cvelistv5 - cve-2021-38402

cve-2021-38402

Vulnerability from cvelistv5

Published

2021-09-17 18:54

Modified

2025-04-23 19:27

Severity ?

7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Summary

References

▼	URL	Tags
	ics-cert@hq.dhs.gov	https://us-cert.cisa.gov/ics/advisories/icsa-21-252-02	Third Party Advisory, US Government Resource
	af854a3a-2127-422b-91ae-364da2661108	https://us-cert.cisa.gov/ics/advisories/icsa-21-252-02	Third Party Advisory, US Government Resource

Impacted products

	Vendor	Product	Version
	Delta Electronics	DOPSoft 2	Version: unspecified <

Show details on NVD website

JSON

To clipboard

{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-04T01:37:16.542Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://us-cert.cisa.gov/ics/advisories/icsa-21-252-02",
               },
            ],
            title: "CVE Program Container",
         },
         {
            metrics: [
               {
                  other: {
                     content: {
                        id: "CVE-2021-38402",
                        options: [
                           {
                              Exploitation: "none",
                           },
                           {
                              Automatable: "no",
                           },
                           {
                              "Technical Impact": "total",
                           },
                        ],
                        role: "CISA Coordinator",
                        timestamp: "2025-04-23T13:16:44.645908Z",
                        version: "2.0.3",
                     },
                     type: "ssvc",
                  },
               },
            ],
            providerMetadata: {
               dateUpdated: "2025-04-23T19:27:44.541Z",
               orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0",
               shortName: "CISA-ADP",
            },
            title: "CISA ADP Vulnrichment",
         },
      ],
      cna: {
         affected: [
            {
               product: "DOPSoft 2",
               vendor: "Delta Electronics",
               versions: [
                  {
                     lessThanOrEqual: "2.00.07",
                     status: "affected",
                     version: "unspecified",
                     versionType: "custom",
                  },
               ],
            },
         ],
         credits: [
            {
               lang: "en",
               value: "kimiya, working with Trend Micro’s Zero Day Initiative",
            },
         ],
         datePublic: "2021-09-09T00:00:00.000Z",
         descriptions: [
            {
               lang: "en",
               value: "Delta Electronic DOPSoft 2 (Version 2.00.07 and prior) lacks proper validation of user-supplied data when parsing specific project files. This could lead to a stack-based buffer overflow while trying to copy to a buffer during font string handling. An attacker could leverage this vulnerability to execute code in the context of the current process.",
            },
         ],
         metrics: [
            {
               cvssV3_1: {
                  attackComplexity: "LOW",
                  attackVector: "LOCAL",
                  availabilityImpact: "HIGH",
                  baseScore: 7.8,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "HIGH",
                  integrityImpact: "HIGH",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "REQUIRED",
                  vectorString: "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                  version: "3.1",
               },
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-121",
                     description: "CWE-121 Stack-based Buffer Overflow",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2021-09-17T18:54:37.000Z",
            orgId: "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
            shortName: "icscert",
         },
         references: [
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://us-cert.cisa.gov/ics/advisories/icsa-21-252-02",
            },
         ],
         solutions: [
            {
               lang: "en",
               value: "DOPSoft 2 will not receive an update to mitigate these vulnerabilities because it is an end-of-life product. Delta Electronics recommends users to switch to the replacement software when available",
            },
         ],
         source: {
            advisory: "ICSA-21-252-02",
            discovery: "UNKNOWN",
         },
         title: "Delta Electronics DOPSoft 2 Stack-Based Buffer Overflow",
         x_generator: {
            engine: "Vulnogram 0.0.9",
         },
         x_legacyV4Record: {
            CVE_data_meta: {
               ASSIGNER: "ics-cert@hq.dhs.gov",
               DATE_PUBLIC: "2021-09-09T14:34:00.000Z",
               ID: "CVE-2021-38402",
               STATE: "PUBLIC",
               TITLE: "Delta Electronics DOPSoft 2 Stack-Based Buffer Overflow",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "DOPSoft 2",
                                 version: {
                                    version_data: [
                                       {
                                          version_affected: "<=",
                                          version_value: "2.00.07",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "Delta Electronics",
                     },
                  ],
               },
            },
            credit: [
               {
                  lang: "eng",
                  value: "kimiya, working with Trend Micro’s Zero Day Initiative",
               },
            ],
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "Delta Electronic DOPSoft 2 (Version 2.00.07 and prior) lacks proper validation of user-supplied data when parsing specific project files. This could lead to a stack-based buffer overflow while trying to copy to a buffer during font string handling. An attacker could leverage this vulnerability to execute code in the context of the current process.",
                  },
               ],
            },
            generator: {
               engine: "Vulnogram 0.0.9",
            },
            impact: {
               cvss: {
                  attackComplexity: "LOW",
                  attackVector: "LOCAL",
                  availabilityImpact: "HIGH",
                  baseScore: 7.8,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "HIGH",
                  integrityImpact: "HIGH",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "REQUIRED",
                  vectorString: "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                  version: "3.1",
               },
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "CWE-121 Stack-based Buffer Overflow",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "https://us-cert.cisa.gov/ics/advisories/icsa-21-252-02",
                     refsource: "MISC",
                     url: "https://us-cert.cisa.gov/ics/advisories/icsa-21-252-02",
                  },
               ],
            },
            solution: [
               {
                  lang: "en",
