CVE-2021-42021 - OpenCVE

A vulnerability has been identified in Siveillance Video DLNA Server (2019 R1), Siveillance Video DLNA Server (2019 R2), Siveillance Video DLNA Server (2019 R3), Siveillance Video DLNA Server (2020 R1), Siveillance Video DLNA Server (2020 R2), Siveillance Video DLNA Server (2020 R3), Siveillance Video DLNA Server (2021 R1). The affected application contains a path traversal vulnerability that could allow to read arbitrary files on the server that are outside the application’s web document directory. An unauthenticated remote attacker could exploit this issue to access sensitive information for subsequent attacks.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Siemens	Siveillance Video Management Software 2019 R1 Siveillance Video Management Software 2020 R1 Siveillance Video Management Software 2020 R2 Siveillance Video Management Software 2019 R3 Siveillance Video Management Software 2019 R2 Siveillance Video Dlna Server

Configuration 1 [-]

AND

OR	cpe:2.3:a:siemens:siveillance_video_management_software_2019_r1::::::::
	cpe:2.3:a:siemens:siveillance_video_management_software_2019_r2::::::::
	cpe:2.3:a:siemens:siveillance_video_management_software_2019_r3::::::::
	cpe:2.3:a:siemens:siveillance_video_management_software_2020_r1:-:::::::*
	cpe:2.3:a:siemens:siveillance_video_management_software_2020_r2:-:::::::*

cpe:2.3:h:siemens:siveillance_video_dlna_server:-:*:*:*:*:*:*:*

References

Link	Resource
https://cert-portal.siemens.com/productcert/pdf/ssa-755517.pdf	Patch Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: siemens

Published: 2021-11-09T11:32:15

Updated: 2021-11-09T11:32:15

Reserved: 2021-10-06T00:00:00

Link: CVE-2021-42021

JSON object: View

NVD Information

Status : Analyzed

Published: 2021-11-09T12:15:10.523

Modified: 2022-07-25T10:56:46.123

Link: CVE-2021-42021

JSON object: View

Redhat Information

No data.

