CVE-2021-35528 HIGH

Published: 2021-11-17 | Last Modified: 2024-11-21 | Status: Modified

Description

Improper Access Control vulnerability in the application authentication and authorization of Hitachi Energy Retail Operations, Counterparty Settlement and Billing (CSB) allows an attacker to execute a modified signed Java Applet JAR file. A successful exploitation may lead to data extraction or modification of data inside the application. This issue affects: Hitachi Energy Retail Operations 5.7.3 and prior versions. Hitachi Energy Counterparty Settlement and Billing (CSB) 5.7.3 prior versions.

Additional Descriptions (1)

Una vulnerabilidad de control de acceso inapropiado en la autenticación y autorización de la aplicación de Hitachi Energy Retail Operations, Counterparty Settlement and Billing (CSB) permite a un atacante ejecutar un archivo JAR Java Applet firmado modificado. Una explotación con éxito puede conllevar a una extracción de datos o la modificación de datos dentro de la aplicación. Este problema afecta a: Hitachi Energy Retail Operations versiones 5.7.3 y anteriores. Hitachi Energy Counterparty Settlement and Billing (CSB) versiones 5.7.3 y anteriores

CVSS Metrics

Base Score: 7.1 (HIGH)

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Attack Vector	LOCAL
Attack Complexity	LOW
Privileges Required	LOW
User Interaction	NONE
Scope	UNCHANGED
Confidentiality Impact	HIGH
Integrity Impact	HIGH
Availability Impact	NONE

Source: [email protected]

Type: Primary

Exploitability Score: 1.8

Impact Score: 5.2

Base Score: 3.6 (LOW)

AV:L/AC:L/Au:N/C:P/I:P/A:N

Access Vector	LOCAL
Access Complexity	LOW
Authentication	NONE
Confidentiality Impact	PARTIAL
Integrity Impact	PARTIAL
Availability Impact	NONE

Source: [email protected]

Type: Primary

Exploitability Score: 3.9

Impact Score: 4.9

Weaknesses

Source	Type	Description
[email protected]	Secondary	en CWE-284
[email protected]	Primary	en NVD-CWE-Other

Affected Products

Vendor	Product	Version	Update	Type
hitachienergy	counterparty_settlements_and_billing	*	<built-in method update of dict object at 0x72a9cc67b3c0>	Application
hitachienergy	retail_operations	*	<built-in method update of dict object at 0x72a9cc660a00>	Application

Affected Configurations

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:a:hitachienergy:counterparty_settlements_and_billing::::::::`
Yes	`cpe:2.3:a:hitachienergy:retail_operations::::::::`

References

https://search.abb.com/library/Download.aspx?DocumentID=8DBD000067&LanguageCode=en&DocumentPartId=&Action=Launch
Source: [email protected]

Vendor Advisory
https://search.abb.com/library/Download.aspx?DocumentID=8DBD000068&LanguageCode=en&DocumentPartId=&Action=Launch
Source: [email protected]

Vendor Advisory
https://search.abb.com/library/Download.aspx?DocumentID=8DBD000067&LanguageCode=en&DocumentPartId=&Action=Launch
Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory
https://search.abb.com/library/Download.aspx?DocumentID=8DBD000068&LanguageCode=en&DocumentPartId=&Action=Launch
Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory