var-202110-1356
Vulnerability from variot
WebAccess/NMS (Versions prior to v3.0.3_Build6299) has an improper authentication vulnerability, which may allow unauthorized users to view resources monitored and controlled by the WebAccess/NMS, as well as IP addresses and names of all the devices managed via WebAccess/NMS. WebAccess/NMS Is Advantech Network management software provided by the company. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Advantech WebAccess/NMS. Authentication is not required to exploit this vulnerability.The specific flaw exists within the processing of the DashBoardAction endpoint of the web server. The issue results from the lack of authentication prior to allowing access to functionality. An attacker can leverage this vulnerability to disclose information from the application
Show details on source website{
"affected_products": {
"_id": null,
"data": [
{
"_id": null,
"model": "webaccess\\/nms",
"scope": "lte",
"trust": 1.0,
"vendor": "advantech",
"version": "3.0.3"
},
{
"_id": null,
"model": "webaccess/nms",
"scope": "eq",
"trust": 0.8,
"vendor": "\u30a2\u30c9\u30d0\u30f3\u30c6\u30c3\u30af\u682a\u5f0f\u4f1a\u793e",
"version": null
},
{
"_id": null,
"model": "webaccess/nms",
"scope": "lt",
"trust": 0.8,
"vendor": "\u30a2\u30c9\u30d0\u30f3\u30c6\u30c3\u30af\u682a\u5f0f\u4f1a\u793e",
"version": "v3.0.3_build6299 earlier s"
},
{
"_id": null,
"model": "webaccess/nms",
"scope": null,
"trust": 0.7,
"vendor": "advantech",
"version": null
}
],
"sources": [
{
"db": "ZDI",
"id": "ZDI-21-876"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-002280"
},
{
"db": "NVD",
"id": "CVE-2021-32951"
}
]
},
"credits": {
"_id": null,
"data": "Selim Enes Karaduman (@Enesdex)",
"sources": [
{
"db": "ZDI",
"id": "ZDI-21-876"
}
],
"trust": 0.7
},
"cve": "CVE-2021-32951",
"cvss": {
"_id": null,
"data": [
{
"cvssV2": [
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "nvd@nist.gov",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"id": "CVE-2021-32951",
"impactScore": 2.9,
"integrityImpact": "NONE",
"severity": "MEDIUM",
"trust": 1.0,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"id": "VHN-392937",
"impactScore": 2.9,
"integrityImpact": "NONE",
"severity": "MEDIUM",
"trust": 0.1,
"vectorString": "AV:N/AC:L/AU:N/C:P/I:N/A:N",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "nvd@nist.gov",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"exploitabilityScore": 3.9,
"id": "CVE-2021-32951",
"impactScore": 1.4,
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 2.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
{
"attackComplexity": "Low",
"attackVector": "Network",
"author": "OTHER",
"availabilityImpact": "None",
"baseScore": 5.3,
"baseSeverity": "Medium",
"confidentialityImpact": "Low",
"exploitabilityScore": null,
"id": "JVNDB-2021-002280",
"impactScore": null,
"integrityImpact": "None",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
},
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "ZDI",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"exploitabilityScore": 3.9,
"id": "CVE-2021-32951",
"impactScore": 1.4,
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 0.7,
"userInteraction": "NONE",
"vectorString": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
}
],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2021-32951",
"trust": 1.0,
"value": "MEDIUM"
},
{
"author": "ics-cert@hq.dhs.gov",
"id": "CVE-2021-32951",
"trust": 1.0,
"value": "MEDIUM"
},
{
"author": "OTHER",
"id": "JVNDB-2021-002280",
"trust": 0.8,
"value": "Medium"
},
{
"author": "ZDI",
"id": "CVE-2021-32951",
"trust": 0.7,
"value": "MEDIUM"
},
{
"author": "CNNVD",
"id": "CNNVD-202108-1568",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "VULHUB",
"id": "VHN-392937",
"trust": 0.1,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "ZDI",
"id": "ZDI-21-876"
},
{
"db": "VULHUB",
"id": "VHN-392937"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-002280"
},
{
"db": "CNNVD",
"id": "CNNVD-202108-1568"
},
{
"db": "NVD",
"id": "CVE-2021-32951"
},
{
"db": "NVD",
"id": "CVE-2021-32951"
}
]
},
"description": {
"_id": null,
"data": "WebAccess/NMS (Versions prior to v3.0.3_Build6299) has an improper authentication vulnerability, which may allow unauthorized users to view resources monitored and controlled by the WebAccess/NMS, as well as IP addresses and names of all the devices managed via WebAccess/NMS. WebAccess/NMS Is Advantech Network management software provided by the company. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Advantech WebAccess/NMS. Authentication is not required to exploit this vulnerability.The specific flaw exists within the processing of the DashBoardAction endpoint of the web server. The issue results from the lack of authentication prior to allowing access to functionality. An attacker can leverage this vulnerability to disclose information from the application",
"sources": [
{
"db": "NVD",
"id": "CVE-2021-32951"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-002280"
},
{
"db": "ZDI",
"id": "ZDI-21-876"
},
{
"db": "VULHUB",
"id": "VHN-392937"
}
],
"trust": 2.34
},
"external_ids": {
