CVE-2021-42796

An issue was discovered in ExecuteCommand() in AVEVA Edge (formerly InduSoft Web Studio) versions R2020 and prior that allows unauthenticated arbitrary commands to be executed.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://www.aveva.com/en/products/edge/	Product
https://www.cisa.gov/news-events/ics-advisories/icsa-22-326-01	Third Party Advisory US Government Resource

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:aveva:edge::::::::
	cpe:2.3:a:aveva:edge:2020:-::::::
	cpe:2.3:a:aveva:edge:2020:r2:-:::::*
	cpe:2.3:a:aveva:edge:2020:r2:sp1:::::*

History

20 Dec 2023, 17:32

Type	Values Removed	Values Added
CWE		NVD-CWE-Other
CPE		cpe:2.3:a:aveva:edge:2020:r2:-:::::* cpe:2.3:a:aveva:edge:2020:r2:sp1:::::* cpe:2.3:a:aveva:edge:::::::: cpe:2.3:a:aveva:edge:2020:-::::::
Summary		(es) Se descubrió un problema en ExecuteCommand() en las versiones R2020 y anteriores de AVEVA Edge (anteriormente InduSoft Web Studio) que permite ejecutar comandos arbitrarios no autenticados.
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.8
First Time		Aveva Aveva edge
References	~~() https://www.aveva.com/en/products/edge/ -~~	() https://www.aveva.com/en/products/edge/ - Product
References	~~() https://www.cisa.gov/news-events/ics-advisories/icsa-22-326-01 -~~	() https://www.cisa.gov/news-events/ics-advisories/icsa-22-326-01 - Third Party Advisory, US Government Resource

16 Dec 2023, 01:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-12-16 01:15

Updated : 2023-12-20 17:32

NVD link : CVE-2021-42796

Mitre link : CVE-2021-42796

CVE.ORG link : CVE-2021-42796

JSON object : View

Products Affected

aveva

edge

CWE

NVD-CWE-Other

9.8 /10