Multiple vulnerabilities in Siemens SiPass integrated
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 3 |
| CVE-ID | CVE-2021-44522 CVE-2021-44523 CVE-2021-44524 |
| CWE-ID | N/A |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
SiPass integrated Other software / Other software solutions |
| Vendor | Siemens |
Security Bulletin
This security bulletin contains information about 3 vulnerabilities.
1) Exposure of Resource to Wrong Sphere
EUVDB-ID: #VU59239
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-44522
CWE-ID: N/A
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the system.
The vulnerability exists due to the affected applications insufficiently limit the access to the internal message broker system. A remote attacker can subscribe to arbitrary message queues.
MitigationInstall updates from vendor's website.
Vulnerable software versionsSiPass integrated: 2.76 - 2.85
External linkshttp://cert-portal.siemens.com/productcert/pdf/ssa-160202.pdf
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Exposure of Resource to Wrong Sphere
EUVDB-ID: #VU59243
Risk: Medium
CVSSv3.1: 6.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-44523
CWE-ID: N/A
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the system.
The vulnerability exists due to the affected applications insufficiently limit the access to the internal activity feed database. A remote attacker can read, modify or delete activity feed entries.
MitigationInstall updates from vendor's website.
Vulnerable software versionsSiPass integrated: 2.76 - 2.85
External linkshttp://cert-portal.siemens.com/productcert/pdf/ssa-160202.pdf
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Exposure of Resource to Wrong Sphere
EUVDB-ID: #VU59244
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-44524
CWE-ID: N/A
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the system.
The vulnerability exists due to the affected applications insufficiently limit the access to the internal user authentication service. A remote attacker can trigger several actions on behalf of valid user.
MitigationInstall updates from vendor's website.
Vulnerable software versionsSiPass integrated: 2.76 - 2.85
External linkshttp://cert-portal.siemens.com/productcert/pdf/ssa-160202.pdf
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
