CVE-2021-31891

A vulnerability has been identified in Desigo CC (All versions with OIS Extension Module), GMA-Manager (All versions with OIS running on Debian 9 or earlier), Operation Scheduler (All versions with OIS running on Debian 9 or earlier), Siveillance Control (All versions with OIS running on Debian 9 or earlier), Siveillance Control Pro (All versions). The affected application incorrectly neutralizes special elements in a specific HTTP GET request which could lead to command injection. An unauthenticated remote attacker could exploit this vulnerability to execute arbitrary code on the system with root privileges.

Published: Sep 14, 2021
Updated: Apr 14, 2023
CVE: CVE-2021-31891
Severity: Critical
Exploit:

CVSS v3:

Severity: Critical
Score: 10
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVSS v2:

Severity: High
Score: 10
AV:N/AC:L/Au:N/C:C/I:C/A:C

CWEs:

CWE-78

OWASP TOP 10:

A1 - Injection

Affected Software
References

Software	From	Fixed in
siemens / desigo_cc	-	-
siemens / siveillance_control_pro	-	-
siemens / gma-manager	-	-
siemens / operation_scheduler	-	-
siemens / siveillance_control	-	-

https://cert-portal.siemens.com/productcert/pdf/ssa-535380.pdf

Vulnerability Database

289,599

CVE-2021-31891