"_id": null,
"data": [
{
"db": "NVD",
"id": "CVE-2021-32951",
"trust": 3.2
},
{
"db": "ICS CERT",
"id": "ICSA-21-229-02",
"trust": 2.5
},
{
"db": "ZDI",
"id": "ZDI-21-876",
"trust": 1.5
},
{
"db": "JVN",
"id": "JVNVU97362937",
"trust": 0.8
},
{
"db": "JVNDB",
"id": "JVNDB-2021-002280",
"trust": 0.8
},
{
"db": "ZDI_CAN",
"id": "ZDI-CAN-11883",
"trust": 0.7
},
{
"db": "AUSCERT",
"id": "ESB-2021.2801",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-202108-1568",
"trust": 0.6
},
{
"db": "VULHUB",
"id": "VHN-392937",
"trust": 0.1
}
],
"sources": [
{
"db": "ZDI",
"id": "ZDI-21-876"
},
{
"db": "VULHUB",
"id": "VHN-392937"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-002280"
},
{
"db": "CNNVD",
"id": "CNNVD-202108-1568"
},
{
"db": "NVD",
"id": "CVE-2021-32951"
}
]
},
"id": "VAR-202110-1356",
"iot": {
"_id": null,
"data": true,
"sources": [
{
"db": "VULHUB",
"id": "VHN-392937"
}
],
"trust": 0.636888
},
"last_update_date": "2024-08-14T14:03:01.876000Z",
"patch": {
"_id": null,
"data": [
{
"title": "WebAccess/NMS\u00a0installation\u00a0file",
"trust": 0.8,
"url": "https://www.advantech.com/support/details/software-utility?id=1-12F529H"
},
{
"title": "This vulnerability is being disclosed publicly without a patch in accordance with the ZDI 120 day deadline.03/03/21 \u2013 ZDI reported the vulnerability to ICS-CERT03/03/21 \u2013 ICS-CERT acknowledged the report07/05/21 \u2013 ZDI requested an update 07/08/21 \u2013 ZDI requested an update07/09/21 \u2013 ZDI notified ICS-CERT of the intention to publish the case as a 0-day advisory on 07/19/2108/17/21 - ICS-CERT published an advisory Mitigation:Given the nature of the vulnerability the only salient mitigation strategy is to restrict interaction with the application.",
"trust": 0.7,
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-229-02--"
},
{
"title": "Advantech WebAccess/NMS Remediation measures for authorization problem vulnerabilities",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=167573"
}
],
"sources": [
{
"db": "ZDI",
"id": "ZDI-21-876"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-002280"
},
{
"db": "CNNVD",
"id": "CNNVD-202108-1568"
}
]
},
"problemtype_data": {
"_id": null,
"data": [
{
"problemtype": "CWE-287",
"trust": 1.1
},
{
"problemtype": "Improper authentication (CWE-287) [ Other ]",
"trust": 0.8
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-392937"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-002280"
},
{
"db": "NVD",
"id": "CVE-2021-32951"
}
]
},
"references": {
"_id": null,
"data": [
{
"trust": 3.1,
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-229-02"
},
{
"trust": 0.8,
"url": "https://jvn.jp/vu/jvnvu97362937/"
},
{
"trust": 0.8,
"url": "https://www.zerodayinitiative.com/advisories/zdi-21-876/"
},
{
"trust": 0.7,
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-229-02--"
},
{
"trust": 0.6,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-32951"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2021.2801"
}
],
"sources": [
{
"db": "ZDI",
"id": "ZDI-21-876"
},
{
"db": "VULHUB",
"id": "VHN-392937"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-002280"
},
{
"db": "CNNVD",
"id": "CNNVD-202108-1568"
},
{
"db": "NVD",
"id": "CVE-2021-32951"
}
]
},
"sources": {
"_id": null,
"data": [
{
"db": "ZDI",
"id": "ZDI-21-876",
"ident": null
},
{
"db": "VULHUB",
"id": "VHN-392937",
"ident": null
},
{
"db": "JVNDB",
"id": "JVNDB-2021-002280",
"ident": null
},
{
"db": "CNNVD",
"id": "CNNVD-202108-1568",
"ident": null
},
{
"db": "NVD",
"id": "CVE-2021-32951",
"ident": null
}
]
},
"sources_release_date": {
"_id": null,
"data": [
{
"date": "2021-07-19T00:00:00",
"db": "ZDI",
"id": "ZDI-21-876",
"ident": null
},
{
"date": "2021-10-27T00:00:00",
"db": "VULHUB",
"id": "VHN-392937",
"ident": null
},
{
"date": "2021-08-19T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2021-002280",
"ident": null
},
{
"date": "2021-08-17T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202108-1568",
"ident": null
},
{
"date": "2021-10-27T01:15:07.333000",
"db": "NVD",
"id": "CVE-2021-32951",
"ident": null
}
]
},
"sources_update_date": {
"_id": null,
"data": [
{
"date": "2021-08-25T00:00:00",
"db": "ZDI",
"id": "ZDI-21-876",
"ident": null
},
{
"date": "2021-10-29T00:00:00",
"db": "VULHUB",
"id": "VHN-392937",
"ident": null
},
{
"date": "2021-08-19T04:50:00",
"db": "JVNDB",
"id": "JVNDB-2021-002280",
"ident": null
},
{
"date": "2021-11-02T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202108-1568",
"ident": null
},
{
"date": "2021-10-29T01:16:40.303000",
"db": "NVD",
"id": "CVE-2021-32951",
"ident": null
}
]
},
"threat_type": {
"_id": null,
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202108-1568"
}
],
"trust": 0.6
},
"title": {
"_id": null,
"data": "Advantech\u00a0 Made \u00a0WebAccess/NMS\u00a0 Authentication deficiency vulnerability in",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2021-002280"
}
],
"trust": 0.8
},
"type": {
"_id": null,
"data": "authorization issue",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202108-1568"
}
],
"trust": 0.6
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.