Vulnerability-Lookup

CVE-2021-33723 (GCVE-0-2021-33723)

Vulnerability from cvelistv5 – Published: 2021-10-12 09:49 – Updated: 2024-08-03 23:58

Summary

A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP2 Update 1). An authenticated attacker could change the user profile of any user without proper authorization. With this, the attacker could change the password of any user in the affected system.

Severity ?

No CVSS data available.

CWE

CWE-285 - Improper Authorization

Assigner

siemens

References

URL

	Vendor	Product	Version
	Siemens	SINEC NMS	Affected: All versions < V1.0 SP2 Update 1

GSD-2021-33723

Vulnerability from gsd - Updated: 2023-12-13 01:23

Details

Aliases

CVE-2021-33723

Aliases

CVE-2021-33723

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2021-33723",
    "description": "A vulnerability has been identified in SINEC NMS (All versions \u003c V1.0 SP2 Update 1). An authenticated attacker could change the user profile of any user without proper authorization. With this, the attacker could change the password of any user in the affected system.",
    "id": "GSD-2021-33723"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2021-33723"
      ],
      "details": "A vulnerability has been identified in SINEC NMS (All versions \u003c V1.0 SP2 Update 1). An authenticated attacker could change the user profile of any user without proper authorization. With this, the attacker could change the password of any user in the affected system.",
      "id": "GSD-2021-33723",
      "modified": "2023-12-13T01:23:18.899586Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "productcert@siemens.com",
        "ID": "CVE-2021-33723",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "SINEC NMS",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "All versions \u003c V1.0 SP2 Update 1"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Siemens"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "A vulnerability has been identified in SINEC NMS (All versions \u003c V1.0 SP2 Update 1). An authenticated attacker could change the user profile of any user without proper authorization. With this, the attacker could change the password of any user in the affected system."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-285: Improper Authorization"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://cert-portal.siemens.com/productcert/pdf/ssa-163251.pdf",
            "refsource": "MISC",
            "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-163251.pdf"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:siemens:sinec_nms:1.0:sp1:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:siemens:sinec_nms:1.0:-:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:siemens:sinec_nms:1.0:sp2:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:siemens:sinec_nms:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "1.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "productcert@siemens.com",
          "ID": "CVE-2021-33723"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "A vulnerability has been identified in SINEC NMS (All versions \u003c V1.0 SP2 Update 1). An authenticated attacker could change the user profile of any user without proper authorization. With this, the attacker could change the password of any user in the affected system."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "NVD-CWE-Other"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://cert-portal.siemens.com/productcert/pdf/ssa-163251.pdf",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Vendor Advisory"
              ],
              "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-163251.pdf"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "availabilityImpact": "NONE",
            "baseScore": 4.0,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 8.0,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 3.6
        }
      },
      "lastModifiedDate": "2022-10-27T13:03Z",
      "publishedDate": "2021-10-12T10:15Z"
    }
  }
}

GHSA-PMR7-G2C9-7XHW

Vulnerability from github – Published: 2022-05-24 19:17 – Updated: 2022-10-27 19:00

Details

Severity ?

6.5 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2021-33723"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-285"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-10-12T10:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability has been identified in SINEC NMS (All versions \u003c V1.0 SP2 Update 1). An authenticated attacker could change the user profile of any user without proper authorization. With this, the attacker could change the password of any user in the affected system.",
  "id": "GHSA-pmr7-g2c9-7xhw",
  "modified": "2022-10-27T19:00:39Z",
  "published": "2022-05-24T19:17:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33723"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-163251.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

CNVD-2021-77590

Vulnerability from cnvd - Published: 2021-10-15

Title

Siemens SINEC NMS用户配置文件更改漏洞

Description

SINEC NMS是Siemens推出的用于监控和管理工业网络的网络管理系统。 SINEC NMS 1.0 SP2 Update 1之前版本存在用户配置文件更改漏洞。攻击者可利用该漏洞在未经适当授权的情况下更改任何用户的用户配置文件，从而可更改受影响系统中任何用户的密码。

