// For flags

CVE-2021-41744

 

Severity Score

9.8
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

All versions of yongyou PLM are affected by a command injection issue. UFIDA PLM (Product Life Cycle Management) is a strategic management method. It applies a series of enterprise application systems to support the entire process from conceptual design to the end of product life, and the collaborative creation, distribution, application and management of product information across organizations. Yonyou PLM uses jboss by default, and you can access the management control background without authorization An attacker can use this vulnerability to gain server permissions.

Todas las versiones de yongyou PLM están afectadas por un problema de inyección de comandos. UFIDA PLM (Product Life Cycle Management) es un método de administración estratégica. Aplica una serie de sistemas de aplicaciones empresariales para apoyar todo el proceso, desde el diseño conceptual hasta el final de la vida del producto, y la creación, distribución, aplicación y administración de la información del producto en colaboración con todas las organizaciones. Yonyou PLM usa jboss por defecto, y puede acceder al fondo de control de administración sin autorización. Un atacante puede usar esta vulnerabilidad para conseguir permisos de servidor

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Network
Attack Complexity
Low
Authentication
None
Confidentiality
Partial
Integrity
Partial
Availability
Partial
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2021-09-27 CVE Reserved
  • 2021-10-22 CVE Published
  • 2024-08-04 CVE Updated
  • 2025-03-30 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
CAPEC
References (1)
URL Tag Source
https://www.cnvd.org.cn/flaw/show/CNVD-2021-39097 Third Party Advisory
URL Date SRC
URL Date SRC
URL Date SRC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Yonyou
Search vendor "Yonyou"
 Ufida Product Lifecycle Management
Search vendor "Yonyou" for product "Ufida Product Lifecycle Management"
--
Affected