CVE-2021-23233

Sensitive endpoints in Fresenius Kabi Agilia Link+ v3.0 and prior can be accessed without any authentication information such as the session cookie. An attacker can send requests to sensitive endpoints as an unauthenticated user to perform critical actions or modify critical configuration parameters.

CVSS v3 9.8 CRITICAL
CVSS v2.0 7.5 HIGH

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

7.5^/10

CVSS v2.0 : HIGH

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 10.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://www.cisa.gov/uscert/ics/advisories/icsma-21-355-01	Third Party Advisory US Government Resource

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:fresenius-kabi:agilia_partner_maintenance_software::::::::
	cpe:2.3:a:fresenius-kabi:vigilant_centerium:1.0:::::::*
	cpe:2.3:a:fresenius-kabi:vigilant_insight:1.0:::::::*
	cpe:2.3:a:fresenius-kabi:vigilant_mastermed:1.0:::::::*

Configuration 2 (hide)

AND

cpe:2.3:o:fresenius-kabi:agilia_connect_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:fresenius-kabi:agilia_connect:-:*:*:*:*:*:*:*

Configuration 3 (hide)

AND

OR	cpe:2.3:o:fresenius-kabi:link\+_agilia_firmware::::::::
	cpe:2.3:o:fresenius-kabi:link\+_agilia_firmware:3.0:-::::::
	cpe:2.3:o:fresenius-kabi:link\+_agilia_firmware:3.0:d15::::::

cpe:2.3:h:fresenius-kabi:link\+_agilia:-:*:*:*:*:*:*:*

History

No history.

Information

Published : 2022-01-21 19:15

Updated : 2024-02-28 18:48

NVD link : CVE-2021-23233

Mitre link : CVE-2021-23233

CVE.ORG link : CVE-2021-23233

JSON object : View

Products Affected

fresenius-kabi

agilia_connect_firmware
vigilant_mastermed
vigilant_insight
vigilant_centerium
link\+_agilia_firmware
agilia_connect
link\+_agilia
agilia_partner_maintenance_software

CWE

CWE-798

Use of Hard-coded Credentials

CWE-284

Improper Access Control

{"id": "CVE-2021-23233", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 7.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "ics-cert@hq.dhs.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 3.4, "exploitabilityScore": 3.9}]}, "published": "2022-01-21T19:15:08.123", "references": [{"url": "https://www.cisa.gov/uscert/ics/advisories/icsma-21-355-01", "tags": ["Third Party Advisory", "US Government Resource"], "source": "ics-cert@hq.dhs.gov"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-798"}]}, {"type": "Secondary", "source": "ics-cert@hq.dhs.gov", "description": [{"lang": "en", "value": "CWE-284"}]}], "descriptions": [{"lang": "en", "value": "Sensitive endpoints in Fresenius Kabi Agilia Link+ v3.0 and prior can be accessed without any authentication information such as the session cookie. An attacker can send requests to sensitive endpoints as an unauthenticated user to perform critical actions or modify critical configuration parameters."}, {"lang": "es", "value": "Puede accederse a los endpoints confidenciales de Fresenius Kabi Agilia Link+ versiones v3.0 y anteriores sin ninguna informaci\u00f3n de autenticaci\u00f3n, como la cookie de sesi\u00f3n. Un atacante puede enviar peticiones a los endpoints confidenciales como un usuario no autenticado para llevar a cabo acciones cr\u00edticas o modificar par\u00e1metros de configuraci\u00f3n cr\u00edticos"}], "lastModified": "2022-01-28T15:48:22.147", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:fresenius-kabi:agilia_partner_maintenance_software:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3B072164-6AA2-4A14-B7D7-10B4B953004D", "versionEndIncluding": "3.3.0"}, {"criteria": "cpe:2.3:a:fresenius-kabi:vigilant_centerium:1.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C47210A7-4753-4ED7-8E6B-9BE8EBFABC9F"}, {"criteria": "cpe:2.3:a:fresenius-kabi:vigilant_insight:1.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9C91B931-F726-4AB2-B3A6-D92F774CF04D"}, {"criteria": "cpe:2.3:a:fresenius-kabi:vigilant_mastermed:1.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "04AC7167-F5C8-46A2-B937-953E13D76A32"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:fresenius-kabi:agilia_connect_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8B4979F9-A7D5-4B5C-8FF2-C3C67773EE03", "versionEndIncluding": "d25"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:fresenius-kabi:agilia_connect:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "D1BBB63E-7E43-4BC1-A08F-4F1F811F839B"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:fresenius-kabi:link\\+_agilia_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "45FA28DE-939F-4146-A6E2-CE8849C9CB16", "versionEndExcluding": "3.0"}, {"criteria": "cpe:2.3:o:fresenius-kabi:link\\+_agilia_firmware:3.0:-:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7D5FC3D0-9593-487B-B70A-F8BBCA8A18FF"}, {"criteria": "cpe:2.3:o:fresenius-kabi:link\\+_agilia_firmware:3.0:d15:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "67E88F2E-C12B-4B50-B087-3247F4748AF3"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:fresenius-kabi:link\\+_agilia:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "1548AA3F-659F-43C3-9261-C7FD55465877"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "ics-cert@hq.dhs.gov"}