mirror of
https://github.com/CVEProject/cvelist.git
synced 2025-07-29 05:56:59 +00:00
116 lines
4.2 KiB
JSON
116 lines
4.2 KiB
JSON
{
|
|
"CVE_data_meta": {
|
|
"ASSIGNER": "ics-cert@hq.dhs.gov",
|
|
"DATE_PUBLIC": "2021-10-05T19:14:00.000Z",
|
|
"ID": "CVE-2021-38395",
|
|
"STATE": "PUBLIC",
|
|
"TITLE": "Honeywell Experion PKS and ACE Controllers Injection"
|
|
},
|
|
"affects": {
|
|
"vendor": {
|
|
"vendor_data": [
|
|
{
|
|
"product": {
|
|
"product_data": [
|
|
{
|
|
"product_name": "Experion PKS",
|
|
"version": {
|
|
"version_data": [
|
|
{
|
|
"version_affected": "=",
|
|
"version_value": "C200"
|
|
},
|
|
{
|
|
"version_affected": "=",
|
|
"version_value": "C200E"
|
|
},
|
|
{
|
|
"version_affected": "=",
|
|
"version_value": "C300"
|
|
},
|
|
{
|
|
"version_affected": "=",
|
|
"version_value": "ACE controllers"
|
|
}
|
|
]
|
|
}
|
|
}
|
|
]
|
|
},
|
|
"vendor_name": "Honeywell"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"credit": [
|
|
{
|
|
"lang": "eng",
|
|
"value": "Rei Henigman and Nadav Erez of Claroty reported these vulnerabilities to CISA."
|
|
}
|
|
],
|
|
"data_format": "MITRE",
|
|
"data_type": "CVE",
|
|
"data_version": "4.0",
|
|
"description": {
|
|
"description_data": [
|
|
{
|
|
"lang": "eng",
|
|
"value": "Honeywell Experion PKS C200, C200E, C300, and ACE controllers are vulnerable to improper neutralization of special elements in output, which may allow an attacker to remotely execute arbitrary code and cause a denial-of-service condition."
|
|
}
|
|
]
|
|
},
|
|
"generator": {
|
|
"engine": "Vulnogram 0.0.9"
|
|
},
|
|
"impact": {
|
|
"cvss": {
|
|
"attackComplexity": "LOW",
|
|
"attackVector": "NETWORK",
|
|
"availabilityImpact": "HIGH",
|
|
"baseScore": 9.1,
|
|
"baseSeverity": "CRITICAL",
|
|
"confidentialityImpact": "NONE",
|
|
"integrityImpact": "HIGH",
|
|
"privilegesRequired": "NONE",
|
|
"scope": "UNCHANGED",
|
|
"userInteraction": "NONE",
|
|
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
|
|
"version": "3.1"
|
|
}
|
|
},
|
|
"problemtype": {
|
|
"problemtype_data": [
|
|
{
|
|
"description": [
|
|
{
|
|
"lang": "eng",
|
|
"value": "CWE-74: Injection"
|
|
}
|
|
]
|
|
}
|
|
]
|
|
},
|
|
"references": {
|
|
"reference_data": [
|
|
{
|
|
"name": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-278-04",
|
|
"refsource": "CONFIRM",
|
|
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-278-04"
|
|
},
|
|
{
|
|
"name": "https://www.honeywellprocess.com/library/support/notifications/Customer/SN2021-02-22-01-Experion-C300-CCL.pdf",
|
|
"refsource": "CONFIRM",
|
|
"url": "https://www.honeywellprocess.com/library/support/notifications/Customer/SN2021-02-22-01-Experion-C300-CCL.pdf"
|
|
}
|
|
]
|
|
},
|
|
"source": {
|
|
"discovery": "EXTERNAL"
|
|
},
|
|
"work_around": [
|
|
{
|
|
"lang": "eng",
|
|
"value": "Honeywell recommends users follow all guidance in the Experion Network and Security Planning Guide to prevent attacks by malicious actors.\n\nAdditional information can be found in Honeywell Support document SN2021-02-22-01."
|
|
}
|
|
]
|
|
} |