CVE-2021-38443
Eclipse CycloneDDS Improper Handling of Syntactically Invalid Structure
Severity Score
9.8
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
Eclipse CycloneDDS versions prior to 0.8.0 improperly handle invalid structures, which may allow an attacker to write arbitrary values in the XML parser.
Eclipse CycloneDDS versiones anteriores a 0.8.0, manejan inapropiadamente las estructuras no válidas, lo que puede permitir a un atacante escribir valores arbitrarios en el analizador XML
*Credits:
Federico Maggi (Trend Micro Research), Ta-Lun Yen, and Chizuru Toyama (TXOne Networks, Trend Micro) reported these vulnerabilities to CISA. In addition, Patrick Kuo, Mars Cheng (TXOne Networks, Trend Micro), Víctor Mayoral-Vilches (Alias Robotics), and Erik Boasson (ADLINK Technology) also contributed to this research.
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2021-08-10 CVE Reserved
- 2022-05-05 CVE Published
- 2023-11-26 EPSS Updated
- 2024-08-04 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-228: Improper Handling of Syntactically Invalid Structure
CAPEC
References (2)
| URL | Tag | Source |
|---|---|---|
| https://projects.eclipse.org/projects/iot.cyclonedds | Product | |
| https://www.cisa.gov/uscert/ics/advisories/icsa-21-315-02 | Third Party Advisory |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Eclipse Search vendor "Eclipse" | Cyclonedds Search vendor "Eclipse" for product "Cyclonedds" | < 0.8.0 Search vendor "Eclipse" for product "Cyclonedds" and version " < 0.8.0" | - |
Affected
| ||||||