CVE-2021-23279
published 2021-04-13CVE-2021-23279: Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to unauthenticated arbitrary file delete vulnerability induced due to improper input…
PriorityP274critical10CVSS 3.1
AVNACLPRNUINSCCNIHAH
EPSS
27.09%
97.8th percentile
Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to unauthenticated arbitrary file delete vulnerability induced due to improper input validation in meta_driver_srv.js class with saveDriverData action using invalidated driverID. An attacker can send specially crafted packets to delete the files on the system where IPM software is installed.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| eaton | intelligent_power_manager | < 1.69 | 1.69 |
| eaton | intelligent_power_manager | >= unspecified < 1.69 | 1.69 |
| eaton | intelligent_power_manager_virtual_appliance | < 1.69 | 1.69 |
| eaton | intelligent_power_protector | < 1.68 | 1.68 |
CVSS provenance
nvdv3.110.0CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H
nvdv2.06.4MEDIUMAV:N/AC:L/Au:N/C:N/I:P/A:P
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-h7cg-8375-67fx: Eaton Intelligent Power Manager (IPM) prior to 1
ghsa_unreviewed·2022-05-24
CVE-2021-23279 [CRITICAL] CWE-20 GHSA-h7cg-8375-67fx: Eaton Intelligent Power Manager (IPM) prior to 1
Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to unauthenticated arbitrary file delete vulnerability induced due to improper input validation in meta_driver_srv.js class with saveDriverData action using invalidated driverID. An attacker can send specially crafted packets to delete the files on the system where IPM software is installed.
CISA ICS
Eaton Intelligent Power Manager
cisa_ics·2021-04-20·CVSS 7.1
[HIGH] Eaton Intelligent Power Manager
## Archived Content In an effort to keep CISA.gov current, the archive contains outdated information that may not reflect current policy or programs.
ICS Advisory
##
Eaton Intelligent Power Manager
Last RevisedApril 20, 2021
Alert CodeICSA-21-110-06
## 1. EXECUTIVE SUMMARY
- CVSS v3 8.7
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Eaton
- Equipment: Intelligent Power Manager (IPM)
- Vulnerabilities: SQL Injection, Eval Injection, Improper Input Validation, Unrestricted Upload of File with Dangerous Type, Code Injection
## 2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow attackers to change certain settings, upload code, delete files, or execute commands.
## 3. TECHNICAL DETAILS
## 3
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-intelligent-power-manager-ipm-vulnerability-advisory.pdfhttps://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-intelligent-power-manager-ipm-vulnerability-advisory.pdf
2021-04-13
Published