CVE-2021-23287 - Vulnerability Details - OpenCVE

The vulnerability exists due to insufficient validation of input of certain resources within the IPM software. This issue affects: Intelligent Power Manager (IPM 1) versions prior to 1.70.

No CVSS v4.0

Attack Vector Adjacent Network

Attack Complexity High

Privileges Required High

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.00357.

Key SSVC decision points have not yet been added.

Vendors	Products
Eaton	Intelligent Power Manager

Configuration 1 [-]

cpe:2.3:a:eaton:intelligent_power_manager:*:*:*:*:*:*:*:*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2021-10382	The vulnerability exists due to insufficient validation of input of certain resources within the IPM software. This issue affects: Intelligent Power Manager (IPM 1) versions prior to 1.70.

Fixes

Solution

Eaton has patched these security issues and new versions of the affected software are released. The latest versions can be downloaded from below location: - Eaton IPM v1.70 – https://www.eaton.com/us/en-us/digital/brightlayer/brightlayer-data-centers-suite/disaster-avoidance-software.html

Workaround

No workaround given by the vendor.

References

Link	Providers
https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/Eaton-Intelligent-Power-Manager-Vulnerability-Advisory_1002a_V1.0.pdf

History

No history.

MITRE

Status: PUBLISHED

Assigner: Eaton

Published: 2022-04-01T22:17:33.721749Z

Updated: 2024-09-16T20:59:12.709Z

Reserved: 2021-01-08T00:00:00

Link: CVE-2021-23287

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-04-01T23:15:08.940

Modified: 2024-11-21T05:51:30.283

Link: CVE-2021-23287

Redhat

No data.

OpenCVE Enrichment

No data.

{"containers": {"cna": {"affected": [{"product": "Intelligent Power Manager (IPM 1)", "vendor": "Eaton", "versions": [{"lessThan": "1.70", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Eaton thanks the below researchers for the coordinated support on the security vulnerabilities: - \u2022 CVE-2021-23287 \u2013 Andreas Finstad and Arthur Donkers"}], "datePublic": "2022-02-08T00:00:00", "descriptions": [{"lang": "en", "value": "The vulnerability exists due to insufficient validation of input of certain resources within the IPM software. This issue affects: Intelligent Power Manager (IPM 1) versions prior to 1.70."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Cross-site Scripting (XSS)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-04-01T22:17:33", "orgId": "63703b7d-23e2-41ef-94b3-a3c6333f7759", "shortName": "Eaton"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/Eaton-Intelligent-Power-Manager-Vulnerability-Advisory_1002a_V1.0.pdf"}], "solutions": [{"lang": "en", "value": "Eaton has patched these security issues and new versions of the affected software are released. The latest versions can be downloaded from below location: -\nEaton IPM v1.70 \u2013 https://www.eaton.com/us/en-us/digital/brightlayer/brightlayer-data-centers-suite/disaster-avoidance-software.html"}], "source": {"advisory": "ETN-VA-2021-1002a", "discovery": "EXTERNAL"}, "title": "Security issues in Intelligent Power Manager (IPM 1)", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "CybersecurityCOE@eaton.com", "DATE_PUBLIC": "2022-02-08T11:20:00.000Z", "ID": "CVE-2021-23287", "STATE": "PUBLIC", "TITLE": "Security issues in Intelligent Power Manager (IPM 1)"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Intelligent Power Manager (IPM 1)", "version": {"version_data": [{"version_affected": "<", "version_value": "1.70"}]}}]}, "vendor_name": "Eaton"}]}}, "credit": [{"lang": "eng", "value": "Eaton thanks the below researchers for the coordinated support on the security vulnerabilities: - \u2022 CVE-2021-23287 \u2013 Andreas Finstad and Arthur Donkers"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The vulnerability exists due to insufficient validation of input of certain resources within the IPM software. This issue affects: Intelligent Power Manager (IPM 1) versions prior to 1.70."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-79 Cross-site Scripting (XSS)"}]}]}, "references": {"reference_data": [{"name": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/Eaton-Intelligent-Power-Manager-Vulnerability-Advisory_1002a_V1.0.pdf", "refsource": "MISC", "url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/Eaton-Intelligent-Power-Manager-Vulnerability-Advisory_1002a_V1.0.pdf"}]}, "solution": [{"lang": "en", "value": "Eaton has patched these security issues and new versions of the affected software are released. The latest versions can be downloaded from below location: -\nEaton IPM v1.70 \u2013 https://www.eaton.com/us/en-us/digital/brightlayer/brightlayer-data-centers-suite/disaster-avoidance-software.html"}], "source": {"advisory": "ETN-VA-2021-1002a", "discovery": "EXTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T19:05:55.560Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/Eaton-Intelligent-Power-Manager-Vulnerability-Advisory_1002a_V1.0.pdf"}]}]}, "cveMetadata": {"assignerOrgId": "63703b7d-23e2-41ef-94b3-a3c6333f7759", "assignerShortName": "Eaton", "cveId": "CVE-2021-23287", "datePublished": "2022-04-01T22:17:33.721749Z", "dateReserved": "2021-01-08T00:00:00", "dateUpdated": "2024-09-16T20:59:12.709Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:eaton:intelligent_power_manager:*:*:*:*:*:*:*:*", "matchCriteriaId": "37838180-A13F-4128-A20C-236BDCEAA113", "versionEndExcluding": "1.70", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The vulnerability exists due to insufficient validation of input of certain resources within the IPM software. This issue affects: Intelligent Power Manager (IPM 1) versions prior to 1.70."}, {"lang": "es", "value": "La vulnerabilidad se presenta debido a que no es comprobado suficientemente la entrada de determinados recursos en el software IPM. Este problema afecta a: Intelligent Power Manager (IPM 1) versiones anteriores a 1.70"}], "id": "CVE-2021-23287", "lastModified": "2024-11-21T05:51:30.283", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.4, "impactScore": 5.2, "source": "CybersecurityCOE@eaton.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-04-01T23:15:08.940", "references": [{"source": "CybersecurityCOE@eaton.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/Eaton-Intelligent-Power-Manager-Vulnerability-Advisory_1002a_V1.0.pdf"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Vendor Advisory"], "url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/Eaton-Intelligent-Power-Manager-Vulnerability-Advisory_1002a_V1.0.pdf"}], "sourceIdentifier": "CybersecurityCOE@eaton.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "CybersecurityCOE@eaton.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}