Severity

高

Patch Name

Siemens SINEC NMS用户配置文件更改漏洞的补丁

Patch Description

SINEC NMS是Siemens推出的用于监控和管理工业网络的网络管理系统。 SINEC NMS 1.0 SP2 Update 1之前版本存在用户配置文件更改漏洞。攻击者可利用该漏洞在未经适当授权的情况下更改任何用户的用户配置文件，从而可更改受影响系统中任何用户的密码。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://cert-portal.siemens.com/productcert/pdf/ssa-163251.pdf

Reference

https://nvd.nist.gov/vuln/detail/CVE-2021-33723

Impacted products

Name
Siemens SINEC NMS <1.0 SP2 Update 1

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2021-33723",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2021-33723"
    }
  },
  "description": "SINEC NMS\u662fSiemens\u63a8\u51fa\u7684\u7528\u4e8e\u76d1\u63a7\u548c\u7ba1\u7406\u5de5\u4e1a\u7f51\u7edc\u7684\u7f51\u7edc\u7ba1\u7406\u7cfb\u7edf\u3002\n\nSINEC NMS 1.0 SP2 Update 1\u4e4b\u524d\u7248\u672c\u5b58\u5728\u7528\u6237\u914d\u7f6e\u6587\u4ef6\u66f4\u6539\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5728\u672a\u7ecf\u9002\u5f53\u6388\u6743\u7684\u60c5\u51b5\u4e0b\u66f4\u6539\u4efb\u4f55\u7528\u6237\u7684\u7528\u6237\u914d\u7f6e\u6587\u4ef6\uff0c\u4ece\u800c\u53ef\u66f4\u6539\u53d7\u5f71\u54cd\u7cfb\u7edf\u4e2d\u4efb\u4f55\u7528\u6237\u7684\u5bc6\u7801\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://cert-portal.siemens.com/productcert/pdf/ssa-163251.pdf",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2021-77590",
  "openTime": "2021-10-15",
  "patchDescription": "SINEC NMS\u662fSiemens\u63a8\u51fa\u7684\u7528\u4e8e\u76d1\u63a7\u548c\u7ba1\u7406\u5de5\u4e1a\u7f51\u7edc\u7684\u7f51\u7edc\u7ba1\u7406\u7cfb\u7edf\u3002\r\n\r\nSINEC NMS 1.0 SP2 Update 1\u4e4b\u524d\u7248\u672c\u5b58\u5728\u7528\u6237\u914d\u7f6e\u6587\u4ef6\u66f4\u6539\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5728\u672a\u7ecf\u9002\u5f53\u6388\u6743\u7684\u60c5\u51b5\u4e0b\u66f4\u6539\u4efb\u4f55\u7528\u6237\u7684\u7528\u6237\u914d\u7f6e\u6587\u4ef6\uff0c\u4ece\u800c\u53ef\u66f4\u6539\u53d7\u5f71\u54cd\u7cfb\u7edf\u4e2d\u4efb\u4f55\u7528\u6237\u7684\u5bc6\u7801\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Siemens SINEC NMS\u7528\u6237\u914d\u7f6e\u6587\u4ef6\u66f4\u6539\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Siemens SINEC NMS \u003c1.0 SP2 Update 1"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2021-33723",
  "serverity": "\u9ad8",
  "submitTime": "2021-10-13",
  "title": "Siemens SINEC NMS\u7528\u6237\u914d\u7f6e\u6587\u4ef6\u66f4\u6539\u6f0f\u6d1e"
}

CERTFR-2021-AVI-774

Vulnerability from certfr_avis - Published: 2021-10-12 - Updated: 2021-10-12

De multiples vulnérabilités ont été découvertes dans les produits Siemens. Elles permettent à un attaquant de provoquer un contournement de la politique de sécurité, une atteinte à l'intégrité des données et une atteinte à la confidentialité des données.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
Siemens	N/A	SCALANCE W1750D
Siemens	N/A	SINUMERIK 828D
Siemens	N/A	SIMATIC Process Historian 2014
Siemens	N/A	SIMATIC Process Historian 2013 and earlier
Siemens	N/A	RUGGEDCOM ROX MX5000, RX1400, RX1500, RX1501, RX1510, RX1511, RX1512, RX1524, RX1536, RX5000 versions antérieures à 2.14.1
Siemens	N/A	SINEC NMS versions antérieures à V1.0 SP2 Update 1
Siemens	N/A	SIMATIC Process Historian 2020
Siemens	N/A	SIMATIC Process Historian 2019
Siemens	N/A	SINUMERIK 808D

