CVE-2021-31891

Severity Score

*CVSS v3.1

Exploit Likelihood

4.6%

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

A vulnerability has been identified in Desigo CC (All versions with OIS Extension Module), GMA-Manager (All versions with OIS running on Debian 9 or earlier), Operation Scheduler (All versions with OIS running on Debian 9 or earlier), Siveillance Control (All versions with OIS running on Debian 9 or earlier), Siveillance Control Pro (All versions). The affected application incorrectly neutralizes special elements in a specific HTTP GET request which could lead to command injection. An unauthenticated remote attacker could exploit this vulnerability to execute arbitrary code on the system with root privileges.

Se ha identificado una vulnerabilidad en Desigo CC (Todas las versiones con módulo de extensión OIS), GMA-Manager (Todas las versiones con OIS que se ejecutan en Debian 9 o anterior), Operation Scheduler (Todas las versiones con OIS que se ejecutan en Debian 9 o anterior), Siveillance Control (Todas las versiones con OIS que se ejecutan en Debian 9 o anterior), Siveillance Control Pro (Todas las versiones). La aplicación afectada neutraliza incorrectamente elementos especiales en una petición HTTP GET específica que podría conllevar a una inyección de comandos. Un atacante remoto no autenticado podría aprovechar esta vulnerabilidad para ejecutar código arbitrario en el sistema con privilegios de root

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Complete

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2021-04-29 CVE Reserved
2021-09-14 CVE Published
2024-08-03 CVE Updated
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CAPEC

References (1)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC
https://cert-portal.siemens.com/productcert/pdf/ssa-535380...	2021-09-28

1 - 1 of 1

URL	Date	SRC

Affected Vendors, Products, and Versions (5)

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Siemens Search vendor "Siemens"	Gma-manager Search vendor "Siemens" for product "Gma-manager"	*	-	Affected	in	Debian Search vendor "Debian"	Debian Linux Search vendor "Debian" for product "Debian Linux"	<= 9.0 Search vendor "Debian" for product "Debian Linux" and version " <= 9.0"	-	Safe
Siemens Search vendor "Siemens"	Operation Scheduler Search vendor "Siemens" for product "Operation Scheduler"	*	-	Affected	in	Debian Search vendor "Debian"	Debian Linux Search vendor "Debian" for product "Debian Linux"	<= 9.0 Search vendor "Debian" for product "Debian Linux" and version " <= 9.0"	-	Safe
Siemens Search vendor "Siemens"	Siveillance Control Search vendor "Siemens" for product "Siveillance Control"	*	-	Affected	in	Debian Search vendor "Debian"	Debian Linux Search vendor "Debian" for product "Debian Linux"	<= 9.0 Search vendor "Debian" for product "Debian Linux" and version " <= 9.0"	-	Safe
Vendor		Product				Version		Other		Status
Siemens Search vendor "Siemens"		Desigo Cc Search vendor "Siemens" for product "Desigo Cc"				*		-		Affected
Siemens Search vendor "Siemens"		Siveillance Control Pro Search vendor "Siemens" for product "Siveillance Control Pro"				*		-		Affected

1 - 5 of 5