CVE-2021-23276

Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to authenticated SQL injection. A malicious user can send a specially crafted packet to exploit the vulnerability. Successful exploitation of this vulnerability can allow attackers to add users in the data base.

CVSS v3 7.1 HIGH
CVSS v2.0 6.5 MEDIUM

7.1^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.2 / Impact : 5.9

Attack Vector ADJACENT_NETWORK

Attack Complexity HIGH

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

6.5^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:S/C:P/I:P/A:P

Exploitability : 8.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-intelligent-power-manager-ipm-vulnerability-advisory.pdf	Vendor Advisory
https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-intelligent-power-manager-ipm-vulnerability-advisory.pdf	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:eaton:intelligent_power_manager::::::::
	cpe:2.3:a:eaton:intelligent_power_manager_virtual_appliance::::::::
	cpe:2.3:a:eaton:intelligent_power_protector::::::::

History

21 Nov 2024, 05:51

Type	Values Removed	Values Added
References	~~() https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-intelligent-power-manager-ipm-vulnerability-advisory.pdf - Vendor Advisory~~	() https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-intelligent-power-manager-ipm-vulnerability-advisory.pdf - Vendor Advisory
CVSS	v2 : ~~6.5~~ v3 : ~~8.8~~	v2 : 6.5 v3 : 7.1

Information

Published : 2021-04-13 19:15

Updated : 2024-11-21 05:51

NVD link : CVE-2021-23276

Mitre link : CVE-2021-23276

CVE.ORG link : CVE-2021-23276

JSON object : View

Products Affected

eaton

intelligent_power_protector
intelligent_power_manager
intelligent_power_manager_virtual_appliance

CWE

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

{"id": "CVE-2021-23276", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Secondary", "source": "CybersecurityCOE@eaton.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.2}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2021-04-13T19:15:14.600", "references": [{"url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-intelligent-power-manager-ipm-vulnerability-advisory.pdf", "tags": ["Vendor Advisory"], "source": "CybersecurityCOE@eaton.com"}, {"url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-intelligent-power-manager-ipm-vulnerability-advisory.pdf", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "CybersecurityCOE@eaton.com", "description": [{"lang": "en", "value": "CWE-89"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-89"}]}], "descriptions": [{"lang": "en", "value": "Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to authenticated SQL injection. A malicious user can send a specially crafted packet to exploit the vulnerability. Successful exploitation of this vulnerability can allow attackers to add users in the data base."}, {"lang": "es", "value": "Eaton Intelligent Power Manager (IPM) versiones anteriores a 1.69, es vulnerable a una inyecci\u00f3n de SQL autenticado. Un usuario malicioso puede enviar un paquete especialmente dise\u00f1ado para explotar la vulnerabilidad. Una explotaci\u00f3n con \u00e9xito de esta vulnerabilidad puede permitir a atacantes agregar usuarios a la base de datos"}], "lastModified": "2024-11-21T05:51:29.067", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:eaton:intelligent_power_manager:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5E2C63CA-B479-49C4-8C98-F5AE9BF06A2F", "versionEndExcluding": "1.69"}, {"criteria": "cpe:2.3:a:eaton:intelligent_power_manager_virtual_appliance:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "10CFCD42-A9D6-468B-9287-03B4341B129A", "versionEndExcluding": "1.69"}, {"criteria": "cpe:2.3:a:eaton:intelligent_power_protector:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4A67B7A8-E508-4854-9437-BF702692948C", "versionEndExcluding": "1.68"}], "operator": "OR"}]}], "sourceIdentifier": "CybersecurityCOE@eaton.com"}