CVE-2021-23276 - OpenCVE

Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to authenticated SQL injection. A malicious user can send a specially crafted packet to exploit the vulnerability. Successful exploitation of this vulnerability can allow attackers to add users in the data base.

No CVSS v4.0

Attack Vector Adjacent Network

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:S/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Eaton	Intelligent Power Manager Intelligent Power Manager Virtual Appliance Intelligent Power Protector

Configuration 1 [-]

OR	cpe:2.3:a:eaton:intelligent_power_manager::::::::
	cpe:2.3:a:eaton:intelligent_power_manager_virtual_appliance::::::::
	cpe:2.3:a:eaton:intelligent_power_protector::::::::

No data.

References

Link	Providers
https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-intelligent-power-manager-ipm-vulnerability-advisory.pdf

History

Tue, 17 Sep 2024 02:30:00 +0000

Type	Values Removed	Values Added
Title	Improper Neutralization of Special Elements used in an SQL Command	Improper Neutralization of Special Elements used in an SQL Command

MITRE

Status: PUBLISHED

Assigner: Eaton

Published: 2021-04-13T18:03:08.524940Z

Updated: 2024-09-17T02:22:03.243Z

Reserved: 2021-01-08T00:00:00

Link: CVE-2021-23276

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2021-04-13T19:15:14.600

Modified: 2021-04-21T15:29:31.947

Link: CVE-2021-23276

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Intelligent Power manager (IPM)", "vendor": "Eaton", "versions": [{"lessThan": "1.69", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Amir Preminger from Claroty research"}], "datePublic": "2021-04-01T00:00:00", "descriptions": [{"lang": "en", "value": "Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to authenticated SQL injection. A malicious user can send a specially crafted packet to exploit the vulnerability. Successful exploitation of this vulnerability can allow attackers to add users in the data base."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "description": "CWE-89 SQL Injection", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-04-13T18:03:08", "orgId": "63703b7d-23e2-41ef-94b3-a3c6333f7759", "shortName": "Eaton"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-intelligent-power-manager-ipm-vulnerability-advisory.pdf"}], "solutions": [{"lang": "en", "value": "upgrade the software to latest version 1.69"}], "source": {"advisory": "ETN-VA-2021-1000", "defect": ["ETN-VA-2021-1000"], "discovery": "EXTERNAL"}, "title": "Improper Neutralization of Special Elements used in an SQL Command", "workarounds": [{"lang": "en", "value": "To prevent the exploitation of the issues and safeguard the software from malicious entities, Eaton recommends blocking ports 4679 & 4680 at the enterprise network or home network where Intelligent Power Manager (IPM) software is installed and used"}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"AKA": "SQL Injection", "ASSIGNER": "CybersecurityCOE@eaton.com", "DATE_PUBLIC": "2021-04-01T07:00:00.000Z", "ID": "CVE-2021-23276", "STATE": "PUBLIC", "TITLE": "Improper Neutralization of Special Elements used in an SQL Command"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Intelligent Power manager (IPM)", "version": {"version_data": [{"version_affected": "<", "version_value": "1.69"}]}}]}, "vendor_name": "Eaton"}]}}, "credit": [{"lang": "eng", "value": "Amir Preminger from Claroty research"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to authenticated SQL injection. A malicious user can send a specially crafted packet to exploit the vulnerability. Successful exploitation of this vulnerability can allow attackers to add users in the data base."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-89 SQL Injection"}]}]}, "references": {"reference_data": [{"name": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-intelligent-power-manager-ipm-vulnerability-advisory.pdf", "refsource": "MISC", "url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-intelligent-power-manager-ipm-vulnerability-advisory.pdf"}]}, "solution": [{"lang": "en", "value": "upgrade the software to latest version 1.69"}], "source": {"advisory": "ETN-VA-2021-1000", "defect": ["ETN-VA-2021-1000"], "discovery": "EXTERNAL"}, "work_around": [{"lang": "en", "value": "To prevent the exploitation of the issues and safeguard the software from malicious entities, Eaton recommends blocking ports 4679 & 4680 at the enterprise network or home network where Intelligent Power Manager (IPM) software is installed and used"}]}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T19:05:54.415Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-intelligent-power-manager-ipm-vulnerability-advisory.pdf"}]}]}, "cveMetadata": {"assignerOrgId": "63703b7d-23e2-41ef-94b3-a3c6333f7759", "assignerShortName": "Eaton", "cveId": "CVE-2021-23276", "datePublished": "2021-04-13T18:03:08.524940Z", "dateReserved": "2021-01-08T00:00:00", "dateUpdated": "2024-09-17T02:22:03.243Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:eaton:intelligent_power_manager:*:*:*:*:*:*:*:*", "matchCriteriaId": "5E2C63CA-B479-49C4-8C98-F5AE9BF06A2F", "versionEndExcluding": "1.69", "vulnerable": true}, {"criteria": "cpe:2.3:a:eaton:intelligent_power_manager_virtual_appliance:*:*:*:*:*:*:*:*", "matchCriteriaId": "10CFCD42-A9D6-468B-9287-03B4341B129A", "versionEndExcluding": "1.69", "vulnerable": true}, {"criteria": "cpe:2.3:a:eaton:intelligent_power_protector:*:*:*:*:*:*:*:*", "matchCriteriaId": "4A67B7A8-E508-4854-9437-BF702692948C", "versionEndExcluding": "1.68", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to authenticated SQL injection. A malicious user can send a specially crafted packet to exploit the vulnerability. Successful exploitation of this vulnerability can allow attackers to add users in the data base."}, {"lang": "es", "value": "Eaton Intelligent Power Manager (IPM) versiones anteriores a 1.69, es vulnerable a una inyecci\u00f3n de SQL autenticado. Un usuario malicioso puede enviar un paquete especialmente dise\u00f1ado para explotar la vulnerabilidad. Una explotaci\u00f3n con \u00e9xito de esta vulnerabilidad puede permitir a atacantes agregar usuarios a la base de datos"}], "id": "CVE-2021-23276", "lastModified": "2021-04-21T15:29:31.947", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "CybersecurityCOE@eaton.com", "type": "Secondary"}]}, "published": "2021-04-13T19:15:14.600", "references": [{"source": "CybersecurityCOE@eaton.com", "tags": ["Vendor Advisory"], "url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-intelligent-power-manager-ipm-vulnerability-advisory.pdf"}], "sourceIdentifier": "CybersecurityCOE@eaton.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-89"}], "source": "CybersecurityCOE@eaton.com", "type": "Secondary"}]}