René Helmke 7791f18b51 bootstrap
2023-05-16 16:09:41 +02:00

{
"id": "CVE-2021-41278",
"sourceIdentifier": "security-advisories@github.com",
"published": "2021-11-19T00:15:08.017",
"lastModified": "2021-11-23T01:47:31.917",
"vulnStatus": "Analyzed",
"descriptions": [
{
"lang": "en",
"value": "Functions SDK for EdgeX is meant to provide all the plumbing necessary for developers to get started in processing/transforming/exporting data out of the EdgeX IoT platform. In affected versions broken encryption in app-functions-sdk \u201cAES\u201d transform in EdgeX Foundry releases prior to Jakarta allows attackers to decrypt messages via unspecified vectors. The app-functions-sdk exports an \u201caes\u201d transform that user scripts can optionally call to encrypt data in the processing pipeline. No decrypt function is provided. Encryption is not enabled by default, but if used, the level of protection may be less than the user may expects due to a broken implementation. Version v2.1.0 (EdgeX Foundry Jakarta release and later) of app-functions-sdk-go/v2 deprecates the \u201caes\u201d transform and provides an improved \u201caes256\u201d transform in its place. The broken implementation will remain in a deprecated state until it is removed in the next EdgeX major release to avoid breakage of existing software that depends on the broken implementation. As the broken transform is a library function that is not invoked by default, users who do not use the AES transform in their processing pipelines are unaffected. Those that are affected are urged to upgrade to the Jakarta EdgeX release and modify processing pipelines to use the new \"aes256\" transform."
},
{
"lang": "es",
"value": "El SDK de funciones para EdgeX est\u00e1 destinado a proporcionar toda la fontaner\u00eda necesaria para que los desarrolladores se inicien en el procesamiento/transformaci\u00f3n/exportaci\u00f3n de datos de la plataforma EdgeX IoT. En las versiones afectadas, un cifrado roto en la transformaci\u00f3n \"AES\" de app-functions-sdk en las versiones de EdgeX Foundry anteriores a Jakarta permite a atacantes descifrar mensajes por medio de vectores no especificados. El app-functions-sdk exporta una transformaci\u00f3n \"aes\" a la que los scripts de usuario pueden llamar opcionalmente para cifrar datos en la cadena de procesamiento. No es proporcionada ninguna funci\u00f3n de descifrado. El cifrado no est\u00e1 habilitado por defecto, pero si es usado, el nivel de protecci\u00f3n puede ser menor de lo que el usuario espera debido a una implementaci\u00f3n rota. La versi\u00f3n v2.1.0 (versi\u00f3n EdgeX Foundry Jakarta y posteriores) de app-functions-sdk-go/v2 deja de lado la transformaci\u00f3n \"aes\" y proporciona una transformaci\u00f3n \"aes256\" mejorada en su lugar. La implementaci\u00f3n rota permanecer\u00e1 en un estado obsoleto hasta que sea eliminada en la pr\u00f3xima versi\u00f3n mayor de EdgeX para evitar la ruptura del software existente que depende de la implementaci\u00f3n rota. Como la transformaci\u00f3n rota es una funci\u00f3n de biblioteca que no es invocada por defecto, los usuarios que no usan la transformaci\u00f3n AES en sus procesos no est\u00e1n afectados. Se insta a los afectados a que actualicen a la versi\u00f3n de Jakarta EdgeX y a que modifiquen las cadenas de procesamiento para usar la nueva transformaci\u00f3n \"aes256\""
}
],
"metrics": {
"cvssMetricV31": [
{
"source": "nvd@nist.gov",
"type": "Primary",
"cvssData": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "LOW",
"userInteraction": "REQUIRED",
"scope": "UNCHANGED",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.7,
"baseSeverity": "MEDIUM"
},
"exploitabilityScore": 2.1,
"impactScore": 3.6
}
],
"cvssMetricV30": [
{
"source": "security-advisories@github.com",
"type": "Secondary",
"cvssData": {
"version": "3.0",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N",
"attackVector": "NETWORK",
"attackComplexity": "HIGH",
"privilegesRequired": "LOW",
"userInteraction": "REQUIRED",
"scope": "UNCHANGED",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM"
},
"exploitabilityScore": 1.2,
"impactScore": 4.2
}
],
"cvssMetricV2": [
{
"source": "nvd@nist.gov",
"type": "Primary",
"cvssData": {
"version": "2.0",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
"accessVector": "NETWORK",
"accessComplexity": "HIGH",
"authentication": "NONE",
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"availabilityImpact": "NONE",
"baseScore": 2.6
},
"baseSeverity": "LOW",
"exploitabilityScore": 4.9,
"impactScore": 2.9,
"acInsufInfo": false,
"obtainAllPrivilege": false,
"obtainUserPrivilege": false,
"obtainOtherPrivilege": false,
"userInteractionRequired": true
}
]
},
"weaknesses": [
{
"source": "security-advisories@github.com",
"type": "Primary",
"description": [
{
"lang": "en",
"value": "CWE-327"
}
]
}
],
"configurations": [
{
"nodes": [
{
"operator": "OR",
"negate": false,
"cpeMatch": [
{
"vulnerable": true,
"criteria": "cpe:2.3:a:edgexfoundry:app_service_configurable:*:*:*:*:*:go:*:*",
"versionEndExcluding": "2.1.0",
"matchCriteriaId": "FD2737A1-BEFF-435D-A67E-332A028428D0"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:a:edgexfoundry:application_functions_software_development_kit:*:*:*:*:*:go:*:*",
"versionEndExcluding": "2.1.0",
"matchCriteriaId": "61A41CE4-667B-4542-9DCE-8AE74C833E1A"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:a:edgexfoundry:edgex_foundry:*:*:*:*:*:*:*:*",
"versionEndExcluding": "2.1.0",
"matchCriteriaId": "074E346B-F4CD-4D04-B061-8F250D349CAA"
}
]
}
]
}
],
"references": [
{
"url": "https://github.com/edgexfoundry/app-functions-sdk-go/commit/8fa13c6388ce76a6b878b54490eac61aa7d81165",
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
]
},
{
"url": "https://github.com/edgexfoundry/app-functions-sdk-go/security/advisories/GHSA-6c7m-qwxj-mvhp",
"source": "security-advisories@github.com",
"tags": [
"Third Party Advisory"
]
}
]
}