Details of VAR-202202-1215

ID

VAR-202202-1215

CVE

CVE-2021-22823

TITLE

Interactive Graphical SCADA System Data Collector Vulnerability regarding lack of authentication for critical features in

Trust: 0.8

sources: JVNDB: JVNDB-2021-018346

DESCRIPTION

A CWE-306: Missing Authentication for Critical Function vulnerability exists that could cause deletion of arbitrary files in the context of the user running IGSS due to lack of validation of network messages. Affected Product: Interactive Graphical SCADA System Data Collector (dc.exe) (V15.0.0.21320 and prior). Schneider Electric Interactive Graphical SCADA System (IGSS) is a set of SCADA (Data Acquisition and Supervisory Control System) systems used by Schneider Electric in France to monitor and control industrial processes

Trust: 2.16

sources: NVD: CVE-2021-22823 // JVNDB: JVNDB-2021-018346 // CNVD: CNVD-2022-13067

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2022-13067

AFFECTED PRODUCTS

vendor:	schneider electric	model:	interactive graphical scada system data collector	scope:	lte	version:	15.0.0.21320	Trust: 1.0
vendor:	schneider electric	model:	interactive graphical scada system data collector	scope:	lte	version:	15.0.0.21320 and earlier	Trust: 0.8
vendor:	schneider electric	model:	interactive graphical scada system data collector	scope:	eq	version:	-	Trust: 0.8
vendor:	schneider	model:	electric interactive graphical scada system	scope:	lte	version:	<=15.0.0.21320	Trust: 0.6

sources: CNVD: CNVD-2022-13067 // JVNDB: JVNDB-2021-018346 // NVD: CVE-2021-22823

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2021-22823
value:	CRITICAL
Trust: 1.0
NVD:	CVE-2021-22823
value:	CRITICAL
Trust: 0.8
CNVD:	CNVD-2022-13067
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-202202-1051
value:	CRITICAL
Trust: 0.6

nvd@nist.gov:	CVE-2021-22823
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2022-13067
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2021-22823
baseSeverity:	CRITICAL
baseScore:	9.1
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	5.2
version:	3.1
Trust: 1.0
NVD:	CVE-2021-22823
baseSeverity:	CRITICAL
baseScore:	9.1
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2022-13067 // JVNDB: JVNDB-2021-018346 // CNNVD: CNNVD-202202-1051 // NVD: CVE-2021-22823

PROBLEMTYPE DATA

problemtype:	CWE-306	Trust: 1.0
problemtype:	Lack of authentication for critical features (CWE-306) [ others ]	Trust: 0.8

sources: JVNDB: JVNDB-2021-018346 // NVD: CVE-2021-22823

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202202-1051

TYPE

access control error

Trust: 0.6

sources: CNNVD: CNNVD-202202-1051

PATCH

title:	SEVD-2021-348-01	url:	https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-348-01	Trust: 0.8
title:	Patch for Schneider Electric Interactive Graphical SCADA System Access Control Error Vulnerability (CNVD-2022-13067)	url:	https://www.cnvd.org.cn/patchInfo/show/321196	Trust: 0.6
title:	Schneider Electric Interactive Graphical SCADA System Fixes for access control error vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=182987	Trust: 0.6

sources: CNVD: CNVD-2022-13067 // JVNDB: JVNDB-2021-018346 // CNNVD: CNNVD-202202-1051

EXTERNAL IDS

db:	NVD	id:	CVE-2021-22823	Trust: 3.8
db:	SCHNEIDER	id:	SEVD-2021-348-01	Trust: 2.2
db:	JVNDB	id:	JVNDB-2021-018346	Trust: 0.8
db:	CNVD	id:	CNVD-2022-13067	Trust: 0.6
db:	CS-HELP	id:	SB2022021504	Trust: 0.6
db:	CNNVD	id:	CNNVD-202202-1051	Trust: 0.6

sources: CNVD: CNVD-2022-13067 // JVNDB: JVNDB-2021-018346 // CNNVD: CNNVD-202202-1051 // NVD: CVE-2021-22823

REFERENCES

url:	https://download.schneider-electric.com/files?p_doc_ref=sevd-2021-348-01	Trust: 2.2
url:	https://nvd.nist.gov/vuln/detail/cve-2021-22823	Trust: 1.4
url:	https://www.cybersecurity-help.cz/vdb/sb2022021504	Trust: 0.6

sources: CNVD: CNVD-2022-13067 // JVNDB: JVNDB-2021-018346 // CNNVD: CNNVD-202202-1051 // NVD: CVE-2021-22823

SOURCES

db:	CNVD	id:	CNVD-2022-13067
db:	JVNDB	id:	JVNDB-2021-018346
db:	CNNVD	id:	CNNVD-202202-1051
db:	NVD	id:	CVE-2021-22823

LAST UPDATE DATE

2024-08-14T14:55:36.624000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2022-13067	date:	2022-06-13T00:00:00
db:	JVNDB	id:	JVNDB-2021-018346	date:	2023-06-01T03:01:00
db:	CNNVD	id:	CNNVD-202202-1051	date:	2022-03-10T00:00:00
db:	NVD	id:	CVE-2021-22823	date:	2022-02-18T18:28:20.790

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2022-13067	date:	2022-02-22T00:00:00
db:	JVNDB	id:	JVNDB-2021-018346	date:	2023-06-01T00:00:00
db:	CNNVD	id:	CNNVD-202202-1051	date:	2022-02-11T00:00:00
db:	NVD	id:	CVE-2021-22823	date:	2022-02-11T18:15:09.570