Details of VAR-202105-0686

ID

VAR-202105-0686

CVE

CVE-2021-27467

TITLE

Emerson Made Rosemount X-STREAM Multiple vulnerabilities in

Trust: 0.8

sources: JVNDB: JVNDB-2021-001505

DESCRIPTION

A vulnerability has been found in multiple revisions of Emerson Rosemount X-STREAM Gas Analyzer. The affected product’s web interface allows an attacker to route click or keystroke to another page provided by the attacker to gain unauthorized access to sensitive information. Rosemount X-STREAM The following multiple vulnerabilities exist in. * Inadequate encryption strength (CWE-326) - CVE-2021-27457 ‥ * Unlimited upload of dangerous types of files (CWE-434) - CVE-2021-27459 ‥ * Past traversal (CWE-22) - CVE-2021-27461 ‥ * Contains sensitive information Cookie Permanent use of (CWE-539) - CVE-2021-27463 ‥ * Cross-site scripting (CWE-79) - CVE-2021-27465 ‥ * Inappropriate restrictions on rendered user interface layers or frames (CWE-1021) - CVE-2021-27467The expected impact depends on each vulnerability, but it may be affected as follows. * Credentials obtained by a remote third party - CVE-2021-27457 ‥ * Arbitrary code executed by a remote third party - CVE-2021-27459 ‥ * By a remote third party Web Access to sensitive data stored on the server - CVE-2021-27461 ‥ * By a remote third party Cookie Get sensitive information stored in - CVE-2021-27463 ‥ * By a remote third party Web Page tampered with displaying incorrect or unintended data - CVE-2021-27465 ‥ * A remote third party transfers the clicks and keystrokes made by the user to another page to obtain sensitive information. - CVE-2021-27467. The device supports gas analyzers of up to five components, with NDIR/UV/VIS photometer, paramagnetic and electrochemical O2, thermal conductivity and humidity sensors and other functions. Pillow is a Python-based image processing library. There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements

Trust: 2.79

sources: NVD: CVE-2021-27467 // JVNDB: JVNDB-2021-001505 // CNVD: CNVD-2021-37939 // CNNVD: CNNVD-202104-975 // VULMON: CVE-2021-27467

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2021-37939

AFFECTED PRODUCTS

vendor:	emerson	model:	x-stream enhanced xegp	scope:	eq	version:	*	Trust: 1.0
vendor:	emerson	model:	x-stream enhanced xefd	scope:	eq	version:	*	Trust: 1.0
vendor:	emerson	model:	x-stream enhanced xexf	scope:	eq	version:	*	Trust: 1.0
vendor:	emerson	model:	x-stream enhanced xegk	scope:	eq	version:	*	Trust: 1.0
vendor:	エマソン	model:	rosemount x-stream	scope:	-	version:	-	Trust: 0.8
vendor:	エマソン	model:	rosemount x-stream	scope:	eq	version:	-	Trust: 0.8
vendor:	エマソン	model:	rosemount x-stream	scope:	eq	version:	enhanced xegp	Trust: 0.8
vendor:	エマソン	model:	rosemount x-stream	scope:	eq	version:	enhanced xegk	Trust: 0.8
vendor:	エマソン	model:	rosemount x-stream	scope:	eq	version:	enhanced xefd	Trust: 0.8
vendor:	エマソン	model:	rosemount x-stream	scope:	eq	version:	enhanced xexf	Trust: 0.8
vendor:	emerson	model:	x-stream enhanced xegp	scope:	-	version:	-	Trust: 0.6
vendor:	emerson	model:	x-stream enhanced xegk	scope:	-	version:	-	Trust: 0.6
vendor:	emerson	model:	x-stream enhanced xefd	scope:	-	version:	-	Trust: 0.6
vendor:	emerson	model:	x-stream enhanced xexf	scope:	-	version:	-	Trust: 0.6

sources: CNVD: CNVD-2021-37939 // JVNDB: JVNDB-2021-001505 // NVD: CVE-2021-27467

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2021-27467
value:	MEDIUM
Trust: 1.0
IPA:	JVNDB-2021-001505
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2021-37939
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-202104-975
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-202105-1233
value:	MEDIUM
Trust: 0.6

nvd@nist.gov:	CVE-2021-27467
severity:	MEDIUM
baseScore:	5.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	4.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.0
CNVD:	CNVD-2021-37939
severity:	MEDIUM
baseScore:	5.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	4.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2021-27467
baseSeverity:	MEDIUM
baseScore:	6.1
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	2.7
version:	3.1
Trust: 1.0
IPA:	JVNDB-2021-001505
baseSeverity:	MEDIUM
baseScore:	5.4
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2021-37939 // JVNDB: JVNDB-2021-001505 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202105-1233 // NVD: CVE-2021-27467

