477

HistoryMar 25, 2022 - 6:02 p.m.

CVE-2021-44477 GE Gas Power ToolBoxST Improper Restriction of XML External Entity Reference

2022-03-2518:02:29

CWE-611

icscert

www.cve.org

ge gas power toolboxst

xml external entity

xxe

vulnerability

dtd parameter entities

oob attack

xml parser

sanitization

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS

0.002

Percentile

57.5%

JSON

GE Gas Power ToolBoxST Version v04.07.05C suffers from an XML external entity (XXE) vulnerability using the DTD parameter entities technique that could result in disclosure and retrieval of arbitrary data on the affected node via an out-of-band (OOB) attack. The vulnerability is triggered when input passed to the XML parser is not sanitized while parsing the XML project/template file.

CNA Affected

[
  {
    "product": "ToolBoxST",
    "vendor": "GE Gas Power",
    "versions": [
      {
        "lessThan": "07.09.07C",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  }
]

References

www.cisa.gov/uscert/ics/advisories/icsa-22-025-01

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS

0.002

Percentile

57.5%

JSON

Related for CVELIST:CVE-2021-44477