                  value: "DOPSoft 2 will not receive an update to mitigate these vulnerabilities because it is an end-of-life product. Delta Electronics recommends users to switch to the replacement software when available",
               },
            ],
            source: {
               advisory: "ICSA-21-252-02",
               discovery: "UNKNOWN",
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
      assignerShortName: "icscert",
      cveId: "CVE-2021-38402",
      datePublished: "2021-09-17T18:54:37.590Z",
      dateReserved: "2021-08-10T00:00:00.000Z",
      dateUpdated: "2025-04-23T19:27:44.541Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
   "vulnerability-lookup:meta": {
      nvd: "{\"cve\":{\"id\":\"CVE-2021-38402\",\"sourceIdentifier\":\"ics-cert@hq.dhs.gov\",\"published\":\"2021-09-17T19:15:08.570\",\"lastModified\":\"2024-11-21T06:17:00.567\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Delta Electronic DOPSoft 2 (Version 2.00.07 and prior) lacks proper validation of user-supplied data when parsing specific project files. This could lead to a stack-based buffer overflow while trying to copy to a buffer during font string handling. An attacker could leverage this vulnerability to execute code in the context of the current process.\"},{\"lang\":\"es\",\"value\":\"Delta Electronic DOPSoft 2 (versiones 2.00.07 y anteriores), no comprueba apropiadamente los datos suministrados por el usuario cuando analiza archivos de proyecto específicos. Esto podría conllevar a un desbordamiento del búfer en la región stack de la memoria mientras se intenta copiar en un búfer durante el manejo de la cadena de fuentes. Un atacante podría aprovechar esta vulnerabilidad para ejecutar código en el contexto del proceso actual\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"ics-cert@hq.dhs.gov\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\",\"baseScore\":7.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.9},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\",\"baseScore\":7.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:P/I:P/A:P\",\"baseScore\":6.8,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"ics-cert@hq.dhs.gov\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-121\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:deltaww:dopsoft:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.00\",\"versionEndIncluding\":\"2.00.07\",\"matchCriteriaId\":\"B5964F12-0B63-4F7B-AF5D-AB8035660CE2\"}]}]}],\"references\":[{\"url\":\"https://us-cert.cisa.gov/ics/advisories/icsa-21-252-02\",\"source\":\"ics-cert@hq.dhs.gov\",\"tags\":[\"Third Party Advisory\",\"US Government Resource\"]},{\"url\":\"https://us-cert.cisa.gov/ics/advisories/icsa-21-252-02\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"US Government Resource\"]}]}}",
      vulnrichment: {
         containers: "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://us-cert.cisa.gov/ics/advisories/icsa-21-252-02\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-04T01:37:16.542Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2021-38402\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-04-23T13:16:44.645908Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-04-23T13:16:46.052Z\"}}], \"cna\": {\"title\": \"Delta Electronics DOPSoft 2 Stack-Based Buffer Overflow\", \"source\": {\"advisory\": \"ICSA-21-252-02\", \"discovery\": \"UNKNOWN\"}, \"credits\": [{\"lang\": \"en\", \"value\": \"kimiya, working with Trend Micro\\u2019s Zero Day Initiative\"}], \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.8, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"Delta Electronics\", \"product\": \"DOPSoft 2\", \"versions\": [{\"status\": \"affected\", \"version\": \"unspecified\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"2.00.07\"}]}], \"solutions\": [{\"lang\": \"en\", \"value\": \"DOPSoft 2 will not receive an update to mitigate these vulnerabilities because it is an end-of-life product. Delta Electronics recommends users to switch to the replacement software when available\"}], \"datePublic\": \"2021-09-09T00:00:00.000Z\", \"references\": [{\"url\": \"https://us-cert.cisa.gov/ics/advisories/icsa-21-252-02\", \"tags\": [\"x_refsource_MISC\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.0.9\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Delta Electronic DOPSoft 2 (Version 2.00.07 and prior) lacks proper validation of user-supplied data when parsing specific project files. This could lead to a stack-based buffer overflow while trying to copy to a buffer during font string handling. An attacker could leverage this vulnerability to execute code in the context of the current process.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-121\", \"description\": \"CWE-121 Stack-based Buffer Overflow\"}]}], \"providerMetadata\": {\"orgId\": \"7d14cffa-0d7d-4270-9dc0-52cabd5a23a6\", \"shortName\": \"icscert\", \"dateUpdated\": \"2021-09-17T18:54:37.000Z\"}, \"x_legacyV4Record\": {\"credit\": [{\"lang\": \"eng\", \"value\": \"kimiya, working with Trend Micro\\u2019s Zero Day Initiative\"}], \"impact\": {\"cvss\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.8, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}, \"source\": {\"advisory\": \"ICSA-21-252-02\", \"discovery\": \"UNKNOWN\"}, \"affects\": {\"vendor\": {\"vendor_data\": [{\"product\": {\"product_data\": [{\"version\": {\"version_data\": [{\"version_value\": \"2.00.07\", \"version_affected\": \"<=\"}]}, \"product_name\": \"DOPSoft 2\"}]}, \"vendor_name\": \"Delta Electronics\"}]}}, \"solution\": [{\"lang\": \"en\", \"value\": \"DOPSoft 2 will not receive an update to mitigate these vulnerabilities because it is an end-of-life product. Delta Electronics recommends users to switch to the replacement software when available\"}], \"data_type\": \"CVE\", \"generator\": {\"engine\": \"Vulnogram 0.0.9\"}, \"references\": {\"reference_data\": [{\"url\": \"https://us-cert.cisa.gov/ics/advisories/icsa-21-252-02\", \"name\": \"https://us-cert.cisa.gov/ics/advisories/icsa-21-252-02\", \"refsource\": \"MISC\"}]}, \"data_format\": \"MITRE\", \"description\": {\"description_data\": [{\"lang\": \"eng\", \"value\": \"Delta Electronic DOPSoft 2 (Version 2.00.07 and prior) lacks proper validation of user-supplied data when parsing specific project files. This could lead to a stack-based buffer overflow while trying to copy to a buffer during font string handling. An attacker could leverage this vulnerability to execute code in the context of the current process.\"}]}, \"problemtype\": {\"problemtype_data\": [{\"description\": [{\"lang\": \"eng\", \"value\": \"CWE-121 Stack-based Buffer Overflow\"}]}]}, \"data_version\": \"4.0\", \"CVE_data_meta\": {\"ID\": \"CVE-2021-38402\", \"STATE\": \"PUBLIC\", \"TITLE\": \"Delta Electronics DOPSoft 2 Stack-Based Buffer Overflow\", \"ASSIGNER\": \"ics-cert@hq.dhs.gov\", \"DATE_PUBLIC\": \"2021-09-09T14:34:00.000Z\"}}}}",
         cveMetadata: "{\"cveId\": \"CVE-2021-38402\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-04-23T19:27:44.541Z\", \"dateReserved\": \"2021-08-10T00:00:00.000Z\", \"assignerOrgId\": \"7d14cffa-0d7d-4270-9dc0-52cabd5a23a6\", \"datePublished\": \"2021-09-17T18:54:37.590Z\", \"assignerShortName\": \"icscert\"}",
         dataType: "CVE_RECORD",
         dataVersion: "5.1",
      },
   },
}

