CVE-2021-32953 - OpenCVE

An attacker could utilize SQL commands to create a new user MDT AutoSave versions prior to v6.02.06 and update the user’s permissions, granting the attacker the ability to login.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Auvesy-mdt	Autosave Autosave For System Platform

Configuration 1 [-]

OR	cpe:2.3:a:auvesy-mdt:autosave::::::::
	cpe:2.3:a:auvesy-mdt:autosave::::::::
	cpe:2.3:a:auvesy-mdt:autosave_for_system_platform::::::::
	cpe:2.3:a:auvesy-mdt:autosave_for_system_platform:5.00:::::::*

No data.

References

Link	Providers
https://www.cisa.gov/uscert/ics/advisories/icsa-21-189-02

History

No history.

MITRE

Status: PUBLISHED

Assigner: icscert

Published: 2022-04-01T22:17:05

Updated: 2024-08-03T23:33:56.023Z

Reserved: 2021-05-13T00:00:00

Link: CVE-2021-32953

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-04-01T23:15:09.703

Modified: 2022-04-11T14:22:22.397

Link: CVE-2021-32953

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "MDT AutoSave", "vendor": "MDT Software", "versions": [{"lessThan": "6.02.06", "status": "affected", "version": "unspecified", "versionType": "custom"}]}, {"product": "MDT AutoSave", "vendor": "MDT Software", "versions": [{"lessThan": "7.04", "status": "affected", "version": "7.00", "versionType": "custom"}]}, {"product": "AutoSave for System Platform (A4SP)", "vendor": "MDT Software", "versions": [{"lessThan": "4.01", "status": "affected", "version": "unspecified", "versionType": "custom"}]}, {"product": "A4SP", "vendor": "MDT Software", "versions": [{"status": "affected", "version": "5.00"}]}], "credits": [{"lang": "en", "value": "Amir Preminger of Claroty Research reported these vulnerabilities to MDT Software."}], "descriptions": [{"lang": "en", "value": "An attacker could utilize SQL commands to create a new user MDT AutoSave versions prior to v6.02.06 and update the user\u2019s permissions, granting the attacker the ability to login."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "description": "CWE-89: SQL Injection", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-04-01T22:17:05", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-189-02"}], "solutions": [{"lang": "en", "value": "Updated versions of MDT AutoSave and AutoSave for System Platform (A4SP) were developed to address these vulnerabilities as follows:\nMDT AutoSave 6.x version: Version 6.02.06 (Released January 2021)\nMDT AutoSave 7.x version: Version 7.05 (Released December 2020)\nA4SP 4.x version: Version 4.01 (Released June 2021)\nA4SP 5.x version: Version 5.01 (Released May 2021)\n\nFor more information about these vulnerabilities, and to obtain and install the new versions, please contact MDT Software customer support."}], "source": {"discovery": "EXTERNAL"}, "title": "MDT AutoSave SQL Injection", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "ics-cert@hq.dhs.gov", "ID": "CVE-2021-32953", "STATE": "PUBLIC", "TITLE": "MDT AutoSave SQL Injection"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "MDT AutoSave", "version": {"version_data": [{"version_affected": "<", "version_value": "6.02.06"}]}}, {"product_name": "MDT AutoSave", "version": {"version_data": [{"version_affected": "<", "version_name": "7.00", "version_value": "7.04"}]}}, {"product_name": "AutoSave for System Platform (A4SP)", "version": {"version_data": [{"version_affected": "<", "version_value": "4.01"}]}}, {"product_name": "A4SP", "version": {"version_data": [{"version_affected": "=", "version_value": "5.00"}]}}]}, "vendor_name": "MDT Software"}]}}, "credit": [{"lang": "eng", "value": "Amir Preminger of Claroty Research reported these vulnerabilities to MDT Software."}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An attacker could utilize SQL commands to create a new user MDT AutoSave versions prior to v6.02.06 and update the user\u2019s permissions, granting the attacker the ability to login."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-89: SQL Injection"}]}]}, "references": {"reference_data": [{"name": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-189-02", "refsource": "CONFIRM", "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-189-02"}]}, "solution": [{"lang": "en", "value": "Updated versions of MDT AutoSave and AutoSave for System Platform (A4SP) were developed to address these vulnerabilities as follows:\nMDT AutoSave 6.x version: Version 6.02.06 (Released January 2021)\nMDT AutoSave 7.x version: Version 7.05 (Released December 2020)\nA4SP 4.x version: Version 4.01 (Released June 2021)\nA4SP 5.x version: Version 5.01 (Released May 2021)\n\nFor more information about these vulnerabilities, and to obtain and install the new versions, please contact MDT Software customer support."}], "source": {"discovery": "EXTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T23:33:56.023Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-189-02"}]}]}, "cveMetadata": {"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2021-32953", "datePublished": "2022-04-01T22:17:05", "dateReserved": "2021-05-13T00:00:00", "dateUpdated": "2024-08-03T23:33:56.023Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:auvesy-mdt:autosave:*:*:*:*:*:*:*:*", "matchCriteriaId": "8F0612E0-E5EE-45B1-B49C-BD1296B9EACB", "versionEndExcluding": "6.02.06", "vulnerable": true}, {"criteria": "cpe:2.3:a:auvesy-mdt:autosave:*:*:*:*:*:*:*:*", "matchCriteriaId": "8450FA45-0C07-42D5-B817-AC990579D4F6", "versionEndIncluding": "7.04", "versionStartIncluding": "7.00", "vulnerable": true}, {"criteria": "cpe:2.3:a:auvesy-mdt:autosave_for_system_platform:*:*:*:*:*:*:*:*", "matchCriteriaId": "DDA02918-09D4-43B6-95E6-3023E3DEE57A", "versionEndExcluding": "4.01", "vulnerable": true}, {"criteria": "cpe:2.3:a:auvesy-mdt:autosave_for_system_platform:5.00:*:*:*:*:*:*:*", "matchCriteriaId": "682D5F51-4153-47C3-961C-6C5B4A124E3D", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An attacker could utilize SQL commands to create a new user MDT AutoSave versions prior to v6.02.06 and update the user\u2019s permissions, granting the attacker the ability to login."}, {"lang": "es", "value": "Un atacante podr\u00eda usar comandos SQL para crear un nuevo usuario en MDT AutoSave versiones anteriores a v6.02.06, y actualizar los permisos del usuario, otorgando al atacante la capacidad de iniciar sesi\u00f3n"}], "id": "CVE-2021-32953", "lastModified": "2022-04-11T14:22:22.397", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}, "published": "2022-04-01T23:15:09.703", "references": [{"source": "ics-cert@hq.dhs.gov", "tags": ["Mitigation", "Third Party Advisory", "US Government Resource"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-189-02"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-89"}], "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}