PROBLEMTYPE DATA

problemtype:	CWE-1021	Trust: 1.0
problemtype:	Inappropriate restrictions on rendered user interface layers or frames (CWE-1021) [IPA Evaluation ]	Trust: 0.8
problemtype:	Path traversal (CWE-22) [IPA Evaluation ]	Trust: 0.8
problemtype:	Inadequate encryption strength (CWE-326) [IPA Evaluation ]	Trust: 0.8
problemtype:	Unlimited upload of dangerous types of files (CWE-434) [IPA Evaluation ]	Trust: 0.8
problemtype:	Permanent with important information Cookie Use of (CWE-539) [IPA Evaluation ]	Trust: 0.8
problemtype:	Cross-site scripting (CWE-79) [IPA Evaluation ]	Trust: 0.8

sources: JVNDB: JVNDB-2021-001505 // NVD: CVE-2021-27467

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202105-1233

TYPE

other

Trust: 1.2

sources: CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202105-1233

PATCH

title:	EmersonCyber Security NotificationAlert EMR.RMT20006-2	url:	https://www.emerson.com/documents/automation/security-notification-rosemount-x-stream-continuous-gas-analyzers-cyber-security-notification-en-7238500.pdf	Trust: 0.8
title:	Patch for Emerson Rosemount X-STREAM Gas Analyzer has an unspecified vulnerability (CNVD-2021-37939)	url:	https://www.cnvd.org.cn/patchInfo/show/269061	Trust: 0.6
title:	Emerson Rosemount X-STREAM Gas Analyzer Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=152360	Trust: 0.6

sources: CNVD: CNVD-2021-37939 // JVNDB: JVNDB-2021-001505 // CNNVD: CNNVD-202105-1233

EXTERNAL IDS

db:	NVD	id:	CVE-2021-27467	Trust: 3.1
db:	ICS CERT	id:	ICSA-21-138-01	Trust: 2.5
db:	JVN	id:	JVNVU97128016	Trust: 0.8
db:	JVNDB	id:	JVNDB-2021-001505	Trust: 0.8
db:	CNVD	id:	CNVD-2021-37939	Trust: 0.6
db:	CS-HELP	id:	SB2021041363	Trust: 0.6
db:	CNNVD	id:	CNNVD-202104-975	Trust: 0.6
db:	CS-HELP	id:	SB2021051909	Trust: 0.6
db:	AUSCERT	id:	ESB-2021.1779	Trust: 0.6
db:	CNNVD	id:	CNNVD-202105-1233	Trust: 0.6
db:	VULMON	id:	CVE-2021-27467	Trust: 0.1

sources: CNVD: CNVD-2021-37939 // VULMON: CVE-2021-27467 // JVNDB: JVNDB-2021-001505 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202105-1233 // NVD: CVE-2021-27467

REFERENCES

url:	https://us-cert.cisa.gov/ics/advisories/icsa-21-138-01	Trust: 3.1
url:	http://jvn.jp/cert/jvnvu97128016	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2021-27467	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2021041363	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2021051909	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2021.1779	Trust: 0.6
url:	https://nvd.nist.gov	Trust: 0.1

sources: CNVD: CNVD-2021-37939 // VULMON: CVE-2021-27467 // JVNDB: JVNDB-2021-001505 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202105-1233 // NVD: CVE-2021-27467

SOURCES

db:	CNVD	id:	CNVD-2021-37939
db:	VULMON	id:	CVE-2021-27467
db:	JVNDB	id:	JVNDB-2021-001505
db:	CNNVD	id:	CNNVD-202104-975
db:	CNNVD	id:	CNNVD-202105-1233
db:	NVD	id:	CVE-2021-27467

LAST UPDATE DATE

2024-08-14T12:43:57.194000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2021-37939	date:	2021-05-31T00:00:00
db:	VULMON	id:	CVE-2021-27467	date:	2021-05-20T00:00:00
db:	JVNDB	id:	JVNDB-2021-001505	date:	2021-05-24T06:08:00
db:	CNNVD	id:	CNNVD-202104-975	date:	2021-04-14T00:00:00
db:	CNNVD	id:	CNNVD-202105-1233	date:	2021-05-31T00:00:00
db:	NVD	id:	CVE-2021-27467	date:	2021-05-28T14:43:27.937

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2021-37939	date:	2021-05-31T00:00:00
db:	VULMON	id:	CVE-2021-27467	date:	2021-05-20T00:00:00
db:	JVNDB	id:	JVNDB-2021-001505	date:	2021-05-24T00:00:00
db:	CNNVD	id:	CNNVD-202104-975	date:	2021-04-13T00:00:00
db:	CNNVD	id:	CNNVD-202105-1233	date:	2021-05-18T00:00:00
db:	NVD	id:	CVE-2021-27467	date:	2021-05-20T12:15:08.277