fkie_cve-2021-38402

Vulnerability from fkie_nvd

Published

2021-09-17 19:15

Modified

2024-11-21 06:17

Severity ?

7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Summary

References

▼	URL	Tags
	ics-cert@hq.dhs.gov	https://us-cert.cisa.gov/ics/advisories/icsa-21-252-02	Third Party Advisory, US Government Resource
	af854a3a-2127-422b-91ae-364da2661108	https://us-cert.cisa.gov/ics/advisories/icsa-21-252-02	Third Party Advisory, US Government Resource

Impacted products

	Vendor	Product	Version
	deltaww	dopsoft	*

JSON

To clipboard

{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:deltaww:dopsoft:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "B5964F12-0B63-4F7B-AF5D-AB8035660CE2",
                     versionEndIncluding: "2.00.07",
                     versionStartIncluding: "2.00",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "Delta Electronic DOPSoft 2 (Version 2.00.07 and prior) lacks proper validation of user-supplied data when parsing specific project files. This could lead to a stack-based buffer overflow while trying to copy to a buffer during font string handling. An attacker could leverage this vulnerability to execute code in the context of the current process.",
      },
      {
         lang: "es",
         value: "Delta Electronic DOPSoft 2 (versiones 2.00.07 y anteriores), no comprueba apropiadamente los datos suministrados por el usuario cuando analiza archivos de proyecto específicos. Esto podría conllevar a un desbordamiento del búfer en la región stack de la memoria mientras se intenta copiar en un búfer durante el manejo de la cadena de fuentes. Un atacante podría aprovechar esta vulnerabilidad para ejecutar código en el contexto del proceso actual",
      },
   ],
   id: "CVE-2021-38402",
   lastModified: "2024-11-21T06:17:00.567",
   metrics: {
      cvssMetricV2: [
         {
            acInsufInfo: false,
            baseSeverity: "MEDIUM",
            cvssData: {
               accessComplexity: "MEDIUM",
               accessVector: "NETWORK",
               authentication: "NONE",
               availabilityImpact: "PARTIAL",
               baseScore: 6.8,
               confidentialityImpact: "PARTIAL",
               integrityImpact: "PARTIAL",
               vectorString: "AV:N/AC:M/Au:N/C:P/I:P/A:P",
               version: "2.0",
            },
            exploitabilityScore: 8.6,
            impactScore: 6.4,
            obtainAllPrivilege: false,
            obtainOtherPrivilege: false,
            obtainUserPrivilege: false,
            source: "nvd@nist.gov",
            type: "Primary",
            userInteractionRequired: true,
         },
      ],
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "LOCAL",
               availabilityImpact: "HIGH",
               baseScore: 7.8,
               baseSeverity: "HIGH",
               confidentialityImpact: "HIGH",
               integrityImpact: "HIGH",
               privilegesRequired: "NONE",
               scope: "UNCHANGED",
               userInteraction: "REQUIRED",
               vectorString: "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
               version: "3.1",
            },
            exploitabilityScore: 1.8,
            impactScore: 5.9,
            source: "ics-cert@hq.dhs.gov",
            type: "Secondary",
         },
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "LOCAL",
               availabilityImpact: "HIGH",
               baseScore: 7.8,
               baseSeverity: "HIGH",
               confidentialityImpact: "HIGH",
               integrityImpact: "HIGH",
               privilegesRequired: "NONE",
               scope: "UNCHANGED",
               userInteraction: "REQUIRED",
               vectorString: "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
               version: "3.1",
            },
            exploitabilityScore: 1.8,
            impactScore: 5.9,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2021-09-17T19:15:08.570",
   references: [
      {
         source: "ics-cert@hq.dhs.gov",
         tags: [
            "Third Party Advisory",
            "US Government Resource",
         ],
         url: "https://us-cert.cisa.gov/ics/advisories/icsa-21-252-02",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
            "US Government Resource",
         ],
         url: "https://us-cert.cisa.gov/ics/advisories/icsa-21-252-02",
      },
   ],
   sourceIdentifier: "ics-cert@hq.dhs.gov",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-121",
            },
         ],
         source: "ics-cert@hq.dhs.gov",
         type: "Primary",
      },
   ],
}

ICSA-21-252-02

Vulnerability from csaf_cisa

Published

2021-09-09 00:00

Modified

2021-09-09 00:00

Summary

Delta Electronics DOPSoft 2 (Update A)

Notes

CISA Disclaimer

This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov

Legal Notice

All information products included in https://us-cert.cisa.gov/ics are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.

