CVE-2021-22278 - OpenCVE

A certificate validation vulnerability in PCM600 Update Manager allows attacker to get unwanted software packages to be installed on computer which has PCM600 installed.

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:L/AC:L/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Abb	Update Manager
Hitachienergy	Pcm600

Configuration 1 [-]

OR	cpe:2.3:a:abb:update_manager:2.1:::::::*
	cpe:2.3:a:abb:update_manager:2.1.0.4:::::::*
	cpe:2.3:a:abb:update_manager:2.2:::::::*
	cpe:2.3:a:abb:update_manager:2.2.0.1:::::::*
	cpe:2.3:a:abb:update_manager:2.2.0.2:::::::*
	cpe:2.3:a:abb:update_manager:2.2.0.23:::::::*
	cpe:2.3:a:abb:update_manager:2.3.0.60:::::::*
	cpe:2.3:a:abb:update_manager:2.4.20041.1:::::::*
	cpe:2.3:a:abb:update_manager:2.4.20119.2:::::::*

Configuration 2 [-]

AND

cpe:2.3:a:abb:update_manager:*:*:*:*:*:*:*:*

cpe:2.3:h:hitachienergy:pcm600:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://search.abb.com/library/Download.aspx?DocumentID=2NGA001142&LanguageCode=en&DocumentPartId=&Action=Launch
https://search.abb.com/library/Download.aspx?DocumentID=8DBD000056&LanguageCode=en&DocumentPartId=&Action=Launch

History

No history.