CWE

{"containers": {"cna": {"affected": [{"product": "Siveillance Video DLNA Server", "vendor": "Siemens", "versions": [{"status": "affected", "version": "2019 R1"}]}, {"product": "Siveillance Video DLNA Server", "vendor": "Siemens", "versions": [{"status": "affected", "version": "2019 R2"}]}, {"product": "Siveillance Video DLNA Server", "vendor": "Siemens", "versions": [{"status": "affected", "version": "2019 R3"}]}, {"product": "Siveillance Video DLNA Server", "vendor": "Siemens", "versions": [{"status": "affected", "version": "2020 R1"}]}, {"product": "Siveillance Video DLNA Server", "vendor": "Siemens", "versions": [{"status": "affected", "version": "2020 R2"}]}, {"product": "Siveillance Video DLNA Server", "vendor": "Siemens", "versions": [{"status": "affected", "version": "2020 R3"}]}, {"product": "Siveillance Video DLNA Server", "vendor": "Siemens", "versions": [{"status": "affected", "version": "2021 R1"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability has been identified in Siveillance Video DLNA Server (2019 R1), Siveillance Video DLNA Server (2019 R2), Siveillance Video DLNA Server (2019 R3), Siveillance Video DLNA Server (2020 R1), Siveillance Video DLNA Server (2020 R2), Siveillance Video DLNA Server (2020 R3), Siveillance Video DLNA Server (2021 R1). The affected application contains a path traversal vulnerability that could allow to read arbitrary files on the server that are outside the application\u2019s web document directory. An unauthenticated remote attacker could exploit this issue to access sensitive information for subsequent attacks."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-26", "description": "CWE-26: Path Traversal: '/dir/../filename'", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-11-09T11:32:15", "orgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77", "shortName": "siemens"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-755517.pdf"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "productcert@siemens.com", "ID": "CVE-2021-42021", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Siveillance Video DLNA Server", "version": {"version_data": [{"version_value": "2019 R1"}]}}, {"product_name": "Siveillance Video DLNA Server", "version": {"version_data": [{"version_value": "2019 R2"}]}}, {"product_name": "Siveillance Video DLNA Server", "version": {"version_data": [{"version_value": "2019 R3"}]}}, {"product_name": "Siveillance Video DLNA Server", "version": {"version_data": [{"version_value": "2020 R1"}]}}, {"product_name": "Siveillance Video DLNA Server", "version": {"version_data": [{"version_value": "2020 R2"}]}}, {"product_name": "Siveillance Video DLNA Server", "version": {"version_data": [{"version_value": "2020 R3"}]}}, {"product_name": "Siveillance Video DLNA Server", "version": {"version_data": [{"version_value": "2021 R1"}]}}]}, "vendor_name": "Siemens"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A vulnerability has been identified in Siveillance Video DLNA Server (2019 R1), Siveillance Video DLNA Server (2019 R2), Siveillance Video DLNA Server (2019 R3), Siveillance Video DLNA Server (2020 R1), Siveillance Video DLNA Server (2020 R2), Siveillance Video DLNA Server (2020 R3), Siveillance Video DLNA Server (2021 R1). The affected application contains a path traversal vulnerability that could allow to read arbitrary files on the server that are outside the application\u2019s web document directory. An unauthenticated remote attacker could exploit this issue to access sensitive information for subsequent attacks."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-26: Path Traversal: '/dir/../filename'"}]}]}, "references": {"reference_data": [{"name": "https://cert-portal.siemens.com/productcert/pdf/ssa-755517.pdf", "refsource": "MISC", "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-755517.pdf"}]}}}}, "cveMetadata": {"assignerOrgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77", "assignerShortName": "siemens", "cveId": "CVE-2021-42021", "datePublished": "2021-11-09T11:32:15", "dateReserved": "2021-10-06T00:00:00", "dateUpdated": "2021-11-09T11:32:15", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:siemens:siveillance_video_management_software_2019_r1:*:*:*:*:*:*:*:*", "matchCriteriaId": "3922D1E1-35A6-46F9-83B8-9E57CD1AA47B", "vulnerable": true}, {"criteria": "cpe:2.3:a:siemens:siveillance_video_management_software_2019_r2:*:*:*:*:*:*:*:*", "matchCriteriaId": "7584896C-E932-4A5E-8045-04D4262A9E2B", "vulnerable": true}, {"criteria": "cpe:2.3:a:siemens:siveillance_video_management_software_2019_r3:*:*:*:*:*:*:*:*", "matchCriteriaId": "2E1D3534-ADC0-43F1-8270-F09696195754", "vulnerable": true}, {"criteria": "cpe:2.3:a:siemens:siveillance_video_management_software_2020_r1:-:*:*:*:*:*:*:*", "matchCriteriaId": "DFC80AF3-17E5-4535-94FB-3B43C32BF8D8", "vulnerable": true}, {"criteria": "cpe:2.3:a:siemens:siveillance_video_management_software_2020_r2:-:*:*:*:*:*:*:*", "matchCriteriaId": "2323FB89-9DAF-4AA8-BFDB-60CA31EEE760", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:siemens:siveillance_video_dlna_server:-:*:*:*:*:*:*:*", "matchCriteriaId": "9E210B89-066A-447B-8379-F8C857F56A70", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "A vulnerability has been identified in Siveillance Video DLNA Server (2019 R1), Siveillance Video DLNA Server (2019 R2), Siveillance Video DLNA Server (2019 R3), Siveillance Video DLNA Server (2020 R1), Siveillance Video DLNA Server (2020 R2), Siveillance Video DLNA Server (2020 R3), Siveillance Video DLNA Server (2021 R1). The affected application contains a path traversal vulnerability that could allow to read arbitrary files on the server that are outside the application\u2019s web document directory. An unauthenticated remote attacker could exploit this issue to access sensitive information for subsequent attacks."}, {"lang": "es", "value": "Se ha identificado una vulnerabilidad en Siveillance Video DLNA Server (2019 R1), Siveillance Video DLNA Server (2019 R2), Siveillance Video DLNA Server (2019 R3), Siveillance Video DLNA Server (2020 R1), Siveillance Video DLNA Server (2020 R2), Siveillance Video DLNA Server (2020 R3), Siveillance Video DLNA Server (2021 R1). La aplicaci\u00f3n afectada contiene una vulnerabilidad de salto de ruta que podr\u00eda permitir la lectura de archivos arbitrarios en el servidor que est\u00e1n fuera del directorio del documento web de la aplicaci\u00f3n. Un atacante remoto no autenticado podr\u00eda explotar este problema para acceder a informaci\u00f3n confidencial para posteriores ataques"}], "id": "CVE-2021-42021", "lastModified": "2022-07-25T10:56:46.123", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-11-09T12:15:10.523", "references": [{"source": "productcert@siemens.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-755517.pdf"}], "sourceIdentifier": "productcert@siemens.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-26"}], "source": "productcert@siemens.com", "type": "Secondary"}]}