Risk evaluation

Successful exploitation of these vulnerabilities may allow arbitrary code execution.

Critical infrastructure sectors

Critical Manufacturing

Countries/areas deployed

Worldwide

Company headquarters location

Taiwan

Recommended Practices

CISA recommends users take the following measures to protect themselves from social engineering attacks:

Recommended Practices

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage onus-cert.cisa.gov. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Recommended Practices

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage on us-cert.cisa.gov in the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.

Exploitability

No known public exploits specifically target these vulnerabilities. These vulnerabilities are not exploitable remotely.

JSON

To clipboard

{
   document: {
      acknowledgments: [
         {
            names: [
               "kimiya",
            ],
            organization: "Trend Micro 's Zero Day Initiative",
            summary: "reporting these vulnerabilities to CISA",
         },
      ],
      category: "csaf_security_advisory",
      csaf_version: "2.0",
      distribution: {
         text: "Disclosure is not limited",
         tlp: {
            label: "WHITE",
            url: "https://us-cert.cisa.gov/tlp/",
         },
      },
      lang: "en-US",
      notes: [
         {
            category: "general",
            text: "This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov",
            title: "CISA Disclaimer",
         },
         {
            category: "legal_disclaimer",
            text: "All information products included in https://us-cert.cisa.gov/ics are provided \"as is\" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.",
            title: "Legal Notice",
         },
         {
            category: "summary",
            text: "Successful exploitation of these vulnerabilities may allow arbitrary code execution.",
            title: "Risk evaluation",
         },
         {
            category: "other",
            text: "Critical Manufacturing",
            title: "Critical infrastructure sectors",
         },
         {
            category: "other",
            text: "Worldwide",
            title: "Countries/areas deployed",
         },
         {
            category: "other",
            text: "Taiwan",
            title: "Company headquarters location",
         },
         {
            category: "general",
            text: "CISA recommends users take the following measures to protect themselves from social engineering attacks:",
            title: "Recommended Practices",
         },
         {
            category: "general",
            text: "CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.\nCISA also provides a section for control systems security recommended practices on the ICS webpage onus-cert.cisa.gov. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.",
            title: "Recommended Practices",
         },
         {
            category: "general",
            text: "Additional mitigation guidance and recommended practices are publicly available on the ICS webpage on us-cert.cisa.gov in the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.\nOrganizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.",
            title: "Recommended Practices",
         },
         {
            category: "other",
            text: "No known public exploits specifically target these vulnerabilities. These vulnerabilities are not exploitable remotely.",
            title: "Exploitability",
         },
      ],
      publisher: {
         category: "coordinator",
         contact_details: "Email: CISAservicedesk@cisa.dhs.gov;\n Toll Free: 1-888-282-0870",
         name: "CISA",
         namespace: "https://www.cisa.gov/",
      },
      references: [
         {
            category: "self",
            summary: "ICS Advisory ICSA-21-252-02 JSON",
            url: "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/OT/white/2021/icsa-21-252-02.json",
         },
         {
            category: "self",
            summary: "ICS Advisory ICSA-21-252-02 Web Version",
            url: "https://www.cisa.gov/news-events/ics-advisories/icsa-21-252-02",
         },
         {
            category: "external",
            summary: "Recommended Practices",
            url: "https://us-cert.cisa.gov/ncas/tips/ST04-014",
         },
         {
            category: "external",
            summary: "Recommended Practices",
            url: "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf",
         },
         {
            category: "external",
            summary: "Recommended Practices",
            url: "https://us-cert.cisa.gov/ics/tips/ICS-TIP-12-146-01B",
         },
      ],
      title: "Delta Electronics DOPSoft 2 (Update A)",
      tracking: {
         current_release_date: "2021-09-09T00:00:00.000000Z",
         generator: {
            engine: {
               name: "CISA CSAF Generator",
               version: "1.0.0",
            },
         },
         id: "ICSA-21-252-02",
         initial_release_date: "2021-09-09T00:00:00.000000Z",
         revision_history: [
            {
               date: "2021-09-09T00:00:00.000000Z",
               legacy_version: "Initial",
               number: "1",
               summary: "ICSA-21-252-02 Delta Electronics DOPSoft 2",
            },
         ],
         status: "final",
         version: "1",
      },
   },
   product_tree: {
      branches: [
         {
            branches: [
               {
                  branches: [
                     {
                        category: "product_version_range",
                        name: "<= 2.00.07",
                        product: {
                           name: "DOPSoft 2: Version 2.00.07 and prior",
                           product_id: "CSAFPID-0001",
                        },
                     },
                  ],
                  category: "product_name",
                  name: "DOPSoft 2",
               },
            ],
            category: "vendor",
            name: "Delta Electronics",
         },
      ],
   },
   vulnerabilities: [
      {
         cve: "CVE-2021-38402",
         cwe: {
            id: "CWE-121",
            name: "Stack-based Buffer Overflow",
         },
         notes: [
            {
               category: "summary",
               text: "The affected application lacks proper validation of user-supplied data when parsing specific project files. This could lead to a stack-based buffer overflow while trying to copy to a buffer during font string handling. An attacker could leverage this vulnerability to execute code in the context of the current process. CVE-2021-38402 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).",
               title: "Vulnerability Summary",
            },
         ],
         product_status: {
            known_affected: [
               "CSAFPID-0001",
            ],
         },
         references: [
            {
               category: "external",
               summary: "web.nvd.nist.gov",
               url: "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-38402",
            },
            {
               category: "external",
               summary: "www.first.org",
               url: "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            },
         ],
         remediations: [
            {
               category: "vendor_fix",
               details: "DOPSoft 2 will not receive an update to mitigate these vulnerabilities because it is an end-of-life product. Delta Electronics recommends users switch HMI devices to the DOP-100 family and then switch the software to DIAScreen in DIAStudio v1.1.2 (or later) (login required).",
               product_ids: [
                  "CSAFPID-0001",
               ],
               url: "https://diastudio.deltaww.com/home/downloads?sec=download#catalog",
            },
            {
               category: "vendor_fix",
               details: "DOPSoft 2 will not receive an update to mitigate these vulnerabilities because it is an end-of-life product. Delta Electronics recommends users to switch to the replacement software when available.",
               product_ids: [
                  "CSAFPID-0001",
               ],
            },
         ],
         scores: [
            {
               cvss_v3: {
                  baseScore: 7.8,
                  baseSeverity: "HIGH",
                  vectorString: "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                  version: "3.0",
               },
               products: [
                  "CSAFPID-0001",
               ],
            },
         ],
      },
      {
         cve: "CVE-2021-38406",
         cwe: {
            id: "CWE-787",
            name: "Out-of-bounds Write",
         },
         notes: [
            {
               category: "summary",
               text: "The affected application lacks proper validation of user-supplied data when parsing specific project files. This could result in multiple out-of-bounds write instances. An attacker could leverage this vulnerability to execute code in the context of the current process. CVE-2021-38406 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).",
               title: "Vulnerability Summary",
            },
         ],
         product_status: {
            known_affected: [
               "CSAFPID-0001",
            ],
         },
         references: [
            {
               category: "external",
               summary: "web.nvd.nist.gov",
               url: "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-38406",
            },
            {
               category: "external",
               summary: "www.first.org",
               url: "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            },
         ],
         remediations: [
            {
               category: "vendor_fix",
               details: "DOPSoft 2 will not receive an update to mitigate these vulnerabilities because it is an end-of-life product. Delta Electronics recommends users switch HMI devices to the DOP-100 family and then switch the software to DIAScreen in DIAStudio v1.1.2 (or later) (login required).",
               product_ids: [
                  "CSAFPID-0001",
               ],
               url: "https://diastudio.deltaww.com/home/downloads?sec=download#catalog",
            },
            {
               category: "vendor_fix",
               details: "DOPSoft 2 will not receive an update to mitigate these vulnerabilities because it is an end-of-life product. Delta Electronics recommends users to switch to the replacement software when available.",
               product_ids: [
                  "CSAFPID-0001",
               ],
            },
         ],
         scores: [
            {
               cvss_v3: {
                  baseScore: 7.8,
                  baseSeverity: "HIGH",
                  vectorString: "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                  version: "3.0",
               },
               products: [
                  "CSAFPID-0001",
               ],
            },
         ],
      },
      {
         cve: "CVE-2021-38404",
         cwe: {
            id: "CWE-122",
            name: "Heap-based Buffer Overflow",
         },
         notes: [
            {
               category: "summary",
               text: "The affected application lacks proper validation of user-supplied data when parsing specific project files. This could result in a heap-based buffer overflow. An attacker could leverage this vulnerability to execute code in the context of the current process. CVE-2021-38404 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).",
               title: "Vulnerability Summary",
            },
         ],
         product_status: {
            known_affected: [
               "CSAFPID-0001",
            ],
         },
         references: [
            {
               category: "external",
               summary: "web.nvd.nist.gov",
               url: "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-38404",
            },
            {
               category: "external",
               summary: "www.first.org",
               url: "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            },
         ],
         remediations: [
            {
               category: "vendor_fix",
               details: "DOPSoft 2 will not receive an update to mitigate these vulnerabilities because it is an end-of-life product. Delta Electronics recommends users switch HMI devices to the DOP-100 family and then switch the software to DIAScreen in DIAStudio v1.1.2 (or later) (login required).",
               product_ids: [
                  "CSAFPID-0001",
               ],
               url: "https://diastudio.deltaww.com/home/downloads?sec=download#catalog",
            },
            {
               category: "vendor_fix",
               details: "DOPSoft 2 will not receive an update to mitigate these vulnerabilities because it is an end-of-life product. Delta Electronics recommends users to switch to the replacement software when available.",
               product_ids: [
                  "CSAFPID-0001",
               ],
            },
         ],
         scores: [
            {
               cvss_v3: {
                  baseScore: 7.8,
                  baseSeverity: "HIGH",
                  vectorString: "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                  version: "3.0",
               },
               products: [
                  "CSAFPID-0001",
               ],
            },
         ],
      },
   ],
}