MITRE

Status: PUBLISHED

Assigner: ABB

Published: 2021-10-28T12:45:58.086957Z

Updated: 2024-09-16T18:23:59.443Z

Reserved: 2021-01-05T00:00:00

Link: CVE-2021-22278

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2021-10-28T13:15:08.203

Modified: 2023-05-16T20:56:48.347

Link: CVE-2021-22278

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "PCM600", "vendor": "ABB", "versions": [{"lessThan": "unspecified", "status": "affected", "version": "2.7", "versionType": "custom"}, {"lessThanOrEqual": "2.10", "status": "affected", "version": "unspecified", "versionType": "custom"}]}, {"product": "PCM600 Update Manager", "vendor": "ABB", "versions": [{"status": "affected", "version": "2.1"}, {"status": "affected", "version": "2.1.0.4"}, {"status": "affected", "version": "2.2"}, {"status": "affected", "version": "2.2.0.1"}, {"status": "affected", "version": "2.2.0.2"}, {"status": "affected", "version": "2.2.0.23"}, {"status": "affected", "version": "2.3.0.60"}, {"status": "affected", "version": "2.4.20041.1"}, {"status": "affected", "version": "2.4.20119.2"}]}, {"product": "PCM600", "vendor": "Hitachi Energy", "versions": [{"lessThan": "unspecified", "status": "affected", "version": "2.7", "versionType": "custom"}, {"lessThanOrEqual": "2.10", "status": "affected", "version": "unspecified", "versionType": "custom"}]}, {"product": "PCM600 Update Manager", "vendor": "Hitachi Energy", "versions": [{"status": "affected", "version": "2.1"}, {"status": "affected", "version": "2.1.0.4"}, {"status": "affected", "version": "2.2"}, {"status": "affected", "version": "2.2.0.1"}, {"status": "affected", "version": "2.2.0.2"}, {"status": "affected", "version": "2.2.0.23"}, {"status": "affected", "version": "2.3.0.60"}, {"status": "affected", "version": "2.4.20041.1"}, {"status": "affected", "version": "2.4.20119.2"}]}], "credits": [{"lang": "en", "value": "ABB and Hitachi Energy thank CyTRICS researcher May Chaffin for helping to identify the vulnerabilities and protecting our customers."}], "datePublic": "2021-10-19T00:00:00", "descriptions": [{"lang": "en", "value": "A certificate validation vulnerability in PCM600 Update Manager allows attacker to get unwanted software packages to be installed on computer which has PCM600 installed."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-295", "description": "CWE-295 Improper Certificate Validation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-10-28T12:45:58", "orgId": "2b718523-d88f-4f37-9bbd-300c20644bf9", "shortName": "ABB"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://search.abb.com/library/Download.aspx?DocumentID=2NGA001142&LanguageCode=en&DocumentPartId=&Action=Launch"}, {"tags": ["x_refsource_MISC"], "url": "https://search.abb.com/library/Download.aspx?DocumentID=8DBD000056&LanguageCode=en&DocumentPartId=&Action=Launch"}], "solutions": [{"lang": "en", "value": "Install latest PCM600 Update Manager version 2.4.21218.1 or newer."}], "source": {"discovery": "UNKNOWN"}, "title": "Certificate verification vulnerability in Update Manager of PCM600 Engineering Tool", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cybersecurity@ch.abb.com", "DATE_PUBLIC": "2021-10-19T10:02:00.000Z", "ID": "CVE-2021-22278", "STATE": "PUBLIC", "TITLE": "Certificate verification vulnerability in Update Manager of PCM600 Engineering Tool"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "PCM600", "version": {"version_data": [{"version_affected": ">=", "version_value": "2.7"}, {"version_affected": "<=", "version_value": "2.10"}]}}, {"product_name": "PCM600 Update Manager", "version": {"version_data": [{"version_affected": "=", "version_value": "2.1"}, {"version_affected": "=", "version_value": "2.1.0.4"}, {"version_affected": "=", "version_value": "2.2"}, {"version_affected": "=", "version_value": "2.2.0.1"}, {"version_affected": "=", "version_value": "2.2.0.2"}, {"version_affected": "=", "version_value": "2.2.0.23"}, {"version_affected": "=", "version_value": "2.3.0.60"}, {"version_affected": "=", "version_value": "2.4.20041.1"}, {"version_affected": "=", "version_value": "2.4.20119.2"}]}}]}, "vendor_name": "ABB"}, {"product": {"product_data": [{"product_name": "PCM600", "version": {"version_data": [{"version_affected": ">=", "version_value": "2.7"}, {"version_affected": "<=", "version_value": "2.10"}]}}, {"product_name": "PCM600 Update Manager", "version": {"version_data": [{"version_affected": "=", "version_value": "2.1"}, {"version_affected": "=", "version_value": "2.1.0.4"}, {"version_affected": "=", "version_value": "2.2"}, {"version_affected": "=", "version_value": "2.2.0.1"}, {"version_affected": "=", "version_value": "2.2.0.2"}, {"version_affected": "=", "version_value": "2.2.0.23"}, {"version_affected": "=", "version_value": "2.3.0.60"}, {"version_affected": "=", "version_value": "2.4.20041.1"}, {"version_affected": "=", "version_value": "2.4.20119.2"}]}}]}, "vendor_name": "Hitachi Energy"}]}}, "credit": [{"lang": "eng", "value": "ABB and Hitachi Energy thank CyTRICS researcher May Chaffin for helping to identify the vulnerabilities and protecting our customers."