Details of VAR-202105-0684

ID

VAR-202105-0684

CVE

CVE-2021-27463

TITLE

Emerson Made Rosemount X-STREAM Multiple vulnerabilities in

Trust: 0.8

sources: JVNDB: JVNDB-2021-001505

DESCRIPTION

A vulnerability has been found in multiple revisions of Emerson Rosemount X-STREAM Gas Analyzer. The affected applications utilize persistent cookies where the session cookie attribute is not properly invalidated, allowing an attacker to intercept the cookies and gain access to sensitive information. Rosemount X-STREAM The following multiple vulnerabilities exist in. * Inadequate encryption strength (CWE-326) - CVE-2021-27457 ‥ * Unlimited upload of dangerous types of files (CWE-434) - CVE-2021-27459 ‥ * Past traversal (CWE-22) - CVE-2021-27461 ‥ * Contains sensitive information Cookie Permanent use of (CWE-539) - CVE-2021-27463 ‥ * Cross-site scripting (CWE-79) - CVE-2021-27465 ‥ * Inappropriate restrictions on rendered user interface layers or frames (CWE-1021) - CVE-2021-27467The expected impact depends on each vulnerability, but it may be affected as follows. * Credentials obtained by a remote third party - CVE-2021-27457 ‥ * Arbitrary code executed by a remote third party - CVE-2021-27459 ‥ * By a remote third party Web Access to sensitive data stored on the server - CVE-2021-27461 ‥ * By a remote third party Cookie Get sensitive information stored in - CVE-2021-27463 ‥ * By a remote third party Web Page tampered with displaying incorrect or unintended data - CVE-2021-27465 ‥ * A remote third party transfers the clicks and keystrokes made by the user to another page to obtain sensitive information. - CVE-2021-27467. The device supports gas analyzers of up to five components, with NDIR/UV/VIS photometer, paramagnetic and electrochemical O2, thermal conductivity and humidity sensors and other functions. Pillow is a Python-based image processing library. There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements

Trust: 2.79

sources: NVD: CVE-2021-27463 // JVNDB: JVNDB-2021-001505 // CNVD: CNVD-2021-37941 // CNNVD: CNNVD-202104-975 // VULMON: CVE-2021-27463

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2021-37941

AFFECTED PRODUCTS

vendor:	emerson	model:	x-stream enhanced xegp	scope:	eq	version:	*	Trust: 1.0
vendor:	emerson	model:	x-stream enhanced xefd	scope:	eq	version:	*	Trust: 1.0
vendor:	emerson	model:	x-stream enhanced xexf	scope:	eq	version:	*	Trust: 1.0
vendor:	emerson	model:	x-stream enhanced xegk	scope:	eq	version:	*	Trust: 1.0
vendor:	エマソン	model:	rosemount x-stream	scope:	-	version:	-	Trust: 0.8
vendor:	エマソン	model:	rosemount x-stream	scope:	eq	version:	-	Trust: 0.8
vendor:	エマソン	model:	rosemount x-stream	scope:	eq	version:	enhanced xegp	Trust: 0.8
vendor:	エマソン	model:	rosemount x-stream	scope:	eq	version:	enhanced xegk	Trust: 0.8
vendor:	エマソン	model:	rosemount x-stream	scope:	eq	version:	enhanced xefd	Trust: 0.8
vendor:	エマソン	model:	rosemount x-stream	scope:	eq	version:	enhanced xexf	Trust: 0.8
vendor:	emerson	model:	x-stream enhanced xegp	scope:	-	version:	-	Trust: 0.6
vendor:	emerson	model:	x-stream enhanced xegk	scope:	-	version:	-	Trust: 0.6
vendor:	emerson	model:	x-stream enhanced xefd	scope:	-	version:	-	Trust: 0.6
vendor:	emerson	model:	x-stream enhanced xexf	scope:	-	version:	-	Trust: 0.6

sources: CNVD: CNVD-2021-37941 // JVNDB: JVNDB-2021-001505 // NVD: CVE-2021-27463

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2021-27463
value:	MEDIUM
Trust: 1.0
IPA:	JVNDB-2021-001505
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2021-37941
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-202104-975
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-202105-1235
value:	MEDIUM
Trust: 0.6

nvd@nist.gov:	CVE-2021-27463
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.0
CNVD:	CNVD-2021-37941
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2021-27463
baseSeverity:	MEDIUM
baseScore:	5.3
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	LOW
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	1.4
version:	3.1
Trust: 1.0
IPA:	JVNDB-2021-001505
baseSeverity:	MEDIUM
baseScore:	5.3
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	LOW
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2021-37941 // JVNDB: JVNDB-2021-001505 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202105-1235 // NVD: CVE-2021-27463

