CVE-2021-22859

The users’ data querying function of EIC e-document system does not filter the special characters which resulted in remote attackers can inject SQL syntax and execute arbitrary commands without privilege.

CVSS v3 9.8 CRITICAL
CVSS v2.0 7.5 HIGH

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

7.5^/10

CVSS v2.0 : HIGH

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 10.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://gist.github.com/tonykuo76/807c838b75879b0d327782dfcd2c3bea	Third Party Advisory
https://www.chtsecurity.com/news/c974fd28-c19b-4003-82f3-818904057496	Third Party Advisory
https://www.twcert.org.tw/tw/cp-132-4517-51e25-1.html	Third Party Advisory
https://gist.github.com/tonykuo76/807c838b75879b0d327782dfcd2c3bea	Third Party Advisory
https://www.chtsecurity.com/news/c974fd28-c19b-4003-82f3-818904057496	Third Party Advisory
https://www.twcert.org.tw/tw/cp-132-4517-51e25-1.html	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:eic:e-document_system:3.0.2:*:*:*:*:*:*:*

History

21 Nov 2024, 05:50

Type	Values Removed	Values Added
References	~~() https://gist.github.com/tonykuo76/807c838b75879b0d327782dfcd2c3bea - Third Party Advisory~~	() https://gist.github.com/tonykuo76/807c838b75879b0d327782dfcd2c3bea - Third Party Advisory
References	~~() https://www.chtsecurity.com/news/c974fd28-c19b-4003-82f3-818904057496 - Third Party Advisory~~	() https://www.chtsecurity.com/news/c974fd28-c19b-4003-82f3-818904057496 - Third Party Advisory
References	~~() https://www.twcert.org.tw/tw/cp-132-4517-51e25-1.html - Third Party Advisory~~	() https://www.twcert.org.tw/tw/cp-132-4517-51e25-1.html - Third Party Advisory

Information

Published : 2021-03-17 09:15

Updated : 2024-11-21 05:50

NVD link : CVE-2021-22859

Mitre link : CVE-2021-22859

CVE.ORG link : CVE-2021-22859

JSON object : View

Products Affected

eic

e-document_system

CWE

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

{"id": "CVE-2021-22859", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 7.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Secondary", "source": "twcert@cert.org.tw", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2021-03-17T09:15:12.093", "references": [{"url": "https://gist.github.com/tonykuo76/807c838b75879b0d327782dfcd2c3bea", "tags": ["Third Party Advisory"], "source": "twcert@cert.org.tw"}, {"url": "https://www.chtsecurity.com/news/c974fd28-c19b-4003-82f3-818904057496", "tags": ["Third Party Advisory"], "source": "twcert@cert.org.tw"}, {"url": "https://www.twcert.org.tw/tw/cp-132-4517-51e25-1.html", "tags": ["Third Party Advisory"], "source": "twcert@cert.org.tw"}, {"url": "https://gist.github.com/tonykuo76/807c838b75879b0d327782dfcd2c3bea", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.chtsecurity.com/news/c974fd28-c19b-4003-82f3-818904057496", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.twcert.org.tw/tw/cp-132-4517-51e25-1.html", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "twcert@cert.org.tw", "description": [{"lang": "en", "value": "CWE-89"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-89"}]}], "descriptions": [{"lang": "en", "value": "The users\u2019 data querying function of EIC e-document system does not filter the special characters which resulted in remote attackers can inject SQL syntax and execute arbitrary commands without privilege."}, {"lang": "es", "value": "La funci\u00f3n users\u2019 data querying del sistema de e-document de EIC, no filtra los caracteres especiales que dieron como resultado que los atacantes remotos puedan inyectar sintaxis SQL y ejecutar comandos arbitrarios sin privilegios"}], "lastModified": "2024-11-21T05:50:46.873", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:eic:e-document_system:3.0.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "36D6184C-8C14-4FC0-8995-8E23CA91A53A"}], "operator": "OR"}]}], "sourceIdentifier": "twcert@cert.org.tw"}