CVE-2021-33005 - Vulnerability Details - OpenCVE

mySCADA myPRO versions prior to 8.20.0 allows an unauthenticated remote attacker to upload arbitrary files to arbitrary directories.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.00334.

Exploitation none

Automatable yes

Technical Impact partial

Vendors	Products
Myscada	Mypro

Configuration 1 [-]

cpe:2.3:a:myscada:mypro:*:*:*:*:*:*:*:*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2021-19726	mySCADA myPRO versions prior to 8.20.0 allows an unauthenticated remote attacker to upload arbitrary files to arbitrary directories.

Fixes

Solution

mySCADA recommends users apply update v8.20.0 or later.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://www.cisa.gov/uscert/ics/advisories/icsa-21-217-03
https://www.myscada.org/version-8-20-0-released-security-update

History

Wed, 16 Apr 2025 17:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: icscert

Published: 2022-05-13T15:18:40.002Z

Updated: 2025-04-16T16:21:55.101Z

Reserved: 2021-05-13T00:00:00.000Z

Link: CVE-2021-33005

Vulnrichment

Updated: 2024-08-03T23:42:19.949Z

NVD

Status : Modified

Published: 2022-05-13T16:15:07.950

Modified: 2024-11-21T06:08:06.603

Link: CVE-2021-33005

Redhat

No data.

OpenCVE Enrichment

No data.

{"containers": {"cna": {"affected": [{"product": "myPRO", "vendor": "mySCADA", "versions": [{"lessThan": "8.20.0", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Michael Heinzl reported these vulnerabilities to CISA."}], "datePublic": "2021-08-05T00:00:00.000Z", "descriptions": [{"lang": "en", "value": "mySCADA myPRO versions prior to 8.20.0 allows an unauthenticated remote attacker to upload arbitrary files to arbitrary directories."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "description": "CWE-22: Path Traversal", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-05-13T15:18:39.000Z", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-217-03"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://www.myscada.org/version-8-20-0-released-security-update"}], "solutions": [{"lang": "en", "value": "mySCADA recommends users apply update v8.20.0 or later."}], "source": {"discovery": "EXTERNAL"}, "title": "mySCADA myPRO Path Traversal", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "ics-cert@hq.dhs.gov", "DATE_PUBLIC": "2021-08-05T21:32:00.000Z", "ID": "CVE-2021-33005", "STATE": "PUBLIC", "TITLE": "mySCADA myPRO Path Traversal"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "myPRO", "version": {"version_data": [{"version_affected": "<", "version_value": "8.20.0"}]}}]}, "vendor_name": "mySCADA"}]}}, "credit": [{"lang": "eng", "value": "Michael Heinzl reported these vulnerabilities to CISA."}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "mySCADA myPRO versions prior to 8.20.0 allows an unauthenticated remote attacker to upload arbitrary files to arbitrary directories."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-22: Path Traversal"}]}]}, "references": {"reference_data": [{"name": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-217-03", "refsource": "MISC", "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-217-03"}, {"name": "https://www.myscada.org/version-8-20-0-released-security-update", "refsource": "CONFIRM", "url": "https://www.myscada.org/version-8-20-0-released-security-update"}]}, "solution": [{"lang": "en", "value": "mySCADA recommends users apply update v8.20.0 or later."}], "source": {"discovery": "EXTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T23:42:19.949Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-217-03"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.myscada.org/version-8-20-0-released-security-update"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-16T15:56:04.272607Z", "id": "CVE-2021-33005", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-16T16:21:55.101Z"}}]}, "cveMetadata": {"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2021-33005", "datePublished": "2022-05-13T15:18:40.002Z", "dateReserved": "2021-05-13T00:00:00.000Z", "dateUpdated": "2025-04-16T16:21:55.101Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-217-03", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://www.myscada.org/version-8-20-0-released-security-update", "tags": ["x_refsource_CONFIRM", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T23:42:19.949Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2021-33005", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-04-16T15:56:04.272607Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-16T15:56:08.801Z"}}], "cna": {"title": "mySCADA myPRO Path Traversal", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "value": "Michael Heinzl reported these vulnerabilities to CISA."}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "mySCADA", "product": "myPRO", "versions": [{"status": "affected", "version": "unspecified", "lessThan": "8.20.0", "versionType": "custom"}]}], "solutions": [{"lang": "en", "value": "mySCADA recommends users apply update v8.20.0 or later."}], "datePublic": "2021-08-05T00:00:00.000Z", "references": [{"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-217-03", "tags": ["x_refsource_MISC"]}, {"url": "https://www.myscada.org/version-8-20-0-released-security-update", "tags": ["x_refsource_CONFIRM"]}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "descriptions": [{"lang": "en", "value": "mySCADA myPRO versions prior to 8.20.0 allows an unauthenticated remote attacker to upload arbitrary files to arbitrary directories."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22: Path Traversal"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2022-05-13T15:18:39.000Z"}, "x_legacyV4Record": {"credit": [{"lang": "eng", "value": "Michael Heinzl reported these vulnerabilities to CISA."}], "impact": {"cvss": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, "source": {"discovery": "EXTERNAL"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "8.20.0", "version_affected": "<"}]}, "product_name": "myPRO"}]}, "vendor_name": "mySCADA"}]}}, "solution": [{"lang": "en", "value": "mySCADA recommends users apply update v8.20.0 or later."}], "data_type": "CVE", "generator": {"engine": "Vulnogram 0.0.9"}, "references": {"reference_data": [{"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-217-03", "name": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-217-03", "refsource": "MISC"}, {"url": "https://www.myscada.org/version-8-20-0-released-security-update", "name": "https://www.myscada.org/version-8-20-0-released-security-update", "refsource": "CONFIRM"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "eng", "value": "mySCADA myPRO versions prior to 8.20.0 allows an unauthenticated remote attacker to upload arbitrary files to arbitrary directories."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-22: Path Traversal"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2021-33005", "STATE": "PUBLIC", "TITLE": "mySCADA myPRO Path Traversal", "ASSIGNER": "ics-cert@hq.dhs.gov", "DATE_PUBLIC": "2021-08-05T21:32:00.000Z"}}}}, "cveMetadata": {"cveId": "CVE-2021-33005", "state": "PUBLISHED", "dateUpdated": "2025-04-16T16:21:55.101Z", "dateReserved": "2021-05-13T00:00:00.000Z", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "datePublished": "2022-05-13T15:18:40.002Z", "assignerShortName": "icscert"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:myscada:mypro:*:*:*:*:*:*:*:*", "matchCriteriaId": "1DDCAD9A-0464-4431-AC41-88D4A57354BD", "versionEndExcluding": "8.20.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "mySCADA myPRO versions prior to 8.20.0 allows an unauthenticated remote attacker to upload arbitrary files to arbitrary directories."}, {"lang": "es", "value": "mySCADA myPRO versiones anteriores a la 8.20.0, permiten a un atacante remoto no autentificado cargar archivos arbitrarios en directorios arbitrarios"}], "id": "CVE-2021-33005", "lastModified": "2024-11-21T06:08:06.603", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-05-13T16:15:07.950", "references": [{"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-217-03"}, {"source": "ics-cert@hq.dhs.gov", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://www.myscada.org/version-8-20-0-released-security-update"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-217-03"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://www.myscada.org/version-8-20-0-released-security-update"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}