CVE-2021-36717 - Vulnerability Details - OpenCVE

Description

Synerion TimeNet version 9.21 contains a directory traversal vulnerability where, on the "Name" parameter, the attacker can return to the root directory and open the host file. This might give the attacker the ability to view restricted files, which could provide the attacker with more information required to further compromise the system.

Published: 2021-09-07

Score: 5.4 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

No analysis available yet.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Synerion

TimeNet version

affected

Version	Status	Constraints
`TimeNet 9.21`	affected	—

Configuration 1 [-]

cpe:2.3:a:synerion:timenet:9.21:*:*:*:*:*:*:*

No data.

No data available yet.

Remediation

Vendor Solution

Update to TimeNet version 10.2.1

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2021-23310	Synerion TimeNet version 9.21 contains a directory traversal vulnerability where, on the "Name" parameter, the attacker can return to the root directory and open the host file. This might give the attacker the ability to view restricted files, which could provide the attacker with more information required to further compromise the system.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.0025.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://www.gov.il/en/departments/faq/cve_advisories

History

No history.

Subscriptions

Synerion Timenet

MITRE

Status: PUBLISHED

Assigner: INCD

Published: 2021-09-07T11:36:33.000Z

Updated: 2024-08-04T01:01:59.243Z

Reserved: 2021-07-12T00:00:00.000Z

Link: CVE-2021-36717

Vulnrichment

No data.

NVD

Status : Modified

Published: 2021-09-07T12:15:07.620

Modified: 2024-11-21T06:13:58.143

Link: CVE-2021-36717

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-22

{"containers": {"cna": {"affected": [{"product": "TimeNet version", "vendor": "Synerion", "versions": [{"status": "affected", "version": "TimeNet 9.21"}]}], "descriptions": [{"lang": "en", "value": "Synerion TimeNet version 9.21 contains a directory traversal vulnerability where, on the \"Name\" parameter, the attacker can return to the root directory and open the host file. This might give the attacker the ability to view restricted files, which could provide the attacker with more information required to further compromise the system."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"description": "Directory Traversal", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-09-16T10:42:22.000Z", "orgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f", "shortName": "INCD"}, "references": [{"name": "INCD CVE Advisories", "tags": ["third-party-advisory", "x_refsource_CERT"], "url": "https://www.gov.il/en/departments/faq/cve_advisories"}], "solutions": [{"lang": "en", "value": "Update to TimeNet version 10.2.1"}], "source": {"advisory": "ILVN-2021-0002", "defect": ["ILVN-2021-0002"], "discovery": "EXTERNAL"}, "title": "Synerion TimeNet version 9.21 - Directory Traversal", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cna@cyber.gov.il", "ID": "CVE-2021-36717", "STATE": "PUBLIC", "TITLE": "Synerion TimeNet version 9.21 - Directory Traversal"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "TimeNet version", "version": {"version_data": [{"version_name": "TimeNet", "version_value": "9.21"}]}}]}, "vendor_name": "Synerion"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Synerion TimeNet version 9.21 contains a directory traversal vulnerability where, on the \"Name\" parameter, the attacker can return to the root directory and open the host file. This might give the attacker the ability to view restricted files, which could provide the attacker with more information required to further compromise the system."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Directory Traversal"}]}]}, "references": {"reference_data": [{"name": "INCD CVE Advisories", "refsource": "CERT", "url": "https://www.gov.il/en/departments/faq/cve_advisories"}]}, "solution": [{"lang": "en", "value": "Update to TimeNet version 10.2.1"}], "source": {"advisory": "ILVN-2021-0002", "defect": ["ILVN-2021-0002"], "discovery": "EXTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T01:01:59.243Z"}, "title": "CVE Program Container", "references": [{"name": "INCD CVE Advisories", "tags": ["third-party-advisory", "x_refsource_CERT", "x_transferred"], "url": "https://www.gov.il/en/departments/faq/cve_advisories"}]}]}, "cveMetadata": {"assignerOrgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f", "assignerShortName": "INCD", "cveId": "CVE-2021-36717", "datePublished": "2021-09-07T11:36:33.000Z", "dateReserved": "2021-07-12T00:00:00.000Z", "dateUpdated": "2024-08-04T01:01:59.243Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:synerion:timenet:9.21:*:*:*:*:*:*:*", "matchCriteriaId": "1FC5F459-E02A-4E1F-9FA5-E4FD3B367491", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Synerion TimeNet version 9.21 contains a directory traversal vulnerability where, on the \"Name\" parameter, the attacker can return to the root directory and open the host file. This might give the attacker the ability to view restricted files, which could provide the attacker with more information required to further compromise the system."}, {"lang": "es", "value": "La versi\u00f3n 9.21 de Synerion TimeNet contiene una vulnerabilidad de cruce de directorios en la que, en el par\u00e1metro \"Name\", el atacante puede volver al directorio ra\u00edz y abrir el archivo del host. Esto podr\u00eda dar al atacante la capacidad de ver archivos restringidos, lo que podr\u00eda proporcionar al atacante m\u00e1s informaci\u00f3n necesaria para comprometer a\u00fan m\u00e1s el sistema"}], "id": "CVE-2021-36717", "lastModified": "2024-11-21T06:13:58.143", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "cna@cyber.gov.il", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-09-07T12:15:07.620", "references": [{"source": "cna@cyber.gov.il", "tags": ["Third Party Advisory"], "url": "https://www.gov.il/en/departments/faq/cve_advisories"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.gov.il/en/departments/faq/cve_advisories"}], "sourceIdentifier": "cna@cyber.gov.il", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}]}