References

Title

Publication Time

Tags

Bulletin de sécurité Siemens ssa-163251 du 12 octobre 2021	None	vendor-advisory
Bulletin de sécurité Siemens ssa-766247 du 12 octobre 2021	None	vendor-advisory
Bulletin de sécurité Siemens ssa-173565 du 12 octobre 2021	None	vendor-advisory
Bulletin de sécurité Siemens ssa-280624 du 12 octobre 2021	None	vendor-advisory
Bulletin de sécurité Siemens ssa-178380 du 12 octobre 2021	None	vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "SCALANCE W1750D",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Siemens",
          "scada": true
        }
      }
    },
    {
      "description": "SINUMERIK 828D",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Siemens",
          "scada": true
        }
      }
    },
    {
      "description": "SIMATIC Process Historian 2014",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Siemens",
          "scada": true
        }
      }
    },
    {
      "description": "SIMATIC Process Historian 2013 and earlier",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Siemens",
          "scada": true
        }
      }
    },
    {
      "description": "RUGGEDCOM ROX MX5000, RX1400, RX1500, RX1501, RX1510, RX1511, RX1512, RX1524, RX1536, RX5000 versions ant\u00e9rieures \u00e0 2.14.1",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Siemens",
          "scada": true
        }
      }
    },
    {
      "description": "SINEC NMS versions ant\u00e9rieures \u00e0 V1.0 SP2 Update 1",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Siemens",
          "scada": true
        }
      }
    },
    {
      "description": "SIMATIC Process Historian 2020",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Siemens",
          "scada": true
        }
      }
    },
    {
      "description": "SIMATIC Process Historian 2019",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Siemens",
          "scada": true
        }
      }
    },
    {
      "description": "SINUMERIK 808D",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Siemens",
          "scada": true
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2021-33724",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-33724"
    },
    {
      "name": "CVE-2021-33736",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-33736"
    },
    {
      "name": "CVE-2021-37721",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-37721"
    },
    {
      "name": "CVE-2021-37723",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-37723"
    },
    {
      "name": "CVE-2021-33732",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-33732"
    },
    {
      "name": "CVE-2021-33725",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-33725"
    },
    {
      "name": "CVE-2021-37728",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-37728"
    },
    {
      "name": "CVE-2021-37731",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-37731"
    },
    {
      "name": "CVE-2021-37724",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-37724"
    },
    {
      "name": "CVE-2021-37199",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-37199"
    },
    {
      "name": "CVE-2021-33729",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-33729"
    },
    {
      "name": "CVE-2021-33728",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-33728"
    },
    {
      "name": "CVE-2021-37722",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-37722"
    },
    {
      "name": "CVE-2021-37720",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-37720"
    },
    {
      "name": "CVE-2021-33722",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-33722"
    },
    {
      "name": "CVE-2021-33734",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-33734"
    },
    {
      "name": "CVE-2019-5318",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-5318"
    },
    {
      "name": "CVE-2021-33730",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-33730"
    },
    {
      "name": "CVE-2020-37719",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-37719"
    },
    {
      "name": "CVE-2021-27395",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-27395"
    },
    {
      "name": "CVE-2021-37718",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-37718"
    },
    {
      "name": "CVE-2021-33735",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-33735"
    },
    {
      "name": "CVE-2021-33733",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-33733"
    },
    {
      "name": "CVE-2021-33731",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-33731"
    },
    {
      "name": "CVE-2021-33727",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-33727"
    },
    {
      "name": "CVE-2021-33723",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-33723"
    },
    {
      "name": "CVE-2021-37725",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-37725"
    },
    {
      "name": "CVE-2021-37729",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-37729"
    },
    {
      "name": "CVE-2021-37717",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-37717"
    },
    {
      "name": "CVE-2021-37733",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-37733"
    },
    {
      "name": "CVE-2021-33726",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-33726"
    },
    {
      "name": "CVE-2021-37716",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-37716"
    },
    {
      "name": "CVE-2021-41546",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-41546"
    }
  ],
  "initial_release_date": "2021-10-12T00:00:00",
  "last_revision_date": "2021-10-12T00:00:00",
  "links": [],
  "reference": "CERTFR-2021-AVI-774",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2021-10-12T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "D\u00e9ni de service \u00e0 distance"
    },
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits\nSiemens. Elles permettent \u00e0 un attaquant de provoquer un contournement\nde la politique de s\u00e9curit\u00e9, une atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es et\nune atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Siemens",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-163251 du 12 octobre 2021",
      "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-163251.pdf"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-766247 du 12 octobre 2021",
      "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-766247.pdf"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-173565 du 12 octobre 2021",
      "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-173565.pdf"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-280624 du 12 octobre 2021",
      "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-280624.pdf"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-178380 du 12 octobre 2021",
      "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-178380.pdf"
    }
  ]
}