icsa-21-252-02

Vulnerability from csaf_cisa

Published

2021-09-09 00:00

Modified

2021-09-09 00:00

Summary

Delta Electronics DOPSoft 2 (Update A)

Notes

CISA Disclaimer

This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov

Legal Notice

Risk evaluation

Successful exploitation of these vulnerabilities may allow arbitrary code execution.

Critical infrastructure sectors

Critical Manufacturing

Countries/areas deployed

Worldwide

Company headquarters location

Taiwan

Recommended Practices

CISA recommends users take the following measures to protect themselves from social engineering attacks:

Recommended Practices

Exploitability

No known public exploits specifically target these vulnerabilities. These vulnerabilities are not exploitable remotely.

JSON

To clipboard

{
   document: {
      acknowledgments: [
         {
            names: [
               "kimiya",
            ],
            organization: "Trend Micro 's Zero Day Initiative",
            summary: "reporting these vulnerabilities to CISA",
         },
      ],
      category: "csaf_security_advisory",
      csaf_version: "2.0",
      distribution: {
         text: "Disclosure is not limited",
         tlp: {
            label: "WHITE",
            url: "https://us-cert.cisa.gov/tlp/",
         },
      },
      lang: "en-US",
      notes: [
         {
            category: "general",
            text: "This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov",
            title: "CISA Disclaimer",
         },
         {
            category: "legal_disclaimer",
            text: "All information products included in https://us-cert.cisa.gov/ics are provided \"as is\" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.",
            title: "Legal Notice",
         },
         {
            category: "summary",
            text: "Successful exploitation of these vulnerabilities may allow arbitrary code execution.",
            title: "Risk evaluation",
         },
         {
            category: "other",
            text: "Critical Manufacturing",
            title: "Critical infrastructure sectors",
         },
         {
            category: "other",
            text: "Worldwide",
            title: "Countries/areas deployed",
         },
         {
            category: "other",
            text: "Taiwan",
            title: "Company headquarters location",
         },
         {
            category: "general",
            text: "CISA recommends users take the following measures to protect themselves from social engineering attacks:",
            title: "Recommended Practices",
         },
         {
            category: "general",
            text: "CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.\nCISA also provides a section for control systems security recommended practices on the ICS webpage onus-cert.cisa.gov. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.",
            title: "Recommended Practices",
         },
         {
            category: "general",
            text: "Additional mitigation guidance and recommended practices are publicly available on the ICS webpage on us-cert.cisa.gov in the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.\nOrganizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.",
            title: "Recommended Practices",
         },
         {
            category: "other",
            text: "No known public exploits specifically target these vulnerabilities. These vulnerabilities are not exploitable remotely.",
            title: "Exploitability",
         },
      ],
      publisher: {
         category: "coordinator",
         contact_details: "Email: CISAservicedesk@cisa.dhs.gov;\n Toll Free: 1-888-282-0870",
         name: "CISA",
         namespace: "https://www.cisa.gov/",
      },
      references: [
         {
            category: "self",
            summary: "ICS Advisory ICSA-21-252-02 JSON",
            url: "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/OT/white/2021/icsa-21-252-02.json",
         },
         {
            category: "self",
            summary: "ICS Advisory ICSA-21-252-02 Web Version",
            url: "https://www.cisa.gov/news-events/ics-advisories/icsa-21-252-02",
         },
         {
            category: "external",
            summary: "Recommended Practices",
            url: "https://us-cert.cisa.gov/ncas/tips/ST04-014",
         },
         {
            category: "external",
            summary: "Recommended Practices",
            url: "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf",
         },
         {
            category: "external",
            summary: "Recommended Practices",
            url: "https://us-cert.cisa.gov/ics/tips/ICS-TIP-12-146-01B",
         },
      ],
      title: "Delta Electronics DOPSoft 2 (Update A)",
      tracking: {
         current_release_date: "2021-09-09T00:00:00.000000Z",
         generator: {
            engine: {
               name: "CISA CSAF Generator",
               version: "1.0.0",
            },
         },
         id: "ICSA-21-252-02",
         initial_release_date: "2021-09-09T00:00:00.000000Z",
         revision_history: [
            {
               date: "2021-09-09T00:00:00.000000Z",
               legacy_version: "Initial",
               number: "1",
               summary: "ICSA-21-252-02 Delta Electronics DOPSoft 2",
            },
         ],
         status: "final",
         version: "1",
      },
   },
   product_tree: {
      branches: [
         {
            branches: [
               {
                  branches: [
                     {
                        category: "product_version_range",
                        name: "<= 2.00.07",
                        product: {
                           name: "DOPSoft 2: Version 2.00.07 and prior",
                           product_id: "CSAFPID-0001",
                        },
                     },
                  ],
                  category: "product_name",
                  name: "DOPSoft 2",
               },
            ],
            category: "vendor",
            name: "Delta Electronics",
         },
      ],
   },
   vulnerabilities: [
      {
         cve: "CVE-2021-38402",
         cwe: {
            id: "CWE-121",
            name: "Stack-based Buffer Overflow",
         },
         notes: [
            {
               category: "summary",
               text: "The affected application lacks proper validation of user-supplied data when parsing specific project files. This could lead to a stack-based buffer overflow while trying to copy to a buffer during font string handling. An attacker could leverage this vulnerability to execute code in the context of the current process. CVE-2021-38402 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).",
               title: "Vulnerability Summary",
            },
         ],
         product_status: {
            known_affected: [
               "CSAFPID-0001",
            ],
         },
         references: [
            {
               category: "external",
               summary: "web.nvd.nist.gov",
               url: "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-38402",
            },
            {
               category: "external",
               summary: "www.first.org",
               url: "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            },
         ],
         remediations: [
            {
               category: "vendor_fix",
               details: "DOPSoft 2 will not receive an update to mitigate these vulnerabilities because it is an end-of-life product. Delta Electronics recommends users switch HMI devices to the DOP-100 family and then switch the software to DIAScreen in DIAStudio v1.1.2 (or later) (login required).",
               product_ids: [
                  "CSAFPID-0001",
               ],
               url: "https://diastudio.deltaww.com/home/downloads?sec=download#catalog",
            },
            {
               category: "vendor_fix",
               details: "DOPSoft 2 will not receive an update to mitigate these vulnerabilities because it is an end-of-life product. Delta Electronics recommends users to switch to the replacement software when available.",
               product_ids: [
                  "CSAFPID-0001",
               ],
            },
         ],
         scores: [
            {
               cvss_v3: {
                  baseScore: 7.8,
                  baseSeverity: "HIGH",
                  vectorString: "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                  version: "3.0",
               },
               products: [
                  "CSAFPID-0001",
               ],
            },
         ],
      },
      {
         cve: "CVE-2021-38406",
         cwe: {
            id: "CWE-787",
            name: "Out-of-bounds Write",
         },
         notes: [
            {
               category: "summary",
               text: "The affected application lacks proper validation of user-supplied data when parsing specific project files. This could result in multiple out-of-bounds write instances. An attacker could leverage this vulnerability to execute code in the context of the current process. CVE-2021-38406 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).",
               title: "Vulnerability Summary",
            },
         ],
         product_status: {
            known_affected: [
               "CSAFPID-0001",
            ],
         },
         references: [
            {
               category: "external",
               summary: "web.nvd.nist.gov",
               url: "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-38406",
            },
            {
               category: "external",
               summary: "www.first.org",
               url: "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            },
         ],
         remediations: [
            {
               category: "vendor_fix",
               details: "DOPSoft 2 will not receive an update to mitigate these vulnerabilities because it is an end-of-life product. Delta Electronics recommends users switch HMI devices to the DOP-100 family and then switch the software to DIAScreen in DIAStudio v1.1.2 (or later) (login required).",
               product_ids: [
                  "CSAFPID-0001",
               ],
               url: "https://diastudio.deltaww.com/home/downloads?sec=download#catalog",
            },
            {
               category: "vendor_fix",
               details: "DOPSoft 2 will not receive an update to mitigate these vulnerabilities because it is an end-of-life product. Delta Electronics recommends users to switch to the replacement software when available.",
               product_ids: [
                  "CSAFPID-0001",
               ],
            },
         ],
         scores: [
            {
               cvss_v3: {
                  baseScore: 7.8,
                  baseSeverity: "HIGH",
                  vectorString: "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                  version: "3.0",
               },
               products: [
                  "CSAFPID-0001",
               ],
            },
         ],
      },
      {
         cve: "CVE-2021-38404",
         cwe: {
            id: "CWE-122",
            name: "Heap-based Buffer Overflow",
         },
         notes: [
            {
               category: "summary",
               text: "The affected application lacks proper validation of user-supplied data when parsing specific project files. This could result in a heap-based buffer overflow. An attacker could leverage this vulnerability to execute code in the context of the current process. CVE-2021-38404 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).",
               title: "Vulnerability Summary",
            },
         ],
         product_status: {
            known_affected: [
               "CSAFPID-0001",
            ],
         },
         references: [
            {
               category: "external",
               summary: "web.nvd.nist.gov",
               url: "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-38404",
            },
            {
               category: "external",
               summary: "www.first.org",
               url: "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            },
         ],
         remediations: [
            {
               category: "vendor_fix",
               details: "DOPSoft 2 will not receive an update to mitigate these vulnerabilities because it is an end-of-life product. Delta Electronics recommends users switch HMI devices to the DOP-100 family and then switch the software to DIAScreen in DIAStudio v1.1.2 (or later) (login required).",
               product_ids: [
                  "CSAFPID-0001",
               ],
               url: "https://diastudio.deltaww.com/home/downloads?sec=download#catalog",
            },
            {
               category: "vendor_fix",
               details: "DOPSoft 2 will not receive an update to mitigate these vulnerabilities because it is an end-of-life product. Delta Electronics recommends users to switch to the replacement software when available.",
               product_ids: [
                  "CSAFPID-0001",
               ],
            },
         ],
         scores: [
            {
               cvss_v3: {
                  baseScore: 7.8,
                  baseSeverity: "HIGH",
                  vectorString: "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                  version: "3.0",
               },
               products: [
                  "CSAFPID-0001",
               ],
            },
         ],
      },
   ],
}

