CVE-2021-41543

A vulnerability has been identified in Climatix POL909 (AWB module) (All versions < V11.44), Climatix POL909 (AWM module) (All versions < V11.36). The handling of log files in the web application of affected devices contains an information disclosure vulnerability which could allow logged in users to access sensitive files.

CVSS v3 6.5 MEDIUM
CVSS v2.0 4.0 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

4.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:S/C:P/I:N/A:N

Exploitability : 8.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://cert-portal.siemens.com/productcert/pdf/ssa-252466.pdf	Patch Vendor Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-252466.pdf	Patch Vendor Advisory

Configurations

Configuration 1 (hide)

AND

OR	cpe:2.3:o:siemens:climatix_pol909_firmware:::::advanced_web_module:::*
	cpe:2.3:o:siemens:climatix_pol909_firmware:::::advanced_web_and_bacnet_module:::*

cpe:2.3:h:siemens:climatix_pol909:-:*:*:*:*:*:*:*

History

21 Nov 2024, 06:26

Type	Values Removed	Values Added
References	~~() https://cert-portal.siemens.com/productcert/pdf/ssa-252466.pdf - Patch, Vendor Advisory~~	() https://cert-portal.siemens.com/productcert/pdf/ssa-252466.pdf - Patch, Vendor Advisory

Information

Published : 2022-03-08 12:15

Updated : 2024-11-21 06:26

NVD link : CVE-2021-41543

Mitre link : CVE-2021-41543

CVE.ORG link : CVE-2021-41543

JSON object : View

Products Affected

siemens

climatix_pol909_firmware
climatix_pol909

CWE

CWE-284

Improper Access Control

CWE-532

Insertion of Sensitive Information into Log File

{"id": "CVE-2021-41543", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "authentication": "SINGLE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2022-03-08T12:15:10.763", "references": [{"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-252466.pdf", "tags": ["Patch", "Vendor Advisory"], "source": "productcert@siemens.com"}, {"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-252466.pdf", "tags": ["Patch", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "productcert@siemens.com", "description": [{"lang": "en", "value": "CWE-284"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-532"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability has been identified in Climatix POL909 (AWB module) (All versions < V11.44), Climatix POL909 (AWM module) (All versions < V11.36). The handling of log files in the web application of affected devices contains an information disclosure vulnerability which could allow logged in users to access sensitive files."}, {"lang": "es", "value": "Se ha identificado una vulnerabilidad en Climatix POL909 (m\u00f3dulo AWB) (Todas las versiones anteriores a V11.44), Climatix POL909 (m\u00f3dulo AWM) (Todas las versiones anteriores a V11.36). El manejo de los archivos de registro en la aplicaci\u00f3n web de los dispositivos afectados contiene una vulnerabilidad de divulgaci\u00f3n de informaci\u00f3n que podr\u00eda permitir a usuarios registrados acceder a archivos confidenciales"}], "lastModified": "2024-11-21T06:26:23.123", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:siemens:climatix_pol909_firmware:*:*:*:*:advanced_web_module:*:*:*", "vulnerable": true, "matchCriteriaId": "8726D1E7-A120-4A48-958D-1767465AB1BA", "versionEndExcluding": "11.36"}, {"criteria": "cpe:2.3:o:siemens:climatix_pol909_firmware:*:*:*:*:advanced_web_and_bacnet_module:*:*:*", "vulnerable": true, "matchCriteriaId": "820A1DB6-C7BC-45BB-B843-1B6F1D803BDA", "versionEndExcluding": "11.44"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:siemens:climatix_pol909:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "256380A1-0197-4FED-AF9B-E05D59C7D1F1"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "productcert@siemens.com"}