FKIE_CVE-2021-33723

Vulnerability from fkie_nvd - Published: 2021-10-12 10:15 - Updated: 2024-11-21 06:09

Severity ?

6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Summary

References

	URL	Tags
	productcert@siemens.com	https://cert-portal.siemens.com/productcert/pdf/ssa-163251.pdf	Patch, Vendor Advisory
	af854a3a-2127-422b-91ae-364da2661108	https://cert-portal.siemens.com/productcert/pdf/ssa-163251.pdf	Patch, Vendor Advisory

Impacted products

Vendor	Product	Version
siemens	sinec_nms	*
siemens	sinec_nms	1.0
siemens	sinec_nms	1.0
siemens	sinec_nms	1.0

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:siemens:sinec_nms:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "2B59D696-F272-40DA-8DC6-423D9E5026C0",
              "versionEndExcluding": "1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:siemens:sinec_nms:1.0:-:*:*:*:*:*:*",
              "matchCriteriaId": "4ED13FC8-63C0-42C6-A51C-C480C45327C2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:siemens:sinec_nms:1.0:sp1:*:*:*:*:*:*",
              "matchCriteriaId": "E68FE047-8F53-46B8-82D4-9342B1C8CA55",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:siemens:sinec_nms:1.0:sp2:*:*:*:*:*:*",
              "matchCriteriaId": "5F2C66EC-5A29-4B92-AEDB-7DB8A5CA7391",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A vulnerability has been identified in SINEC NMS (All versions \u003c V1.0 SP2 Update 1). An authenticated attacker could change the user profile of any user without proper authorization. With this, the attacker could change the password of any user in the affected system."
    },
    {
      "lang": "es",
      "value": "Se ha identificado una vulnerabilidad en SINEC NMS (Todas las versiones anteriores a V1.0 SP2 Update 1). Un atacante autenticado podr\u00eda cambiar el perfil de usuario de cualquier usuario sin la debida autorizaci\u00f3n. Con esto, el atacante podr\u00eda cambiar la contrase\u00f1a de cualquier usuario en el sistema afectado"
    }
  ],
  "id": "CVE-2021-33723",
  "lastModified": "2024-11-21T06:09:27.063",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "NONE",
          "baseScore": 4.0,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2021-10-12T10:15:11.767",
  "references": [
    {
      "source": "productcert@siemens.com",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-163251.pdf"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-163251.pdf"
    }
  ],
  "sourceIdentifier": "productcert@siemens.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-285"
        }
      ],
      "source": "productcert@siemens.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-Other"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2021-33723 (GCVE-0-2021-33723)

GSD-2021-33723

GHSA-PMR7-G2C9-7XHW

CNVD-2021-77590

CERTFR-2021-AVI-774

Solution

FKIE_CVE-2021-33723

Tags

Sightings

Nomenclature