}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A certificate validation vulnerability in PCM600 Update Manager allows attacker to get unwanted software packages to be installed on computer which has PCM600 installed."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-295 Improper Certificate Validation"}]}]}, "references": {"reference_data": [{"name": "https://search.abb.com/library/Download.aspx?DocumentID=2NGA001142&LanguageCode=en&DocumentPartId=&Action=Launch", "refsource": "MISC", "url": "https://search.abb.com/library/Download.aspx?DocumentID=2NGA001142&LanguageCode=en&DocumentPartId=&Action=Launch"}, {"name": "https://search.abb.com/library/Download.aspx?DocumentID=8DBD000056&LanguageCode=en&DocumentPartId=&Action=Launch", "refsource": "MISC", "url": "https://search.abb.com/library/Download.aspx?DocumentID=8DBD000056&LanguageCode=en&DocumentPartId=&Action=Launch"}]}, "solution": [{"lang": "en", "value": "Install latest PCM600 Update Manager version 2.4.21218.1 or newer."}], "source": {"discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T18:37:18.443Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://search.abb.com/library/Download.aspx?DocumentID=2NGA001142&LanguageCode=en&DocumentPartId=&Action=Launch"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://search.abb.com/library/Download.aspx?DocumentID=8DBD000056&LanguageCode=en&DocumentPartId=&Action=Launch"}]}]}, "cveMetadata": {"assignerOrgId": "2b718523-d88f-4f37-9bbd-300c20644bf9", "assignerShortName": "ABB", "cveId": "CVE-2021-22278", "datePublished": "2021-10-28T12:45:58.086957Z", "dateReserved": "2021-01-05T00:00:00", "dateUpdated": "2024-09-16T18:23:59.443Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:abb:update_manager:2.1:*:*:*:*:*:*:*", "matchCriteriaId": "270D7F57-336B-4529-A80B-54E7285A748C", "vulnerable": true}, {"criteria": "cpe:2.3:a:abb:update_manager:2.1.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "F3C761D5-31F0-4A1C-B25B-D6672E6CCFA4", "vulnerable": true}, {"criteria": "cpe:2.3:a:abb:update_manager:2.2:*:*:*:*:*:*:*", "matchCriteriaId": "D90D0E2D-D673-42B1-BF93-6A46CCB4FC4E", "vulnerable": true}, {"criteria": "cpe:2.3:a:abb:update_manager:2.2.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "E7566688-A986-454E-85E2-30C410F036F5", "vulnerable": true}, {"criteria": "cpe:2.3:a:abb:update_manager:2.2.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "E54590EC-81E2-4EB7-B9FA-FBD8D3EF68F0", "vulnerable": true}, {"criteria": "cpe:2.3:a:abb:update_manager:2.2.0.23:*:*:*:*:*:*:*", "matchCriteriaId": "950F2775-4C0E-4C89-B9A5-E57C8AB7E358", "vulnerable": true}, {"criteria": "cpe:2.3:a:abb:update_manager:2.3.0.60:*:*:*:*:*:*:*", "matchCriteriaId": "B9641E06-083B-4D62-A589-CBD33842E4F7", "vulnerable": true}, {"criteria": "cpe:2.3:a:abb:update_manager:2.4.20041.1:*:*:*:*:*:*:*", "matchCriteriaId": "013A5B85-B035-459F-8D7D-1CD6ABA0BA06", "vulnerable": true}, {"criteria": "cpe:2.3:a:abb:update_manager:2.4.20119.2:*:*:*:*:*:*:*", "matchCriteriaId": "634F2294-B68D-4729-B794-DBCED5283F96", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:abb:update_manager:*:*:*:*:*:*:*:*", "matchCriteriaId": "35E421FD-7C58-42B8-9D32-82D68763D59B", "versionEndIncluding": "2.10", "versionStartIncluding": "2.7", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:hitachienergy:pcm600:-:*:*:*:*:*:*:*", "matchCriteriaId": "A68C99C9-B2C1-4ADD-9B06-2BE60B583D30", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A certificate validation vulnerability in PCM600 Update Manager allows attacker to get unwanted software packages to be installed on computer which has PCM600 installed."}, {"lang": "es", "value": "Una vulnerabilidad de comprobaci\u00f3n de certificados en PCM600 Update Manager permite a un atacante conseguir que se instalen paquetes de software no deseados en el ordenador que presenta instalado el PCM600"}], "id": "CVE-2021-22278", "lastModified": "2023-05-16T20:56:48.347", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.6, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.8, "impactScore": 5.9, "source": "cybersecurity@ch.abb.com", "type": "Secondary"}]}, "published": "2021-10-28T13:15:08.203", "references": [{"source": "cybersecurity@ch.abb.com", "tags": ["Vendor Advisory"], "url": "https://search.abb.com/library/Download.aspx?DocumentID=2NGA001142&LanguageCode=en&DocumentPartId=&Action=Launch"}, {"source": "cybersecurity@ch.abb.com", "tags": ["Vendor Advisory"], "url": "https://search.abb.com/library/Download.aspx?DocumentID=8DBD000056&LanguageCode=en&DocumentPartId=&Action=Launch"}], "sourceIdentifier": "cybersecurity@ch.abb.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-295"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-295"}], "source": "cybersecurity@ch.abb.com", "type": "Secondary"}]}