gsd-2021-38402

Vulnerability from gsd

Modified

2023-12-13 01:23

Details

Aliases

CVE-2021-38402

Aliases

CVE-2021-38402

JSON

To clipboard

{
   GSD: {
      alias: "CVE-2021-38402",
      description: "Delta Electronic DOPSoft 2 (Version 2.00.07 and prior) lacks proper validation of user-supplied data when parsing specific project files. This could lead to a stack-based buffer overflow while trying to copy to a buffer during font string handling. An attacker could leverage this vulnerability to execute code in the context of the current process.",
      id: "GSD-2021-38402",
   },
   gsd: {
      metadata: {
         exploitCode: "unknown",
         remediation: "unknown",
         reportConfidence: "confirmed",
         type: "vulnerability",
      },
      osvSchema: {
         aliases: [
            "CVE-2021-38402",
         ],
         details: "Delta Electronic DOPSoft 2 (Version 2.00.07 and prior) lacks proper validation of user-supplied data when parsing specific project files. This could lead to a stack-based buffer overflow while trying to copy to a buffer during font string handling. An attacker could leverage this vulnerability to execute code in the context of the current process.",
         id: "GSD-2021-38402",
         modified: "2023-12-13T01:23:17.922850Z",
         schema_version: "1.4.0",
      },
   },
   namespaces: {
      "cve.org": {
         CVE_data_meta: {
            ASSIGNER: "ics-cert@hq.dhs.gov",
            DATE_PUBLIC: "2021-09-09T14:34:00.000Z",
            ID: "CVE-2021-38402",
            STATE: "PUBLIC",
            TITLE: "Delta Electronics DOPSoft 2 Stack-Based Buffer Overflow",
         },
         affects: {
            vendor: {
               vendor_data: [
                  {
                     product: {
                        product_data: [
                           {
                              product_name: "DOPSoft 2",
                              version: {
                                 version_data: [
                                    {
                                       version_affected: "<=",
                                       version_value: "2.00.07",
                                    },
                                 ],
                              },
                           },
                        ],
                     },
                     vendor_name: "Delta Electronics",
                  },
               ],
            },
         },
         credit: [
            {
               lang: "eng",
               value: "kimiya, working with Trend Micro’s Zero Day Initiative",
            },
         ],
         data_format: "MITRE",
         data_type: "CVE",
         data_version: "4.0",
         description: {
            description_data: [
               {
                  lang: "eng",
                  value: "Delta Electronic DOPSoft 2 (Version 2.00.07 and prior) lacks proper validation of user-supplied data when parsing specific project files. This could lead to a stack-based buffer overflow while trying to copy to a buffer during font string handling. An attacker could leverage this vulnerability to execute code in the context of the current process.",
               },
            ],
         },
         generator: {
            engine: "Vulnogram 0.0.9",
         },
         impact: {
            cvss: {
               attackComplexity: "LOW",
               attackVector: "LOCAL",
               availabilityImpact: "HIGH",
               baseScore: 7.8,
               baseSeverity: "HIGH",
               confidentialityImpact: "HIGH",
               integrityImpact: "HIGH",
               privilegesRequired: "NONE",
               scope: "UNCHANGED",
               userInteraction: "REQUIRED",
               vectorString: "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
               version: "3.1",
            },
         },
         problemtype: {
            problemtype_data: [
               {
                  description: [
                     {
                        lang: "eng",
                        value: "CWE-121 Stack-based Buffer Overflow",
                     },
                  ],
               },
            ],
         },
         references: {
            reference_data: [
               {
                  name: "https://us-cert.cisa.gov/ics/advisories/icsa-21-252-02",
                  refsource: "MISC",
                  url: "https://us-cert.cisa.gov/ics/advisories/icsa-21-252-02",
               },
            ],
         },
         solution: [
            {
               lang: "eng",
               value: "DOPSoft 2 will not receive an update to mitigate these vulnerabilities because it is an end-of-life product. Delta Electronics recommends users to switch to the replacement software when available",
            },
         ],
         source: {
            advisory: "ICSA-21-252-02",
            discovery: "UNKNOWN",
         },
      },
      "nvd.nist.gov": {
         configurations: {
            CVE_data_version: "4.0",
            nodes: [
               {
                  children: [],
                  cpe_match: [
                     {
                        cpe23Uri: "cpe:2.3:a:deltaww:dopsoft:*:*:*:*:*:*:*:*",
                        cpe_name: [],
                        versionEndIncluding: "2.00.07",
                        versionStartIncluding: "2.00",
                        vulnerable: true,
                     },
                  ],
                  operator: "OR",
               },
            ],
         },
         cve: {
            CVE_data_meta: {
               ASSIGNER: "ics-cert@hq.dhs.gov",
               ID: "CVE-2021-38402",
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "en",
                     value: "Delta Electronic DOPSoft 2 (Version 2.00.07 and prior) lacks proper validation of user-supplied data when parsing specific project files. This could lead to a stack-based buffer overflow while trying to copy to a buffer during font string handling. An attacker could leverage this vulnerability to execute code in the context of the current process.",
                  },
               ],
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "en",
                           value: "CWE-121",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "https://us-cert.cisa.gov/ics/advisories/icsa-21-252-02",
                     refsource: "MISC",
                     tags: [
                        "Third Party Advisory",
                        "US Government Resource",
                     ],
                     url: "https://us-cert.cisa.gov/ics/advisories/icsa-21-252-02",
                  },
               ],
            },
         },
         impact: {
            baseMetricV2: {
               acInsufInfo: false,
               cvssV2: {
                  accessComplexity: "MEDIUM",
                  accessVector: "NETWORK",
                  authentication: "NONE",
                  availabilityImpact: "PARTIAL",
                  baseScore: 6.8,
                  confidentialityImpact: "PARTIAL",
                  integrityImpact: "PARTIAL",
                  vectorString: "AV:N/AC:M/Au:N/C:P/I:P/A:P",
                  version: "2.0",
               },
               exploitabilityScore: 8.6,
               impactScore: 6.4,
               obtainAllPrivilege: false,
               obtainOtherPrivilege: false,
               obtainUserPrivilege: false,
               severity: "MEDIUM",
               userInteractionRequired: true,
            },
            baseMetricV3: {
               cvssV3: {
                  attackComplexity: "LOW",
                  attackVector: "LOCAL",
                  availabilityImpact: "HIGH",
                  baseScore: 7.8,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "HIGH",
                  integrityImpact: "HIGH",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "REQUIRED",
                  vectorString: "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                  version: "3.1",
               },
               exploitabilityScore: 1.8,
               impactScore: 5.9,
            },
         },
         lastModifiedDate: "2021-10-04T18:11Z",
         publishedDate: "2021-09-17T19:15Z",
      },
   },
}

ghsa-pmhq-p9q2-mpcv

Vulnerability from github

Published

2022-05-24 19:14

Modified

2022-05-24 19:14

Details

Show details on source website

JSON

To clipboard

{
   affected: [],
   aliases: [
      "CVE-2021-38402",
   ],
   database_specific: {
      cwe_ids: [
         "CWE-121",
      ],
      github_reviewed: false,
      github_reviewed_at: null,
      nvd_published_at: "2021-09-17T19:15:00Z",
      severity: "HIGH",
   },
   details: "Delta Electronic DOPSoft 2 (Version 2.00.07 and prior) lacks proper validation of user-supplied data when parsing specific project files. This could lead to a stack-based buffer overflow while trying to copy to a buffer during font string handling. An attacker could leverage this vulnerability to execute code in the context of the current process.",
   id: "GHSA-pmhq-p9q2-mpcv",
   modified: "2022-05-24T19:14:54Z",
   published: "2022-05-24T19:14:54Z",
   references: [
      {
         type: "ADVISORY",
         url: "https://nvd.nist.gov/vuln/detail/CVE-2021-38402",
      },
      {
         type: "WEB",
         url: "https://us-cert.cisa.gov/ics/advisories/icsa-21-252-02",
      },
   ],
   schema_version: "1.4.0",
   severity: [],
}

var-202109-1253

Vulnerability from variot

Delta Electronic DOPSoft 2 (Version 2.00.07 and prior) lacks proper validation of user-supplied data when parsing specific project files. This could lead to a stack-based buffer overflow while trying to copy to a buffer during font string handling. An attacker could leverage this vulnerability to execute code in the context of the current process. Delta Electronics Provided by the company DOPSoft 2 The following multiple vulnerabilities exist in. * Stack-based buffer overflow ( CWE-121 ) - CVE-2021-38402 ‥ * Out-of-bounds writing ( CWE-787 ) - CVE-2021-38406 ‥ * Heap-based buffer overflow ( CWE-122 ) - CVE-2021-38404When loading a specially crafted project file, malicious code is executed with the privileges of the process in which the product runs. Delta Electronics DOPSoft is a set of Human-Machine Interface (HMI) software of Taiwan Delta Electronics (Delta Electronics). Pillow is a Python-based image processing library. There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements

