CVE-2021-22860 - OpenCVE

EIC e-document system does not perform completed identity verification for sorting and filtering personnel data. The vulnerability allows remote attacker to obtain users’ credential information without logging in the system, and further acquire the privileged permissions and execute arbitrary commends.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Eic	E-document System

Configuration 1 [-]

OR	cpe:2.3:a:eic:e-document_system:2.9:::::::*
	cpe:2.3:a:eic:e-document_system:3.0.2:::::::*

No data.

References

Link	Providers
https://gist.github.com/tonykuo76/17d497b3472a80a5e8914227e81e6fa3
https://www.chtsecurity.com/news/12929036-924b-4b89-8a0e-3e7155e19011
https://www.twcert.org.tw/tw/cp-132-4518-c813c-1.html

History

No history.

MITRE

Status: PUBLISHED

Assigner: twcert

Published: 2021-03-17T09:10:31.510444Z

Updated: 2024-09-16T16:12:43.224Z

Reserved: 2021-01-06T00:00:00

Link: CVE-2021-22860

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2021-03-17T09:15:12.670

Modified: 2021-03-23T15:35:19.390

Link: CVE-2021-22860

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "e-document system", "vendor": "Excellent Infotek Corporation", "versions": [{"status": "affected", "version": "0 3.0.2"}, {"status": "affected", "version": "0 2.9"}]}], "datePublic": "2021-03-17T00:00:00", "descriptions": [{"lang": "en", "value": "EIC e-document system does not perform completed identity verification for sorting and filtering personnel data. The vulnerability allows remote attacker to obtain users\u2019 credential information without logging in the system, and further acquire the privileged permissions and execute arbitrary commends."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"description": "Broken Authentication", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-03-17T09:10:31", "orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e", "shortName": "twcert"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.twcert.org.tw/tw/cp-132-4518-c813c-1.html"}, {"tags": ["x_refsource_MISC"], "url": "https://gist.github.com/tonykuo76/17d497b3472a80a5e8914227e81e6fa3"}, {"tags": ["x_refsource_MISC"], "url": "https://www.chtsecurity.com/news/12929036-924b-4b89-8a0e-3e7155e19011"}], "solutions": [{"lang": "en", "value": "Update to version 3.0.4"}], "source": {"advisory": "TVN-202101011", "discovery": "EXTERNAL"}, "title": "EIC e-document system - Broken Authentication", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"AKA": "TWCERT/CC", "ASSIGNER": "cve@cert.org.tw", "DATE_PUBLIC": "2021-03-17T09:30:00.000Z", "ID": "CVE-2021-22860", "STATE": "PUBLIC", "TITLE": "EIC e-document system - Broken Authentication"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "e-document system", "version": {"version_data": [{"version_affected": "=", "version_name": "0", "version_value": "3.0.2"}, {"version_affected": "=", "version_name": "0", "version_value": "2.9"}]}}]}, "vendor_name": "Excellent Infotek Corporation"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "EIC e-document system does not perform completed identity verification for sorting and filtering personnel data. The vulnerability allows remote attacker to obtain users\u2019 credential information without logging in the system, and further acquire the privileged permissions and execute arbitrary commends."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Broken Authentication"}]}]}, "references": {"reference_data": [{"name": "https://www.twcert.org.tw/tw/cp-132-4518-c813c-1.html", "refsource": "MISC", "url": "https://www.twcert.org.tw/tw/cp-132-4518-c813c-1.html"}, {"name": "https://gist.github.com/tonykuo76/17d497b3472a80a5e8914227e81e6fa3", "refsource": "MISC", "url": "https://gist.github.com/tonykuo76/17d497b3472a80a5e8914227e81e6fa3"}, {"name": "https://www.chtsecurity.com/news/12929036-924b-4b89-8a0e-3e7155e19011", "refsource": "MISC", "url": "https://www.chtsecurity.com/news/12929036-924b-4b89-8a0e-3e7155e19011"}]}, "solution": [{"lang": "en", "value": "Update to version 3.0.4"}], "source": {"advisory": "TVN-202101011", "discovery": "EXTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T18:51:07.538Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.twcert.org.tw/tw/cp-132-4518-c813c-1.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://gist.github.com/tonykuo76/17d497b3472a80a5e8914227e81e6fa3"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.chtsecurity.com/news/12929036-924b-4b89-8a0e-3e7155e19011"}]}]}, "cveMetadata": {"assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e", "assignerShortName": "twcert", "cveId": "CVE-2021-22860", "datePublished": "2021-03-17T09:10:31.510444Z", "dateReserved": "2021-01-06T00:00:00", "dateUpdated": "2024-09-16T16:12:43.224Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:eic:e-document_system:2.9:*:*:*:*:*:*:*", "matchCriteriaId": "CF2502A7-E3EE-4332-BE44-8D96B74661C7", "vulnerable": true}, {"criteria": "cpe:2.3:a:eic:e-document_system:3.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "36D6184C-8C14-4FC0-8995-8E23CA91A53A", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "EIC e-document system does not perform completed identity verification for sorting and filtering personnel data. The vulnerability allows remote attacker to obtain users\u2019 credential information without logging in the system, and further acquire the privileged permissions and execute arbitrary commends."}, {"lang": "es", "value": "El sistema de e-document de EIC, no lleva a cabo una comprobaci\u00f3n de identidad completa para clasificar y filtrar los datos del personal. La vulnerabilidad permite a un atacante remoto obtener la informaci\u00f3n de las credenciales de los usuarios sin iniciar sesi\u00f3n en el sistema, y ??adem\u00e1s adquirir los permisos privilegiados y ejecutar recomendaciones arbitrarias"}], "id": "CVE-2021-22860", "lastModified": "2021-03-23T15:35:19.390", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "twcert@cert.org.tw", "type": "Secondary"}]}, "published": "2021-03-17T09:15:12.670", "references": [{"source": "twcert@cert.org.tw", "tags": ["Third Party Advisory"], "url": "https://gist.github.com/tonykuo76/17d497b3472a80a5e8914227e81e6fa3"}, {"source": "twcert@cert.org.tw", "tags": ["Third Party Advisory"], "url": "https://www.chtsecurity.com/news/12929036-924b-4b89-8a0e-3e7155e19011"}, {"source": "twcert@cert.org.tw", "tags": ["Third Party Advisory"], "url": "https://www.twcert.org.tw/tw/cp-132-4518-c813c-1.html"}], "sourceIdentifier": "twcert@cert.org.tw", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "nvd@nist.gov", "type": "Primary"}]}