CVE-2021-38422 - OpenCVE

Delta Electronics DIALink versions 1.2.4.0 and prior stores sensitive information in cleartext, which may allow an attacker to have extensive access to the application directory and escalate privileges.

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:L/AC:L/Au:N/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Deltaww	Dialink

Configuration 1 [-]

cpe:2.3:a:deltaww:dialink:*:*:*:*:*:*:*:*

References

Link	Resource
https://us-cert.cisa.gov/ics/advisories/icsa-21-294-02	Third Party Advisory US Government Resource

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: icscert

Published: 2021-10-21T00:00:00

Updated: 2021-11-03T19:05:10

Reserved: 2021-08-10T00:00:00

Link: CVE-2021-38422

JSON object: View

NVD Information

Status : Analyzed

Published: 2021-11-03T20:15:08.773

Modified: 2021-11-05T15:09:39.340

Link: CVE-2021-38422

JSON object: View

Redhat Information

No data.

CWE

CWE-312

{"containers": {"cna": {"affected": [{"product": "DIALink", "vendor": "Delta Electronics", "versions": [{"lessThanOrEqual": "1.2.4.0", "status": "affected", "version": "All", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Michael Heinzl reported these vulnerabilities to CISA."}], "datePublic": "2021-10-21T00:00:00", "descriptions": [{"lang": "en", "value": "Delta Electronics DIALink versions 1.2.4.0 and prior stores sensitive information in cleartext, which may allow an attacker to have extensive access to the application directory and escalate privileges."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-312", "description": "CWE-312 Cleartext Storage of Sensitive Information", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-11-03T19:05:10", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-294-02"}], "source": {"advisory": "ICSA-21-294-02", "discovery": "UNKNOWN"}, "title": "Delta Electronics DIALink", "workarounds": [{"lang": "en", "value": "Delta Electronics is aware of the vulnerabilities and is currently working on an update. "}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "ics-cert@hq.dhs.gov", "DATE_PUBLIC": "2021-10-21T18:29:00.000Z", "ID": "CVE-2021-38422", "STATE": "PUBLIC", "TITLE": "Delta Electronics DIALink"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "DIALink", "version": {"version_data": [{"version_affected": "<=", "version_name": "All", "version_value": "1.2.4.0"}]}}]}, "vendor_name": "Delta Electronics"}]}}, "credit": [{"lang": "eng", "value": "Michael Heinzl reported these vulnerabilities to CISA."}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Delta Electronics DIALink versions 1.2.4.0 and prior stores sensitive information in cleartext, which may allow an attacker to have extensive access to the application directory and escalate privileges."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-312 Cleartext Storage of Sensitive Information"}]}]}, "references": {"reference_data": [{"name": "https://us-cert.cisa.gov/ics/advisories/icsa-21-294-02", "refsource": "MISC", "url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-294-02"}]}, "source": {"advisory": "ICSA-21-294-02", "discovery": "UNKNOWN"}, "work_around": [{"lang": "en", "value": "Delta Electronics is aware of the vulnerabilities and is currently working on an update. "}]}}}, "cveMetadata": {"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2021-38422", "datePublished": "2021-10-21T00:00:00", "dateReserved": "2021-08-10T00:00:00", "dateUpdated": "2021-11-03T19:05:10", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:deltaww:dialink:*:*:*:*:*:*:*:*", "matchCriteriaId": "A2B37F1B-6DB2-4F02-A633-27D40E524D24", "versionEndIncluding": "1.2.4.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Delta Electronics DIALink versions 1.2.4.0 and prior stores sensitive information in cleartext, which may allow an attacker to have extensive access to the application directory and escalate privileges."}, {"lang": "es", "value": "Delta Electronics DIALink versiones 1.2.4.0 y anteriores, almacena informaci\u00f3n confidencial en texto sin cifrar, que puede permitir a un atacante tener un amplio acceso al directorio de la aplicaci\u00f3n y escalar privilegios"}], "id": "CVE-2021-38422", "lastModified": "2021-11-05T15:09:39.340", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.6, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}, "published": "2021-11-03T20:15:08.773", "references": [{"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-294-02"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-312"}], "source": "ics-cert@hq.dhs.gov", "type": "Primary"}]}