cnvd - cnvd-2021-100377

cnvd-2021-100377

Vulnerability from cnvd

Title: SiPass integrated访问控制漏洞（CNVD-2021-100377）

Description:

SiPass integrated是一个访问控制系统。

SiPass integrated访问控制漏洞，受影响的应用程序对内部用户认证服务的访问限制不足。远程攻击者可利用该漏洞代表有效用户触发多个操作账户。

Severity: 高

Patch Name: SiPass integrated访问控制漏洞（CNVD-2021-100377）的补丁

Patch Description:

SiPass integrated是一个访问控制系统。

SiPass integrated访问控制漏洞，受影响的应用程序对内部用户认证服务的访问限制不足。远程攻击者可利用该漏洞代表有效用户触发多个操作账户。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description:

厂商已提供漏洞修补方案，请关注厂商主页及时更新： https://cert-portal.siemens.com/productcert/pdf/ssa-160202.pdf

Reference: https://cert-portal.siemens.com/productcert/pdf/ssa-160202.pdf

Impacted products

Name
['Siemens SiPass integrated V2.76', 'Siemens SiPass integrated V2.80', 'Siemens SiPass integrated V2.85']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2021-44524"
    }
  },
  "description": "SiPass integrated\u662f\u4e00\u4e2a\u8bbf\u95ee\u63a7\u5236\u7cfb\u7edf\u3002\n\nSiPass integrated\u8bbf\u95ee\u63a7\u5236\u6f0f\u6d1e\uff0c\u53d7\u5f71\u54cd\u7684\u5e94\u7528\u7a0b\u5e8f\u5bf9\u5185\u90e8\u7528\u6237\u8ba4\u8bc1\u670d\u52a1\u7684\u8bbf\u95ee\u9650\u5236\u4e0d\u8db3\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u4ee3\u8868\u6709\u6548\u7528\u6237\u89e6\u53d1\u591a\u4e2a\u64cd\u4f5c\u8d26\u6237\u3002",
  "formalWay": "\u5382\u5546\u5df2\u63d0\u4f9b\u6f0f\u6d1e\u4fee\u8865\u65b9\u6848\uff0c\u8bf7\u5173\u6ce8\u5382\u5546\u4e3b\u9875\u53ca\u65f6\u66f4\u65b0\uff1a\r\nhttps://cert-portal.siemens.com/productcert/pdf/ssa-160202.pdf",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2021-100377",
  "openTime": "2021-12-15",
  "patchDescription": "SiPass integrated\u662f\u4e00\u4e2a\u8bbf\u95ee\u63a7\u5236\u7cfb\u7edf\u3002\r\n\r\nSiPass integrated\u8bbf\u95ee\u63a7\u5236\u6f0f\u6d1e\uff0c\u53d7\u5f71\u54cd\u7684\u5e94\u7528\u7a0b\u5e8f\u5bf9\u5185\u90e8\u7528\u6237\u8ba4\u8bc1\u670d\u52a1\u7684\u8bbf\u95ee\u9650\u5236\u4e0d\u8db3\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u4ee3\u8868\u6709\u6548\u7528\u6237\u89e6\u53d1\u591a\u4e2a\u64cd\u4f5c\u8d26\u6237\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "SiPass integrated\u8bbf\u95ee\u63a7\u5236\u6f0f\u6d1e\uff08CNVD-2021-100377\uff09\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Siemens SiPass integrated V2.76",
      "Siemens SiPass integrated V2.80",
      "Siemens SiPass integrated V2.85"
    ]
  },
  "referenceLink": "https://cert-portal.siemens.com/productcert/pdf/ssa-160202.pdf",
  "serverity": "\u9ad8",
  "submitTime": "2021-12-15",
  "title": "SiPass integrated\u8bbf\u95ee\u63a7\u5236\u6f0f\u6d1e\uff08CNVD-2021-100377\uff09"
}

CVE-2021-44524 (GCVE-0-2021-44524)

Vulnerability from cvelistv5

Published

2021-12-14 12:07

Modified

2024-08-04 04:25

Severity ?

