cvelist | TR-CERT | CVELIST:CVE-2021-44793
History: Jan 27, 2022 - 12:27 p.m.

CVE-2021-44793 Information Leakage via Unauthorized Access in Single Connect

2022-01-27 12:27:13
CWE-862
TR-CERT
www.cve.org
single connect
authorization check
remote attacker
device configuration
data export
sensitive information
database credentials
command execution

CVSS3: 8.6

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: LOW
Availability Impact: LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

AI Score: 8.7
Confidence: High
EPSS: 0.003
Percentile: 66.1%

Single Connect does not perform an authorization check when using the "sc-reports-ui" module. A remote attacker could exploit this vulnerability to access the device configuration page and export the data to an external file. Exploitation of this vulnerability might allow a remote attacker to obtain sensitive information, including the database credentials. Since the database runs with high privileges, it is possible to execute commands with the obtained credentials.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Single Connect",
    "vendor": "Kron",
    "versions": [
      {
        "lessThan": "2.16",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  }
]
