CVE-2021-32985

AVEVA System Platform versions 2017 through 2020 R2 P01 does not properly verify that the source of data or communication is valid.

CVSS v3 7.2 HIGH
CVSS v2.0 6.5 MEDIUM

7.2^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.2 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

6.5^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:S/C:P/I:P/A:P

Exploitability : 8.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://www.aveva.com/content/dam/aveva/documents/support/cyber-security-updates/SecurityBulletin_AVEVA-2021-002.pdf	Vendor Advisory
https://www.cisa.gov/uscert/ics/advisories/icsa-21-180-05	Third Party Advisory US Government Resource

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:aveva:system_platform::::::::
	cpe:2.3:a:aveva:system_platform:2020:-::::::
	cpe:2.3:a:aveva:system_platform:2020:r2::::::
	cpe:2.3:a:aveva:system_platform:2020:r2_p01::::::

History

13 Apr 2022, 12:49

Type	Values Removed	Values Added
CPE		cpe:2.3:a:aveva:system_platform:2020:r2:::::: cpe:2.3:a:aveva:system_platform:2020:-:::::: cpe:2.3:a:aveva:system_platform:::::::: cpe:2.3:a:aveva:system_platform:2020:r2_p01::::::
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : 6.5 v3 : 7.2
First Time		Aveva Aveva system Platform
CWE		CWE-346
References	~~(CONFIRM) https://www.aveva.com/content/dam/aveva/documents/support/cyber-security-updates/SecurityBulletin_AVEVA-2021-002.pdf -~~	(CONFIRM) https://www.aveva.com/content/dam/aveva/documents/support/cyber-security-updates/SecurityBulletin_AVEVA-2021-002.pdf - Vendor Advisory
References	~~(CONFIRM) https://www.cisa.gov/uscert/ics/advisories/icsa-21-180-05 -~~	(CONFIRM) https://www.cisa.gov/uscert/ics/advisories/icsa-21-180-05 - Third Party Advisory, US Government Resource

04 Apr 2022, 20:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2022-04-04 20:15

Updated : 2023-12-10 14:22

NVD link : CVE-2021-32985

Mitre link : CVE-2021-32985

CVE.ORG link : CVE-2021-32985

JSON object : View

Products Affected

aveva

system_platform

CWE

CWE-346

Origin Validation Error

{"id": "CVE-2021-32985", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.2}, {"type": "Secondary", "source": "ics-cert@hq.dhs.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.2}]}, "published": "2022-04-04T20:15:09.150", "references": [{"url": "https://www.aveva.com/content/dam/aveva/documents/support/cyber-security-updates/SecurityBulletin_AVEVA-2021-002.pdf", "tags": ["Vendor Advisory"], "source": "ics-cert@hq.dhs.gov"}, {"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-180-05", "tags": ["Third Party Advisory", "US Government Resource"], "source": "ics-cert@hq.dhs.gov"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-346"}]}, {"type": "Secondary", "source": "ics-cert@hq.dhs.gov", "description": [{"lang": "en", "value": "CWE-346"}]}], "descriptions": [{"lang": "en", "value": "AVEVA System Platform versions 2017 through 2020 R2 P01 does not properly verify that the source of data or communication is valid."}, {"lang": "es", "value": "AVEVA System Platform versiones 2017 hasta 2020 R2 P01, no comprueba correctamente que la fuente de datos o comunicaci\u00f3n sea v\u00e1lida"}], "lastModified": "2022-04-13T12:49:59.053", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:aveva:system_platform:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E409D0B9-25EB-4591-9838-CED70D51925B", "versionEndExcluding": "2020", "versionStartIncluding": "2017"}, {"criteria": "cpe:2.3:a:aveva:system_platform:2020:-:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D47F4B07-B67F-4855-AED2-D17B0E76FA8A"}, {"criteria": "cpe:2.3:a:aveva:system_platform:2020:r2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1ED7E9C7-B882-4F57-B796-59A4F90EE185"}, {"criteria": "cpe:2.3:a:aveva:system_platform:2020:r2_p01:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "33D5FF9C-590D-4BA3-A265-35956E4F36DF"}], "operator": "OR"}]}], "sourceIdentifier": "ics-cert@hq.dhs.gov"}