CRITICAL🇵🇱 Wersja polska

CVE-2021-42796

CVSS 9.8v3.1pub. 2023-12-16upd. 2024-11-21

An issue was discovered in ExecuteCommand() in AVEVA Edge (formerly InduSoft Web Studio) versions R2020 and prior that allows unauthenticated arbitrary commands to be executed.

🤖 AI Analysis
How it works

The command injection vulnerability is located in the ExecuteCommand() function of AVEVA Edge software. An attacker can remotely, without needing any credentials, submit properly crafted input data that is passed to this function without proper validation or sanitization. As a result, malicious commands are executed directly in the context of the operating system on which the application runs.

Impact

An attacker can gain full control over the target system — read or modify data, install malicious software, and cause service unavailability. In industrial environments (ICS/SCADA), the effects may include disruption of operational processes.

Mitigation & patch

Apply patches available from the manufacturer according to references (CISA ICS-CERT advisory: ICSA-22-326-01 and AVEVA manufacturer information). It is recommended to immediately update to a version newer than R2020 and restrict network access to AVEVA Edge systems according to the principle of least privilege.

Who is affected

AVEVA Edge (formerly InduSoft Web Studio) in versions R2020 and earlier.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Aveva Edge

    APP
    Aveva
    2020< 2020
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Command Injection
CWE
References

Related vulnerabilities

CVE-2018-17914CRITICAL9.8ten sam produkt

InduSoft Web Studio versions prior to 8.1 SP2, and InTouch Edge HMI (formerly InTouch Machine Edition) version...

CVE-2018-17916CRITICAL9.8ten sam produkt

InduSoft Web Studio versions prior to 8.1 SP2, and InTouch Edge HMI (formerly InTouch Machine Edition) version...

CVE-2021-42797HIGH7.5ten sam produkt

Path traversal vulnerability in AVEVA Edge (formerly InduSoft Web Studio) versions R2020 and prior allows an u...

CVE-2023-33873HIGH7.8ten sam produkt

This privilege escalation vulnerability, if exploited, cloud allow a local OS-authenticated user with standar...

CVE-2021-42794MEDIUM5.3ten sam produkt

An issue was discovered in AVEVA Edge (formerly InduSoft Web Studio) versions R2020 and prior. The application...