Show details on source website

JSON

To clipboard

{
   "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
      affected_products: {
         "@id": "https://www.variotdbs.pl/ref/affected_products",
      },
      configurations: {
         "@id": "https://www.variotdbs.pl/ref/configurations",
      },
      credits: {
         "@id": "https://www.variotdbs.pl/ref/credits",
      },
      cvss: {
         "@id": "https://www.variotdbs.pl/ref/cvss/",
      },
      description: {
         "@id": "https://www.variotdbs.pl/ref/description/",
      },
      exploit_availability: {
         "@id": "https://www.variotdbs.pl/ref/exploit_availability/",
      },
      external_ids: {
         "@id": "https://www.variotdbs.pl/ref/external_ids/",
      },
      iot: {
         "@id": "https://www.variotdbs.pl/ref/iot/",
      },
      iot_taxonomy: {
         "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/",
      },
      patch: {
         "@id": "https://www.variotdbs.pl/ref/patch/",
      },
      problemtype_data: {
         "@id": "https://www.variotdbs.pl/ref/problemtype_data/",
      },
      references: {
         "@id": "https://www.variotdbs.pl/ref/references/",
      },
      sources: {
         "@id": "https://www.variotdbs.pl/ref/sources/",
      },
      sources_release_date: {
         "@id": "https://www.variotdbs.pl/ref/sources_release_date/",
      },
      sources_update_date: {
         "@id": "https://www.variotdbs.pl/ref/sources_update_date/",
      },
      threat_type: {
         "@id": "https://www.variotdbs.pl/ref/threat_type/",
      },
      title: {
         "@id": "https://www.variotdbs.pl/ref/title/",
      },
      type: {
         "@id": "https://www.variotdbs.pl/ref/type/",
      },
   },
   "@id": "https://www.variotdbs.pl/vuln/VAR-202109-1253",
   affected_products: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
         data: {
            "@container": "@list",
         },
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
            "@id": "https://www.variotdbs.pl/ref/sources",
         },
      },
      data: [
         {
            model: "dopsoft",
            scope: "lte",
            trust: 1,
            vendor: "deltaww",
            version: "2.00.07",
         },
         {
            model: "dopsoft",
            scope: "gte",
            trust: 1,
            vendor: "deltaww",
            version: "2.00",
         },
         {
            model: "dopsoft 2",
            scope: "lte",
            trust: 0.8,
            vendor: "delta",
            version: "2.00.07  and earlier",
         },
         {
            model: "dopsoft 2",
            scope: "eq",
            trust: 0.8,
            vendor: "delta",
            version: null,
         },
         {
            model: "electronics dopsoft",
            scope: "eq",
            trust: 0.6,
            vendor: "delta",
            version: "2<=2.00.07",
         },
      ],
      sources: [
         {
            db: "CNVD",
            id: "CNVD-2021-70156",
         },
         {
            db: "JVNDB",
            id: "JVNDB-2021-002380",
         },
         {
            db: "NVD",
            id: "CVE-2021-38402",
         },
      ],
   },
   credits: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/credits#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: "reported these vulnerabilities to CISA.,kimiya, working with Trend Micro’s Zero Day Initiative",
      sources: [
         {
            db: "CNNVD",
            id: "CNNVD-202109-529",
         },
      ],
      trust: 0.6,
   },
   cve: "CVE-2021-38402",
   cvss: {
      "@context": {
         cvssV2: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#",
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2",
         },
         cvssV3: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#",
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/",
         },
         severity: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/cvss/severity#",
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/severity",
         },
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
            "@id": "https://www.variotdbs.pl/ref/sources",
         },
      },
      data: [
         {
            cvssV2: [
               {
                  accessComplexity: "MEDIUM",
                  accessVector: "NETWORK",
                  authentication: "NONE",
                  author: "nvd@nist.gov",
                  availabilityImpact: "PARTIAL",
                  baseScore: 6.8,
                  confidentialityImpact: "PARTIAL",
                  exploitabilityScore: 8.6,
                  id: "CVE-2021-38402",
                  impactScore: 6.4,
                  integrityImpact: "PARTIAL",
                  severity: "MEDIUM",
                  trust: 1.1,
                  vectorString: "AV:N/AC:M/Au:N/C:P/I:P/A:P",
                  version: "2.0",
               },
               {
                  accessComplexity: "LOW",
                  accessVector: "LOCAL",
                  authentication: "NONE",
                  author: "CNVD",
                  availabilityImpact: "COMPLETE",
                  baseScore: 7.2,
                  confidentialityImpact: "COMPLETE",
                  exploitabilityScore: 3.9,
                  id: "CNVD-2021-70156",
                  impactScore: 10,
                  integrityImpact: "COMPLETE",
                  severity: "HIGH",
                  trust: 0.6,
                  vectorString: "AV:L/AC:L/Au:N/C:C/I:C/A:C",
                  version: "2.0",
               },
            ],
            cvssV3: [
               {
                  attackComplexity: "LOW",
                  attackVector: "LOCAL",
                  author: "nvd@nist.gov",
                  availabilityImpact: "HIGH",
                  baseScore: 7.8,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "HIGH",
                  exploitabilityScore: 1.8,
                  id: "CVE-2021-38402",
                  impactScore: 5.9,
                  integrityImpact: "HIGH",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  trust: 2,
                  userInteraction: "REQUIRED",
                  vectorString: "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                  version: "3.1",
               },
               {
                  attackComplexity: "Low",
                  attackVector: "Local",
                  author: "OTHER",
                  availabilityImpact: "High",
                  baseScore: 7.8,
                  baseSeverity: "High",
                  confidentialityImpact: "High",
                  exploitabilityScore: null,
                  id: "JVNDB-2021-002380",
                  impactScore: null,
                  integrityImpact: "High",
                  privilegesRequired: "None",
                  scope: "Unchanged",
                  trust: 0.8,
                  userInteraction: "Required",
                  vectorString: "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                  version: "3.0",
               },
            ],
            severity: [
               {
                  author: "nvd@nist.gov",
                  id: "CVE-2021-38402",
                  trust: 1,
                  value: "HIGH",
               },
               {
                  author: "ics-cert@hq.dhs.gov",
                  id: "CVE-2021-38402",
                  trust: 1,
                  value: "HIGH",
               },
               {
                  author: "OTHER",
                  id: "JVNDB-2021-002380",
                  trust: 0.8,
                  value: "High",
               },
               {
                  author: "CNVD",
                  id: "CNVD-2021-70156",
                  trust: 0.6,
                  value: "HIGH",
               },
               {
                  author: "CNNVD",
                  id: "CNNVD-202104-975",
                  trust: 0.6,
                  value: "MEDIUM",
               },
               {
                  author: "CNNVD",
                  id: "CNNVD-202109-529",
                  trust: 0.6,
                  value: "HIGH",
               },
               {
                  author: "VULMON",
                  id: "CVE-2021-38402",
                  trust: 0.1,
                  value: "MEDIUM",
               },
            ],
         },
      ],
      sources: [
         {
            db: "CNVD",
            id: "CNVD-2021-70156",
         },
         {
            db: "VULMON",
            id: "CVE-2021-38402",
         },
         {
            db: "JVNDB",
            id: "JVNDB-2021-002380",
         },
         {
            db: "CNNVD",
            id: "CNNVD-202104-975",
         },
         {
            db: "CNNVD",
            id: "CNNVD-202109-529",
         },
         {
            db: "NVD",
            id: "CVE-2021-38402",
         },
         {
            db: "NVD",
            id: "CVE-2021-38402",
         },
      ],
   },
   description: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/description#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: "Delta Electronic DOPSoft 2 (Version 2.00.07 and prior) lacks proper validation of user-supplied data when parsing specific project files. This could lead to a stack-based buffer overflow while trying to copy to a buffer during font string handling. An attacker could leverage this vulnerability to execute code in the context of the current process. Delta Electronics Provided by the company DOPSoft 2 The following multiple vulnerabilities exist in. * Stack-based buffer overflow ( CWE-121 ) - CVE-2021-38402 ‥ * Out-of-bounds writing ( CWE-787 ) - CVE-2021-38406 ‥ * Heap-based buffer overflow ( CWE-122 ) - CVE-2021-38404When loading a specially crafted project file, malicious code is executed with the privileges of the process in which the product runs. Delta Electronics DOPSoft is a set of Human-Machine Interface (HMI) software of Taiwan Delta Electronics (Delta Electronics). Pillow is a Python-based image processing library. \nThere is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements",
      sources: [
         {
