CVE-2021-33000

Parsing a maliciously crafted project file may cause a heap-based buffer overflow, which may allow an attacker to perform arbitrary code execution. User interaction is required on the WebAccess HMI Designer (versions 2.1.9.95 and prior).

CVSS v3 7.8 HIGH
CVSS v2.0 6.8 MEDIUM

7.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

6.8^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:N/C:P/I:P/A:P

Exploitability : 8.6 / Impact : 6.4

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://us-cert.cisa.gov/ics/advisories/icsa-21-173-01	Third Party Advisory US Government Resource

Configurations

Configuration 1 (hide)

cpe:2.3:a:advantech:webaccess\/hmi_designer:*:*:*:*:*:*:*:*

History

01 Jul 2021, 14:23

Type	Values Removed	Values Added
CPE	cpe:2.3:a:advantech:webaccess_hmi_designer::::::::	cpe:2.3:a:advantech:webaccess\/hmi_designer::::::::

01 Jul 2021, 12:13

Type	Values Removed	Values Added
CPE		cpe:2.3:a:advantech:webaccess_hmi_designer::::::::
CWE		CWE-787
References	~~(MISC) https://us-cert.cisa.gov/ics/advisories/icsa-21-173-01 -~~	(MISC) https://us-cert.cisa.gov/ics/advisories/icsa-21-173-01 - Third Party Advisory, US Government Resource
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : 6.8 v3 : 7.8

24 Jun 2021, 19:00

Type	Values Removed	Values Added
New CVE

Information

Published : 2021-06-24 18:15

Updated : 2023-12-10 13:55

NVD link : CVE-2021-33000

Mitre link : CVE-2021-33000

CVE.ORG link : CVE-2021-33000

JSON object : View

Products Affected

advantech

webaccess\/hmi_designer

CWE

CWE-787

Out-of-bounds Write

CWE-122

Heap-based Buffer Overflow

{"id": "CVE-2021-33000", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.8, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}]}, "published": "2021-06-24T18:15:08.540", "references": [{"url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-173-01", "tags": ["Third Party Advisory", "US Government Resource"], "source": "ics-cert@hq.dhs.gov"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-787"}]}, {"type": "Secondary", "source": "ics-cert@hq.dhs.gov", "description": [{"lang": "en", "value": "CWE-122"}]}], "descriptions": [{"lang": "en", "value": "Parsing a maliciously crafted project file may cause a heap-based buffer overflow, which may allow an attacker to perform arbitrary code execution. User interaction is required on the WebAccess HMI Designer (versions 2.1.9.95 and prior)."}, {"lang": "es", "value": "El an\u00e1lisis de un archivo de proyecto dise\u00f1ado maliciosamente puede causar un desbordamiento del b\u00fafer en la regi\u00f3n heap de la memoria, que puede permitir a un atacante llevar a cabo una ejecuci\u00f3n de c\u00f3digo arbitraria. Es requerida una interacci\u00f3n del usuario en el WebAccess HMI Designer (versiones 2.1.9.95 y anteriores)"}], "lastModified": "2021-07-01T14:23:19.910", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:advantech:webaccess\\/hmi_designer:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DC322A77-7FDB-4E68-B64B-2FD98FD75316", "versionEndIncluding": "2.1.9.95"}], "operator": "OR"}]}], "sourceIdentifier": "ics-cert@hq.dhs.gov"}