CVE-2021-32981 – AVEVA System Platform Path Traversal
https://notcve.org/view.php?id=CVE-2021-32981
AVEVA System Platform versions 2017 through 2020 R2 P01 uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. • https://www.aveva.com/content/dam/aveva/documents/support/cyber-security-updates/SecurityBulletin_AVEVA-2021-002.pdf https://www.cisa.gov/uscert/ics/advisories/icsa-21-180-05 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2021-32985 – AVEVA System Platform Origin Validation Error
https://notcve.org/view.php?id=CVE-2021-32985
AVEVA System Platform versions 2017 through 2020 R2 P01 does not properly verify that the source of data or communication is valid. • https://www.aveva.com/content/dam/aveva/documents/support/cyber-security-updates/SecurityBulletin_AVEVA-2021-002.pdf https://www.cisa.gov/uscert/ics/advisories/icsa-21-180-05 • CWE-346: Origin Validation Error
CVE-2021-33010 – AVEVA System Platform Uncaught Exception
https://notcve.org/view.php?id=CVE-2021-33010
An exception is thrown from a function in AVEVA System Platform versions 2017 through 2020 R2 P01, but it is not caught, which may cause a denial-of-service condition. • https://www.aveva.com/content/dam/aveva/documents/support/cyber-security-updates/SecurityBulletin_AVEVA-2021-002.pdf https://www.cisa.gov/uscert/ics/advisories/icsa-21-180-05 • CWE-248: Uncaught Exception
CVE-2021-32977 – AVEVA System Platform Improper Verification of Cryptographic Signature
https://notcve.org/view.php?id=CVE-2021-32977
AVEVA System Platform versions 2017 through 2020 R2 P01 does not verify, or incorrectly verifies, the cryptographic signature for data. • https://www.aveva.com/content/dam/aveva/documents/support/cyber-security-updates/SecurityBulletin_AVEVA-2021-002.pdf https://www.cisa.gov/uscert/ics/advisories/icsa-21-180-05 • CWE-347: Improper Verification of Cryptographic Signature
CVE-2019-6525
https://notcve.org/view.php?id=CVE-2019-6525
AVEVA Wonderware System Platform 2017 Update 2 and prior uses an ArchestrA network user account for authentication of system processes and inter-node communications. A user with low privileges could make use of an API to obtain the credentials for this account. • https://ics-cert.us-cert.gov/advisories/ICSA-19-029-03 https://sw.aveva.com/hubfs/assets-2018/pdf/security-bulletin/SecurityBulletin_LFSec135.pdf • CWE-269: Improper Privilege Management CWE-522: Insufficiently Protected Credentials