CWE

CWE-668 - Exposure of Resource to Wrong Sphere

Summary

A vulnerability has been identified in SiPass integrated V2.76 (All versions), SiPass integrated V2.80 (All versions), SiPass integrated V2.85 (All versions), Siveillance Identity V1.5 (All versions), Siveillance Identity V1.6 (All versions < V1.6.284.0). Affected applications insufficiently limit the access to the internal user authentication service. This could allow an unauthenticated remote attacker to trigger several actions on behalf of valid user accounts.

References

▼	URL	Tags
	https://cert-portal.siemens.com/productcert/pdf/ssa-463116.pdf	x_refsource_MISC
	https://cert-portal.siemens.com/productcert/pdf/ssa-160202.pdf	x_refsource_MISC

Impacted products

Vendor

Product

Version

▼

Siemens

SiPass integrated V2.76

Version: All versions

Siemens	SiPass integrated V2.80	Version: All versions
Siemens	SiPass integrated V2.85	Version: All versions
Siemens	Siveillance Identity V1.5	Version: All versions
Siemens	Siveillance Identity V1.6	Version: All versions < V1.6.284.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T04:25:16.779Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-463116.pdf"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-160202.pdf"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "SiPass integrated V2.76",
          "vendor": "Siemens",
          "versions": [
            {
              "status": "affected",
              "version": "All versions"
            }
          ]
        },
        {
          "product": "SiPass integrated V2.80",
          "vendor": "Siemens",
          "versions": [
            {
              "status": "affected",
              "version": "All versions"
            }
          ]
        },
        {
          "product": "SiPass integrated V2.85",
          "vendor": "Siemens",
          "versions": [
            {
              "status": "affected",
              "version": "All versions"
            }
          ]
        },
        {
          "product": "Siveillance Identity V1.5",
          "vendor": "Siemens",
          "versions": [
            {
              "status": "affected",
              "version": "All versions"
            }
          ]
        },
        {
          "product": "Siveillance Identity V1.6",
          "vendor": "Siemens",
          "versions": [
            {
              "status": "affected",
              "version": "All versions \u003c V1.6.284.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability has been identified in SiPass integrated V2.76 (All versions), SiPass integrated V2.80 (All versions), SiPass integrated V2.85 (All versions), Siveillance Identity V1.5 (All versions), Siveillance Identity V1.6 (All versions \u003c V1.6.284.0). Affected applications insufficiently limit the access to the internal user authentication service. This could allow an unauthenticated remote attacker to trigger several actions on behalf of valid user accounts."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-668",
              "description": "CWE-668: Exposure of Resource to Wrong Sphere",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-12-14T12:07:11",
        "orgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77",
        "shortName": "siemens"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-463116.pdf"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-160202.pdf"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "productcert@siemens.com",
          "ID": "CVE-2021-44524",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "SiPass integrated V2.76",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "All versions"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "SiPass integrated V2.80",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "All versions"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "SiPass integrated V2.85",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "All versions"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "Siveillance Identity V1.5",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "All versions"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "Siveillance Identity V1.6",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "All versions \u003c V1.6.284.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Siemens"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A vulnerability has been identified in SiPass integrated V2.76 (All versions), SiPass integrated V2.80 (All versions), SiPass integrated V2.85 (All versions), Siveillance Identity V1.5 (All versions), Siveillance Identity V1.6 (All versions \u003c V1.6.284.0). Affected applications insufficiently limit the access to the internal user authentication service. This could allow an unauthenticated remote attacker to trigger several actions on behalf of valid user accounts."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-668: Exposure of Resource to Wrong Sphere"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://cert-portal.siemens.com/productcert/pdf/ssa-463116.pdf",
              "refsource": "MISC",
              "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-463116.pdf"
            },
            {
              "name": "https://cert-portal.siemens.com/productcert/pdf/ssa-160202.pdf",
              "refsource": "MISC",
              "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-160202.pdf"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77",
    "assignerShortName": "siemens",
    "cveId": "CVE-2021-44524",
    "datePublished": "2021-12-14T12:07:11",
    "dateReserved": "2021-12-02T00:00:00",
    "dateUpdated": "2024-08-04T04:25:16.779Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted