Authorization bypass through user-controlled key in Teamcenter

#VU56676 Authorization bypass through user-controlled key in Teamcenter

Published: 2021-09-17

Vulnerability identifier: #VU56676

Vulnerability risk: Low

CVSSv3.1: 6.3 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-40355

CWE-ID: CWE-639

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Teamcenter
Other software / Other software solutions

Vendor: Siemens

Description

The vulnerability allows a remote user to compromise the target system.

The vulnerability exist due to the affected application contains Insecure Direct Object Reference (IDOR) issue. A remote administrator can use a specially crafted input and access objects directly.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Teamcenter: 12.4 - 13.2

External links
http://cert-portal.siemens.com/productcert/pdf/ssa-987403.pdf

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Siemens Teamcenter