SB2022010611 - Multiple vulnerabilities in Siemens SiPass integrated

Security Bulletin ID SB2022010611

Severity

Medium

Patch available

YES

Number of vulnerabilities 3

Exploitation vector Remote access

Highest impact Information disclosure

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 3 secuirty vulnerabilities.

1) Exposure of Resource to Wrong Sphere (CVE-ID: CVE-2021-44522)

The vulnerability allows a remote attacker to compromise the system.

The vulnerability exists due to the affected applications insufficiently limit the access to the internal message broker system. A remote attacker can subscribe to arbitrary message queues.

2) Exposure of Resource to Wrong Sphere (CVE-ID: CVE-2021-44523)

The vulnerability allows a remote attacker to compromise the system.

The vulnerability exists due to the affected applications insufficiently limit the access to the internal activity feed database. A remote attacker can read, modify or delete activity feed entries.

3) Exposure of Resource to Wrong Sphere (CVE-ID: CVE-2021-44524)

The vulnerability allows a remote attacker to compromise the system.

The vulnerability exists due to the affected applications insufficiently limit the access to the internal user authentication service. A remote attacker can trigger several actions on behalf of valid user.

Remediation

Install update from vendor's website.

References

https://cert-portal.siemens.com/productcert/pdf/ssa-160202.pdf

SB2022010611 - Multiple vulnerabilities in Siemens SiPass integrated

Breakdown by Severity

Description

Remediation

References

Please verify you're human