CVE-2021-40354 — Privilege Defined With Unsafe Actions in Siemens Teamcenter Visualization

CWE-267 — Privilege Defined With Unsafe Actions CWE-269 — Improper Privilege Management3 documents3 sources

Severity

7.1HIGHNVD

EPSS

0.2%

top 56.70%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Siemens Teamcenter Visualization Siemens Teamcenter V12.4 Siemens Teamcenter V13.0 +2 more

Timeline

PublishedSep 14

Latest updateMay 24

Description

A vulnerability has been identified in Teamcenter V12.4 (All versions < V12.4.0.8), Teamcenter V13.0 (All versions < V13.0.0.7), Teamcenter V13.1 (All versions < V13.1.0.5), Teamcenter V13.2 (All versions < 13.2.0.2). The "surrogate" functionality on the user profile of the application does not perform sufficient access control that could lead to an account takeover. Any profile on the application can perform this attack and access any other user assigned tasks via the "inbox/surrogate tasks".

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:NExploitability: 2.8 | Impact: 4.2

Affected Packages5 packages

▶NVDsiemens/teamcenter_visualization12.4.0 — 12.4.0.8+3

▶CVEListV5siemens/teamcenter_v12.4All versions < V12.4.0.8

▶CVEListV5siemens/teamcenter_v13.0All versions < V13.0.0.7

▶CVEListV5siemens/teamcenter_v13.1All versions < V13.1.0.5

▶CVEListV5siemens/teamcenter_v13.2All versions < 13.2.0.2

Patches

Patch: cert-portal.siemens.com ↗Patch: cert-portal.siemens.com ↗

🔴Vulnerability Details

GHSA

GHSA-xcq8-3527-6285: A vulnerability has been identified in Teamcenter V12↗2022-05-24

▶

CVEList

CVE-2021-40354: A vulnerability has been identified in Teamcenter V12↗2021-09-14

▶