CVE-2021-37200
https://notcve.org/view.php?id=CVE-2021-37200
A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP1). An attacker with access to the webserver of an affected system could download arbitrary files from the underlying filesystem by sending a specially crafted HTTP request. Se ha identificado una vulnerabilidad en SINEC NMS (Todas las versiones anteriores a V1.0 SP1). Un atacante con acceso al servidor web de un sistema afectado podría descargar archivos arbitrarios del sistema de archivos subyacente mediante el envío de una petición HTTP especialmente diseñada • https://cert-portal.siemens.com/productcert/pdf/ssa-330339.pdf • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVE-2021-33721
https://notcve.org/view.php?id=CVE-2021-33721
A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP2). The affected application incorrectly neutralizes special elements when creating batch operations which could lead to command injection. An authenticated remote attacker with administrative privileges could exploit this vulnerability to execute arbitrary code on the system with system privileges. Se ha identificado una vulnerabilidad en SINEC NMS (Todas las versiones anteriores a V1.0 SP2). La aplicación afectada neutraliza incorrectamente los elementos especiales cuando crea operaciones por lotes, lo que podría conllevar a una inyección de comandos. • https://cert-portal.siemens.com/productcert/pdf/ssa-756744.pdf • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVE-2021-22876 – curl: Leak of authentication credentials in URL via automatic Referer
https://notcve.org/view.php?id=CVE-2021-22876
curl 7.1.1 to and including 7.75.0 is vulnerable to an "Exposure of Private Personal Information to an Unauthorized Actor" by leaking credentials in the HTTP Referer: header. libcurl does not strip off user credentials from the URL when automatically populating the Referer: HTTP request header field in outgoing HTTP requests, and therefore risks leaking sensitive data to the server that is the target of the second HTTP request. curl versiones 7.1.1 hasta 7.75.0 incluyéndola, es vulnerable a una "Exposure of Private Personal Information to an Unauthorized Actor" al filtrar credenciales en el encabezado HTTP Referer:. libcurl no elimina las credenciales de usuario de la URL cuando completa automáticamente el campo de encabezado de petición HTTP Referer: en peticiones HTTP salientes y, por lo tanto, corre el riesgo de filtrar datos confidenciales al servidor que es el objetivo de la segunda petición HTTP. It was discovered that libcurl did not remove authentication credentials from URLs when automatically populating the Referer HTTP request header while handling HTTP redirects. This could lead to exposure of the credentials to the server to which requests were redirected. • https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf https://curl.se/docs/CVE-2021-22876.html https://hackerone.com/reports/1101882 https://lists.debian.org/debian-lts-announce/2021/05/msg00019.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2ZC5BMIOKLBQJSFCHEDN2G2C2SH274BP https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ITVWPVGLFISU5BJC2BXBRYSDXTXE2YGC https://lists.fedoraproject.org/archives/list/package-announce%40 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-359: Exposure of Private Personal Information to an Unauthorized Actor •
CVE-2021-22890 – curl: TLS 1.3 session ticket mix-up with HTTPS proxy host
https://notcve.org/view.php?id=CVE-2021-22890
curl 7.63.0 to and including 7.75.0 includes vulnerability that allows a malicious HTTPS proxy to MITM a connection due to bad handling of TLS 1.3 session tickets. When using a HTTPS proxy and TLS 1.3, libcurl can confuse session tickets arriving from the HTTPS proxy but work as if they arrived from the remote server and then wrongly "short-cut" the host handshake. When confusing the tickets, a HTTPS proxy can trick libcurl to use the wrong session ticket resume for the host and thereby circumvent the server TLS certificate check and make a MITM attack to be possible to perform unnoticed. Note that such a malicious HTTPS proxy needs to provide a certificate that curl will accept for the MITMed server for an attack to work - unless curl has been told to ignore the server certificate check. curl versiones 7.63.0 hasta 7.75.0 incluyéndola, incluye una vulnerabilidad que permite que un proxy HTTPS malicioso acceda a una conexión MITM debido al manejo inapropiado de los tickets de sesión de TLS versión 1.3. Cuando se usa un proxy HTTPS y TLS 1.3, libcurl puede confundir los tickets de sesión que llegan del proxy HTTPS pero funciona como si llegaran del servidor remoto y luego "short-cut" incorrectamente el protocolo de enlace del host. • https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf https://curl.se/docs/CVE-2021-22890.html https://hackerone.com/reports/1129529 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2ZC5BMIOKLBQJSFCHEDN2G2C2SH274BP https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ITVWPVGLFISU5BJC2BXBRYSDXTXE2YGC https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KQUIOYX2KUU6FIUZVB5WWZ6JHSSYSQWJ https://security.gen • CWE-290: Authentication Bypass by Spoofing CWE-300: Channel Accessible by Non-Endpoint •
CVE-2020-25237 – Siemens SINEC NMS FirmwareFileUtils extractToFolder Directory Traversal Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2020-25237
A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP1 Update 1), SINEMA Server (All versions < V14.0 SP2 Update 2). When uploading files to an affected system using a zip container, the system does not correctly check if the relative file path of the extracted files is still within the intended target directory. With this an attacker could create or overwrite arbitrary files on an affected system. This type of vulnerability is also known as 'Zip-Slip'. (ZDI-CAN-12054) Se ha identificado una vulnerabilidad en SINEC NMS (Todas las versiones anteriores a V1.0 SP1 Update 1), SINEMA Server (Todas las versiones anteriores a V14.0 SP2 Update 2). • https://cert-portal.siemens.com/productcert/pdf/ssa-156833.pdf https://us-cert.cisa.gov/ics/advisories/icsa-21-040-03 https://www.zerodayinitiative.com/advisories/ZDI-21-253 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •