Risk | Low |
Patch available | YES |
Number of vulnerabilities | 1 |
CVE-ID | CVE-2021-38410 |
CWE-ID | CWE-427 |
Exploitation vector | Local |
Public exploit | N/A |
Vulnerable software | Platform Common Services (PCS) Portal, AVEVA Batch Management, AVEVA Work Tasks, AVEVA Mobile Operator, AVEVA Manufacturing Execution System, AVEVA Enterprise Data Management (Server applications / Other server solutions); AVEVA System Platform (Server applications / SCADA systems) |
Vendor | AVEVA Software, LLC. |
Security Bulletin
This security bulletin contains one low risk vulnerability.
EUVDB-ID: #VU56440
Risk: Low
CVSSv3.1: 6.4 [CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-38410
CWE-ID:
CWE-427 - Uncontrolled Search Path Element
Exploit availability: No
Description
The vulnerability allows a local user to compromise the vulnerable system.
The vulnerability exists because the application loads DLL libraries in an insecure manner: it resolves a library by unqualified name through a search path that includes directories the application does not fully control (CWE-427, uncontrolled search path element). A local user who can write to one or more of those search-path locations can place a malicious DLL there and have the application load and execute attacker-controlled code.
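The advisory gives no details beyond the CWE class, so the following is an added illustration, not code from AVEVA or from the advisory, of how a local user ends up controlling a search-path location. It is a small Python audit that models the Windows DLL search order (with SafeDllSearchMode on and off) and reports which probed directories a non-admin user could write to before, or instead of, the directory holding the legitimate DLL. The function names, the paths, the DLL names and the writability map in `demo()` are all constructed for this example; on a real host the default predicates consult the filesystem, and on Windows a proper ACL check should replace `os.access`.

```python
import os

# Windows DLL search order for LoadLibrary("name.dll") with an unqualified name,
# for a process that has not restricted the search with SetDefaultDllDirectories
# or LOAD_LIBRARY_SEARCH_* flags. Known DLLs and already-loaded modules are
# resolved before this list and are omitted here.
def dll_search_order(app_dir, system32, system16, windows_dir, cwd, path_env,
                     safe_search=True):
    """Return the directories Windows probes, in probe order."""
    path_dirs = [p for p in path_env.split(";") if p]
    if safe_search:
        # SafeDllSearchMode on (the default): the current directory is probed
        # only after the Windows directories.
        order = [app_dir, system32, system16, windows_dir, cwd]
    else:
        # SafeDllSearchMode off: the current directory comes right after the
        # application directory, ahead of System32.
        order = [app_dir, cwd, system32, system16, windows_dir]
    return order + path_dirs


def hijack_candidates(dll_name, search_order, writable=None, has_file=None):
    """Directories an unprivileged user could plant dll_name in so that the
    planted copy is loaded instead of (or before) the legitimate one.

    Probing stops at the first directory that already holds the DLL, because
    LoadLibrary stops there too. If the DLL is absent everywhere (a "phantom"
    DLL), every writable directory in the order is a candidate.
    """
    if writable is None:  # real filesystem check; use an ACL check on Windows
        writable = lambda d: os.path.isdir(d) and os.access(d, os.W_OK)
    if has_file is None:
        has_file = lambda d: os.path.isfile(os.path.join(d, dll_name))
    candidates = []
    for d in search_order:
        if writable(d):
            candidates.append(d)  # attacker can drop (or overwrite) the DLL here
        if has_file(d):
            break                 # legitimate copy found; later dirs are never probed
    return candidates


def demo():
    """Constructed Windows layout for the example; no real paths are touched."""
    app = r"C:\Program Files\Vendor\App"
    s32 = r"C:\Windows\System32"
    s16 = r"C:\Windows\System"
    win = r"C:\Windows"
    cwd = r"C:\Users\alice\Documents"   # constructed: user-writable working directory
    tools = r"C:\Tools"                 # constructed: on PATH and user-writable
    path_env = s32 + ";" + tools
    writable = lambda d: d in (cwd, tools)
    present = {"sysdep.dll": s32}       # constructed: legitimate copy only in System32
    has = lambda name: (lambda d: present.get(name) == d)

    safe = dll_search_order(app, s32, s16, win, cwd, path_env, safe_search=True)
    unsafe = dll_search_order(app, s32, s16, win, cwd, path_env, safe_search=False)
    return {
        # System32 is probed before the CWD, so a DLL that lives there is safe...
        "system_dll_safe": hijack_candidates("sysdep.dll", safe, writable, has("sysdep.dll")),
        # ...unless SafeDllSearchMode is off, which puts the writable CWD ahead of it.
        "system_dll_unsafe": hijack_candidates("sysdep.dll", unsafe, writable, has("sysdep.dll")),
        # A DLL that exists nowhere can be supplied from any writable probed directory.
        "phantom_dll_safe": hijack_candidates("phantom.dll", safe, writable, has("phantom.dll")),
    }


if __name__ == "__main__":
    for case, dirs in demo().items():
        print(f"{case}: {dirs}")
```

The two things to take from running it: a writable directory is only exploitable if it is probed before the directory that actually holds the DLL, and a DLL the application asks for but never ships (the phantom case) is exploitable from every writable directory on the path. Fixes on the application side are to load by full path, or to call SetDefaultDllDirectories / use LOAD_LIBRARY_SEARCH_SYSTEM32-style flags so the CWD and PATH are never probed.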
Mitigation
Install updates from the vendor's website.
Vulnerable software versions
Platform Common Services (PCS) Portal: 4.4.6 - 4.5.2
AVEVA System Platform: 2020 - 2020 R2 P01
AVEVA Batch Management: 2020
AVEVA Work Tasks: 2020 Update 1
AVEVA Mobile Operator: 2020
AVEVA Manufacturing Execution System: 2020
AVEVA Enterprise Data Management: 2021
External links
http://ics-cert.us-cert.gov/advisories/icsa-21-252-01
http://www.aveva.com/en/support-and-success/cyber-security-updates/
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can only be exploited locally. The attacker must have valid credentials and successfully authenticate on the system, and the attack also requires user interaction (UI:R in the CVSS vector).
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.