CVE-2021-31891

CWE-78 — OS Command Injection3 documents3 sources

Severity

10.0CRITICAL

EPSS

4.6%

top 10.79%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Siemens Desigo CC Siemens Gma-manager Siemens Operation Scheduler +2 more

Timeline

PublishedSep 14

Latest updateMay 24

Description

A vulnerability has been identified in Desigo CC (All versions with OIS Extension Module), GMA-Manager (All versions with OIS running on Debian 9 or earlier), Operation Scheduler (All versions with OIS running on Debian 9 or earlier), Siveillance Control (All versions with OIS running on Debian 9 or earlier), Siveillance Control Pro (All versions). The affected application incorrectly neutralizes special elements in a specific HTTP GET request which could lead to command injection. An unauthenti…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HExploitability: 3.9 | Impact: 6.0

Affected Packages5 packages

▶CVEListV5siemens/siveillance_controlAll versions with OIS running on Debian 9 or earlier

▶CVEListV5siemens/siveillance_control_proAll versions

▶CVEListV5siemens/operation_schedulerAll versions with OIS running on Debian 9 or earlier

▶CVEListV5siemens/desigo_ccAll versions with OIS Extension Module

▶CVEListV5siemens/gma-managerAll versions with OIS running on Debian 9 or earlier

Patches

Patch: cert-portal.siemens.com ↗Patch: cert-portal.siemens.com ↗

🔴Vulnerability Details

GHSA

GHSA-ch26-285q-m7w2: A vulnerability has been identified in Desigo CC (All versions with OIS Extension Module), GMA-Manager (All versions with OIS running on Debian 9 or e↗2022-05-24

▶

CVEList

CVE-2021-31891: A vulnerability has been identified in Desigo CC (All versions with OIS Extension Module), GMA-Manager (All versions with OIS running on Debian 9 or e↗2021-09-14

▶