PROBLEMTYPE DATA

problemtype:	CWE-539	Trust: 1.0
problemtype:	Inappropriate restrictions on rendered user interface layers or frames (CWE-1021) [IPA Evaluation ]	Trust: 0.8
problemtype:	Path traversal (CWE-22) [IPA Evaluation ]	Trust: 0.8
problemtype:	Inadequate encryption strength (CWE-326) [IPA Evaluation ]	Trust: 0.8
problemtype:	Unlimited upload of dangerous types of files (CWE-434) [IPA Evaluation ]	Trust: 0.8
problemtype:	Permanent with important information Cookie Use of (CWE-539) [IPA Evaluation ]	Trust: 0.8
problemtype:	Cross-site scripting (CWE-79) [IPA Evaluation ]	Trust: 0.8

sources: JVNDB: JVNDB-2021-001505 // NVD: CVE-2021-27463

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202105-1235

TYPE

other

Trust: 1.2

sources: CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202105-1235

PATCH

title:	EmersonCyber Security NotificationAlert EMR.RMT20006-2	url:	https://www.emerson.com/documents/automation/security-notification-rosemount-x-stream-continuous-gas-analyzers-cyber-security-notification-en-7238500.pdf	Trust: 0.8
title:	Patch for Emerson Rosemount X-STREAM Gas Analyzer has unspecified vulnerabilities	url:	https://www.cnvd.org.cn/patchInfo/show/269051	Trust: 0.6
title:	Emerson Rosemount X-STREAM Gas Analyzer Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=152362	Trust: 0.6

sources: CNVD: CNVD-2021-37941 // JVNDB: JVNDB-2021-001505 // CNNVD: CNNVD-202105-1235

EXTERNAL IDS

db:	NVD	id:	CVE-2021-27463	Trust: 3.1
db:	ICS CERT	id:	ICSA-21-138-01	Trust: 2.5
db:	JVN	id:	JVNVU97128016	Trust: 0.8
db:	JVNDB	id:	JVNDB-2021-001505	Trust: 0.8
db:	CNVD	id:	CNVD-2021-37941	Trust: 0.6
db:	CS-HELP	id:	SB2021041363	Trust: 0.6
db:	CNNVD	id:	CNNVD-202104-975	Trust: 0.6
db:	CS-HELP	id:	SB2021051909	Trust: 0.6
db:	AUSCERT	id:	ESB-2021.1779	Trust: 0.6
db:	CNNVD	id:	CNNVD-202105-1235	Trust: 0.6
db:	VULMON	id:	CVE-2021-27463	Trust: 0.1

sources: CNVD: CNVD-2021-37941 // VULMON: CVE-2021-27463 // JVNDB: JVNDB-2021-001505 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202105-1235 // NVD: CVE-2021-27463

REFERENCES

url:	https://us-cert.cisa.gov/ics/advisories/icsa-21-138-01	Trust: 3.1
url:	http://jvn.jp/cert/jvnvu97128016	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2021-27463	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2021041363	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2021051909	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2021.1779	Trust: 0.6
url:	https://nvd.nist.gov	Trust: 0.1

sources: CNVD: CNVD-2021-37941 // VULMON: CVE-2021-27463 // JVNDB: JVNDB-2021-001505 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202105-1235 // NVD: CVE-2021-27463

SOURCES

db:	CNVD	id:	CNVD-2021-37941
db:	VULMON	id:	CVE-2021-27463
db:	JVNDB	id:	JVNDB-2021-001505
db:	CNNVD	id:	CNNVD-202104-975
db:	CNNVD	id:	CNNVD-202105-1235
db:	NVD	id:	CVE-2021-27463

LAST UPDATE DATE

2024-08-14T13:16:45.120000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2021-37941	date:	2021-05-31T00:00:00
db:	VULMON	id:	CVE-2021-27463	date:	2021-05-20T00:00:00
db:	JVNDB	id:	JVNDB-2021-001505	date:	2021-05-24T06:08:00
db:	CNNVD	id:	CNNVD-202104-975	date:	2021-04-14T00:00:00
db:	CNNVD	id:	CNNVD-202105-1235	date:	2021-05-31T00:00:00
db:	NVD	id:	CVE-2021-27463	date:	2021-05-28T14:49:59.013

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2021-37941	date:	2021-05-31T00:00:00
db:	VULMON	id:	CVE-2021-27463	date:	2021-05-20T00:00:00
db:	JVNDB	id:	JVNDB-2021-001505	date:	2021-05-24T00:00:00
db:	CNNVD	id:	CNNVD-202104-975	date:	2021-04-13T00:00:00
db:	CNNVD	id:	CNNVD-202105-1235	date:	2021-05-18T00:00:00
db:	NVD	id:	CVE-2021-27463	date:	2021-05-20T12:15:08.197