CVE-2021-40336

A vulnerability exists in the http web interface where the web interface does not validate data in an HTTP header. This causes a possible HTTP response splitting, which if exploited could lead an attacker to channel down harmful code into the user’s web browser, such as to steal the session cookies. Thus, an attacker who successfully makes an MSM user who has already established a session to MSM web interface clicks a forged link to the MSM web interface, e.g., the link is sent per E-Mail, could trick the user into downloading malicious software onto his computer. This issue affects: Hitachi Energy MSM V2.2 and prior versions.

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://search.abb.com/library/Download.aspx?DocumentID=8DBD000085&LanguageCode=en&DocumentPartId=&Action=Launch	Vendor Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:hitachienergy:modular_switchgear_monitoring_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:hitachienergy:modular_switchgear_monitoring:-:*:*:*:*:*:*:*

History

26 Jun 2023, 17:49

Type	Values Removed	Values Added
CWE	~~CWE-352~~	CWE-74

Information

Published : 2022-07-25 15:15

Updated : 2024-02-28 19:29

NVD link : CVE-2021-40336

Mitre link : CVE-2021-40336

CVE.ORG link : CVE-2021-40336

JSON object : View

Products Affected

hitachienergy

modular_switchgear_monitoring
modular_switchgear_monitoring_firmware

CWE

CWE-74

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CWE-113

Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')

{"id": "CVE-2021-40336", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "cybersecurity@hitachienergy.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.0, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 3.4, "exploitabilityScore": 1.6}]}, "published": "2022-07-25T15:15:09.247", "references": [{"url": "https://search.abb.com/library/Download.aspx?DocumentID=8DBD000085&LanguageCode=en&DocumentPartId=&Action=Launch", "tags": ["Vendor Advisory"], "source": "cybersecurity@hitachienergy.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-74"}]}, {"type": "Secondary", "source": "cybersecurity@hitachienergy.com", "description": [{"lang": "en", "value": "CWE-113"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability exists in the http web interface where the web interface does not validate data in an HTTP header. This causes a possible HTTP response splitting, which if exploited could lead an attacker to channel down harmful code into the user\u2019s web browser, such as to steal the session cookies. Thus, an attacker who successfully makes an MSM user who has already established a session to MSM web interface clicks a forged link to the MSM web interface, e.g., the link is sent per E-Mail, could trick the user into downloading malicious software onto his computer. This issue affects: Hitachi Energy MSM V2.2 and prior versions."}, {"lang": "es", "value": "Se presenta una vulnerabilidad en la interfaz web http en la que \u00e9sta no comprueba los datos de un encabezado HTTP. Esto causa una posible divisi\u00f3n de la respuesta HTTP, que si es explotada podr\u00eda conllevar a un atacante a canalizar c\u00f3digo da\u00f1ino en el navegador web del usuario, como por ejemplo robar las cookies de sesi\u00f3n. As\u00ed, un atacante que consiga que un usuario de MSM que ya ha establecido una sesi\u00f3n en la interfaz web de MSM haga clic en un enlace falsificado a la interfaz web de MSM, por ejemplo, el enlace es enviado por correo electr\u00f3nico, podr\u00eda enga\u00f1ar al usuario para que descargue software malicioso en su ordenador. Este problema afecta a: Hitachi Energy MSM versiones V2.2 y versiones anteriores"}], "lastModified": "2023-06-26T17:49:15.913", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:hitachienergy:modular_switchgear_monitoring_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "105E197F-5BCD-445C-B20B-294619685EC5", "versionEndIncluding": "2.2.0"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:hitachienergy:modular_switchgear_monitoring:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "6CBD92D1-045F-44D8-99B1-12C28B0271F9"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "cybersecurity@hitachienergy.com"}