← Back

CVE-2021-31891

nvd nist
Published: Sep 14, 2021Modified: Nov 21, 2024

JSON object

Loading...
10.0
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Exploitability: 3.9 / Impact: 6.0
Source: NVD

Description

A vulnerability has been identified in Desigo CC (All versions with OIS Extension Module), GMA-Manager (All versions with OIS running on Debian 9 or earlier), Operation Scheduler (All versions with OIS running on Debian 9 or earlier), Siveillance Control (All versions with OIS running on Debian 9 or earlier), Siveillance Control Pro (All versions). The affected application incorrectly neutralizes special elements in a specific HTTP GET request which could lead to command injection. An unauthenticated remote attacker could exploit this vulnerability to execute arbitrary code on the system with root privileges.

Affected (5)

Siemens
5 products
Desigo Cc
Siveillance Control Pro
Gma Manager
Operation Scheduler
Siveillance Control
Configuration A
2 vulnerable
Vulnerable SoftwareAffected Versions
Desigo Cc
All versions
Siveillance Control Pro
All versions
Configuration B
3 vulnerable · 1 platform
Vulnerable SoftwareAffected Versions
Gma Manager
All versions
Operation Scheduler
All versions
Siveillance Control
All versions
Running on/withPlatform Versions
Debian
Debian Linux
Up to 9.0

Related CWEs

CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

References (2)

Source: productcert@siemens.com
PatchVendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
PatchVendor Advisory

Timeline

No history available yet.