            db: "NVD",
            id: "CVE-2021-38402",
         },
         {
            db: "JVNDB",
            id: "JVNDB-2021-002380",
         },
         {
            db: "CNVD",
            id: "CNVD-2021-70156",
         },
         {
            db: "CNNVD",
            id: "CNNVD-202104-975",
         },
         {
            db: "VULMON",
            id: "CVE-2021-38402",
         },
      ],
      trust: 2.79,
   },
   external_ids: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
         data: {
            "@container": "@list",
         },
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: [
         {
            db: "ICS CERT",
            id: "ICSA-21-252-02",
            trust: 3.1,
         },
         {
            db: "NVD",
            id: "CVE-2021-38402",
            trust: 3.1,
         },
         {
            db: "JVN",
            id: "JVNVU95804712",
            trust: 0.8,
         },
         {
            db: "JVNDB",
            id: "JVNDB-2021-002380",
            trust: 0.8,
         },
         {
            db: "CNVD",
            id: "CNVD-2021-70156",
            trust: 0.6,
         },
         {
            db: "CS-HELP",
            id: "SB2021041363",
            trust: 0.6,
         },
         {
            db: "CNNVD",
            id: "CNNVD-202104-975",
            trust: 0.6,
         },
         {
            db: "CS-HELP",
            id: "SB2021091004",
            trust: 0.6,
         },
         {
            db: "AUSCERT",
            id: "ESB-2021.3042",
            trust: 0.6,
         },
         {
            db: "CNNVD",
            id: "CNNVD-202109-529",
            trust: 0.6,
         },
         {
            db: "VULMON",
            id: "CVE-2021-38402",
            trust: 0.1,
         },
      ],
      sources: [
         {
            db: "CNVD",
            id: "CNVD-2021-70156",
         },
         {
            db: "VULMON",
            id: "CVE-2021-38402",
         },
         {
            db: "JVNDB",
            id: "JVNDB-2021-002380",
         },
         {
            db: "CNNVD",
            id: "CNNVD-202104-975",
         },
         {
            db: "CNNVD",
            id: "CNNVD-202109-529",
         },
         {
            db: "NVD",
            id: "CVE-2021-38402",
         },
      ],
   },
   id: "VAR-202109-1253",
   iot: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/iot#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: true,
      sources: [
         {
            db: "CNVD",
            id: "CNVD-2021-70156",
         },
      ],
      trust: 1.5642857000000001,
   },
   iot_taxonomy: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
         data: {
            "@container": "@list",
         },
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: [
         {
            category: [
               "ICS",
            ],
            sub_category: null,
            trust: 0.6,
         },
      ],
      sources: [
         {
            db: "CNVD",
            id: "CNVD-2021-70156",
         },
      ],
   },
   last_update_date: "2024-08-14T12:35:33.980000Z",
   patch: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/patch#",
         data: {
            "@container": "@list",
         },
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: [
         {
            title: "Contact Us",
            trust: 0.8,
            url: "https://www.deltaww.com/en/customerService",
         },
         {
            title: "CVE-2021-38402",
            trust: 0.1,
            url: "https://github.com/AIPOCAI/CVE-2021-38402 ",
         },
      ],
      sources: [
         {
            db: "VULMON",
            id: "CVE-2021-38402",
         },
         {
            db: "JVNDB",
            id: "JVNDB-2021-002380",
         },
      ],
   },
   problemtype_data: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: [
         {
            problemtype: "CWE-121",
            trust: 1,
         },
         {
            problemtype: "Stack-based buffer overflow (CWE-121) [ Other ]",
            trust: 0.8,
         },
         {
            problemtype: " Heap-based buffer overflow (CWE-122) [ Other ]",
            trust: 0.8,
         },
         {
            problemtype: " Out-of-bounds writing (CWE-787) [ Other ]",
            trust: 0.8,
         },
      ],
      sources: [
         {
            db: "JVNDB",
            id: "JVNDB-2021-002380",
         },
         {
            db: "NVD",
            id: "CVE-2021-38402",
         },
      ],
   },
   references: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/references#",
         data: {
            "@container": "@list",
         },
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: [
         {
            trust: 3.7,
            url: "https://us-cert.cisa.gov/ics/advisories/icsa-21-252-02",
         },
         {
            trust: 0.8,
            url: "https://jvn.jp/vu/jvnvu95804712/",
         },
         {
            trust: 0.6,
            url: "https://www.cybersecurity-help.cz/vdb/sb2021041363",
         },
         {
            trust: 0.6,
            url: "https://nvd.nist.gov/vuln/detail/cve-2021-38402",
         },
         {
            trust: 0.6,
            url: "https://www.auscert.org.au/bulletins/esb-2021.3042",
         },
         {
            trust: 0.6,
            url: "https://www.cybersecurity-help.cz/vdb/sb2021091004",
         },
         {
            trust: 0.1,
            url: "https://cwe.mitre.org/data/definitions/121.html",
         },
         {
            trust: 0.1,
            url: "https://github.com/aipocai/cve-2021-38402",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov",
         },
         {
            trust: 0.1,
            url: "https://www.cisa.gov/uscert/ics/advisories/icsa-21-252-02",
         },
      ],
      sources: [
         {
            db: "CNVD",
            id: "CNVD-2021-70156",
         },
         {
            db: "VULMON",
            id: "CVE-2021-38402",
         },
         {
            db: "JVNDB",
            id: "JVNDB-2021-002380",
         },
         {
            db: "CNNVD",
            id: "CNNVD-202104-975",
         },
         {
            db: "CNNVD",
            id: "CNNVD-202109-529",
         },
         {
            db: "NVD",
            id: "CVE-2021-38402",
         },
      ],
   },
   sources: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/sources#",
         data: {
            "@container": "@list",
         },
      },
      data: [
         {
            db: "CNVD",
            id: "CNVD-2021-70156",
         },
         {
            db: "VULMON",
            id: "CVE-2021-38402",
         },
         {
            db: "JVNDB",
            id: "JVNDB-2021-002380",
         },
         {
            db: "CNNVD",
            id: "CNNVD-202104-975",
         },
         {
            db: "CNNVD",
            id: "CNNVD-202109-529",
         },
         {
            db: "NVD",
            id: "CVE-2021-38402",
         },
      ],
   },
   sources_release_date: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
         data: {
            "@container": "@list",
         },
      },
      data: [
         {
            date: "2021-09-12T00:00:00",
            db: "CNVD",
            id: "CNVD-2021-70156",
         },
         {
            date: "2021-09-17T00:00:00",
            db: "VULMON",
            id: "CVE-2021-38402",
         },
         {
            date: "2021-09-13T00:00:00",
            db: "JVNDB",
            id: "JVNDB-2021-002380",
         },
         {
            date: "2021-04-13T00:00:00",
            db: "CNNVD",
            id: "CNNVD-202104-975",
         },
         {
            date: "2021-09-09T00:00:00",
            db: "CNNVD",
            id: "CNNVD-202109-529",
         },
         {
            date: "2021-09-17T19:15:08.570000",
            db: "NVD",
            id: "CVE-2021-38402",
         },
      ],
   },
   sources_update_date: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
         data: {
            "@container": "@list",
         },
      },
      data: [
         {
            date: "2022-01-18T00:00:00",
            db: "CNVD",
            id: "CNVD-2021-70156",
         },
         {
            date: "2021-10-04T00:00:00",
            db: "VULMON",
            id: "CVE-2021-38402",
         },
         {
            date: "2021-09-13T06:46:00",
            db: "JVNDB",
            id: "JVNDB-2021-002380",
         },
         {
            date: "2021-04-14T00:00:00",
            db: "CNNVD",
            id: "CNNVD-202104-975",
         },
         {
            date: "2021-10-08T00:00:00",
            db: "CNNVD",
            id: "CNNVD-202109-529",
         },
         {
            date: "2021-10-04T18:11:55.577000",
            db: "NVD",
            id: "CVE-2021-38402",
         },
      ],
   },
   threat_type: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: "local",
      sources: [
         {
            db: "CNNVD",
            id: "CNNVD-202109-529",
         },
      ],
      trust: 0.6,
   },
   title: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/title#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: "Delta Electronics  Made  DOPSoft 2  Multiple vulnerabilities in",
      sources: [
         {
            db: "JVNDB",
            id: "JVNDB-2021-002380",
         },
      ],
      trust: 0.8,
   },
   type: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/type#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: "other",
      sources: [
         {
            db: "CNNVD",
            id: "CNNVD-202104-975",
         },
         {
            db: "CNNVD",
            id: "CNNVD-202109-529",
         },
      ],
      trust: 1.2,
   },
}

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

cve-2021-38402

Vulnerability from cvelistv5

fkie_cve-2021-38402

Vulnerability from fkie_nvd

ICSA-21-252-02

Vulnerability from csaf_cisa

icsa-21-252-02

Vulnerability from csaf_cisa

gsd-2021-38402

Vulnerability from gsd

ghsa-pmhq-p9q2-mpcv

Vulnerability from github

var-202109-1253

Vulnerability from variot

Tags

Sightings

Nomenclature