ID

VAR-202106-1954


CVE

CVE-2021-32960


TITLE

Pillow Buffer error vulnerability

Trust: 0.6

sources: CNNVD: CNNVD-202104-975

DESCRIPTION

Rockwell Automation FactoryTalk Services Platform v6.11 and earlier, if FactoryTalk Security is enabled and deployed, contains a vulnerability that may allow a remote, authenticated attacker to bypass FactoryTalk Security policies based on the computer name. If successfully exploited, this may allow an attacker to have the same privileges as if they were logged on to the client machine. Pillow is a Python-based image processing library. There is currently no information about this vulnerability; please follow CNNVD or manufacturer announcements. Rockwell Automation FactoryTalk Services Platform is a service platform composed of multiple products from Rockwell Automation in the United States. It provides routine services for applications, such as diagnostic information, health monitoring and real-time data access.

Trust: 1.53

sources: NVD: CVE-2021-32960 // CNNVD: CNNVD-202104-975 // VULHUB: VHN-392946

AFFECTED PRODUCTS

vendor: rockwellautomation, model: factorytalk services platform, scope: lte, version: 6.11.00

Trust: 1.0

sources: NVD: CVE-2021-32960

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2021-32960
value: HIGH

Trust: 1.0

ics-cert@hq.dhs.gov: CVE-2021-32960
value: HIGH

Trust: 1.0

CNNVD: CNNVD-202104-975
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-202106-792
value: HIGH

Trust: 0.6

VULHUB: VHN-392946
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2021-32960
severity: MEDIUM
baseScore: 6.0
vectorString: AV:N/AC:M/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 6.8
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

VULHUB: VHN-392946
severity: MEDIUM
baseScore: 6.0
vectorString: AV:N/AC:M/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 6.8
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2021-32960
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 1.0

ics-cert@hq.dhs.gov: CVE-2021-32960
baseSeverity: HIGH
baseScore: 8.5
vectorString: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: LOW
userInteraction: NONE
scope: CHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 6.0
version: 3.1

Trust: 1.0

sources: VULHUB: VHN-392946 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202106-792 // NVD: CVE-2021-32960 // NVD: CVE-2021-32960

PROBLEMTYPE DATA

problemtype:CWE-863

Trust: 1.1

problemtype:CWE-693

Trust: 1.0

sources: VULHUB: VHN-392946 // NVD: CVE-2021-32960

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202106-792

TYPE

other

Trust: 1.2

sources: CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202106-792

EXTERNAL IDS

db: ICS CERT, id: ICSA-21-161-01

Trust: 1.7

db: NVD, id: CVE-2021-32960

Trust: 1.7

db: CS-HELP, id: SB2021041363

Trust: 0.6

db: CNNVD, id: CNNVD-202104-975

Trust: 0.6

db: AUSCERT, id: ESB-2021.2107

Trust: 0.6

db: CS-HELP, id: SB2021061104

Trust: 0.6

db: CNNVD, id: CNNVD-202106-792

Trust: 0.6

db: VULHUB, id: VHN-392946

Trust: 0.1

sources: VULHUB: VHN-392946 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202106-792 // NVD: CVE-2021-32960

REFERENCES

url:https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1131785

Trust: 1.7

url:https://www.cisa.gov/uscert/ics/advisories/icsa-21-161-01

Trust: 1.7

url:https://www.cybersecurity-help.cz/vdb/sb2021041363

Trust: 0.6

url:https://www.cybersecurity-help.cz/vdb/sb2021061104

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2021.2107

Trust: 0.6

url:https://cxsecurity.com/cveshow/cve-2021-32960/

Trust: 0.6

url:https://us-cert.cisa.gov/ics/advisories/icsa-21-161-01

Trust: 0.6

sources: VULHUB: VHN-392946 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202106-792 // NVD: CVE-2021-32960

CREDITS

Rockwell Automation reported this vulnerability to CISA.

Trust: 0.6

sources: CNNVD: CNNVD-202106-792

SOURCES

db: VULHUB, id: VHN-392946
db: CNNVD, id: CNNVD-202104-975
db: CNNVD, id: CNNVD-202106-792
db: NVD, id: CVE-2021-32960

LAST UPDATE DATE

2025-04-17T20:03:18.670000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-392946, date: 2022-04-12T00:00:00
db: CNNVD, id: CNNVD-202104-975, date: 2021-04-14T00:00:00
db: CNNVD, id: CNNVD-202106-792, date: 2022-04-13T00:00:00
db: NVD, id: CVE-2021-32960, date: 2025-04-17T16:15:23.433

SOURCES RELEASE DATE

db: VULHUB, id: VHN-392946, date: 2022-04-01T00:00:00
db: CNNVD, id: CNNVD-202104-975, date: 2021-04-13T00:00:00
db: CNNVD, id: CNNVD-202106-792, date: 2021-06-10T00:00:00
db: NVD, id: CVE-2021-32960, date: 2022-04-01T23:15:09.817