CVE-2021-27434 - Vulnerability Details - OpenCVE

Products with Unified Automation .NET based OPC UA Client/Server SDK Bundle: Versions V3.0.7 and prior (.NET 4.5, 4.0, and 3.5 Framework versions only) are vulnerable to an uncontrolled recursion, which may allow an attacker to trigger a stack overflow.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.00216.

Key SSVC decision points have not yet been added.

Vendors	Products
Microsoft	.net Framework
Unified-automation	.net Based Opc Ua Client\/server Sdk

Configuration 1 [-]

AND

cpe:2.3:a:unified-automation:.net_based_opc_ua_client\/server_sdk:*:*:*:*:*:*:*:*

OR	cpe:2.3:a:microsoft:.net_framework:3.5:::::::*
	cpe:2.3:a:microsoft:.net_framework:4.0:::::::*
	cpe:2.3:a:microsoft:.net_framework:4.5:::::::*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2021-14188	Products with Unified Automation .NET based OPC UA Client/Server SDK Bundle: Versions V3.0.7 and prior (.NET 4.5, 4.0, and 3.5 Framework versions only) are vulnerable to an uncontrolled recursion, which may allow an attacker to trigger a stack overflow.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://us-cert.cisa.gov/ics/advisories/icsa-21-133-04

History

No history.

MITRE

Status: PUBLISHED

Assigner: icscert

Published: 2021-05-20T13:42:54

Updated: 2024-08-03T20:48:17.296Z

Reserved: 2021-02-19T00:00:00

Link: CVE-2021-27434

Vulnrichment

No data.

NVD

Status : Modified

Published: 2021-05-20T14:15:07.767

Modified: 2024-11-21T05:57:58.987

Link: CVE-2021-27434

Redhat

No data.

OpenCVE Enrichment

No data.

{"containers": {"cna": {"affected": [{"product": "OPC UA Products Built with the .NET Framework 4.5, 4.0, and 3.5", "vendor": "n/a", "versions": [{"status": "affected", "version": "Unified Automation .NET based OPC UA Client/Server SDK Bundle: Versions V3.0.7 and prior (.NET 4.5, 4.0, and 3.5 Framework versions only)"}]}], "descriptions": [{"lang": "en", "value": "Products with Unified Automation .NET based OPC UA Client/Server SDK Bundle: Versions V3.0.7 and prior (.NET 4.5, 4.0, and 3.5 Framework versions only) are vulnerable to an uncontrolled recursion, which may allow an attacker to trigger a stack overflow."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "description": "EXPOSURE OF SENSITIVE INFORMATION TO AN UNAUTHORIZED ACTOR CWE-200", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-05-20T13:42:54", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-133-04"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "ics-cert@hq.dhs.gov", "ID": "CVE-2021-27434", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "OPC UA Products Built with the .NET Framework 4.5, 4.0, and 3.5", "version": {"version_data": [{"version_value": "Unified Automation .NET based OPC UA Client/Server SDK Bundle: Versions V3.0.7 and prior (.NET 4.5, 4.0, and 3.5 Framework versions only)"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Products with Unified Automation .NET based OPC UA Client/Server SDK Bundle: Versions V3.0.7 and prior (.NET 4.5, 4.0, and 3.5 Framework versions only) are vulnerable to an uncontrolled recursion, which may allow an attacker to trigger a stack overflow."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "EXPOSURE OF SENSITIVE INFORMATION TO AN UNAUTHORIZED ACTOR CWE-200"}]}]}, "references": {"reference_data": [{"name": "https://us-cert.cisa.gov/ics/advisories/icsa-21-133-04", "refsource": "MISC", "url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-133-04"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T20:48:17.296Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-133-04"}]}]}, "cveMetadata": {"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2021-27434", "datePublished": "2021-05-20T13:42:54", "dateReserved": "2021-02-19T00:00:00", "dateUpdated": "2024-08-03T20:48:17.296Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:unified-automation:.net_based_opc_ua_client\\/server_sdk:*:*:*:*:*:*:*:*", "matchCriteriaId": "72FFADD0-F648-492C-9A45-1456EEDAAD06", "versionEndIncluding": "3.0.7", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:.net_framework:3.5:*:*:*:*:*:*:*", "matchCriteriaId": "E039CE1F-B988-4741-AE2E-5B36E2AF9688", "vulnerable": false}, {"criteria": "cpe:2.3:a:microsoft:.net_framework:4.0:*:*:*:*:*:*:*", "matchCriteriaId": "792B417F-96A0-4E9D-9E79-5D7F982E2225", "vulnerable": false}, {"criteria": "cpe:2.3:a:microsoft:.net_framework:4.5:*:*:*:*:*:*:*", "matchCriteriaId": "61FAD9EE-FA7F-4B39-8A9B-AFFAEC8BF214", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "Products with Unified Automation .NET based OPC UA Client/Server SDK Bundle: Versions V3.0.7 and prior (.NET 4.5, 4.0, and 3.5 Framework versions only) are vulnerable to an uncontrolled recursion, which may allow an attacker to trigger a stack overflow."}, {"lang": "es", "value": "Productos con el programa Unified Automation .NET based OPC UA Client/Server SDK Bundle: Versiones V3.0.7 y anteriores (solo versiones de .NET 4.5, 4.0 y 3.5 Framework) son vulnerables a una recursividad no controlada, que puede permitir a un atacante desencadenar un desbordamiento de pila"}], "id": "CVE-2021-27434", "lastModified": "2024-11-21T05:57:58.987", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-05-20T14:15:07.767", "references": [{"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-133-04"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-133-04"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-674"}], "source": "nvd@nist.gov", "type": "Primary"}]}