{
"document": {
"acknowledgments": [
{
"names": [
"Michael Heinzl"
],
"summary": "reporting these vulnerabilities to CISA"
}
],
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Disclosure is not limited",
"tlp": {
"label": "WHITE"
}
},
"lang": "en-US",
"notes": [
{
"category": "general",
"text": "This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov",
"title": "CISA Disclaimer"
},
{
"category": "summary",
"text": "Michael Heinzl reported these vulnerabilities to CISA.",
"title": "Summary"
},
{
"category": "other",
"text": "No known public exploits specifically target these vulnerabilities.",
"title": "Exploitability"
}
],
"publisher": {
"category": "coordinator",
"contact_details": "CISAservicedesk@cisa.dhs.gov",
"name": "CISA",
"namespace": "https://www.cisa.gov/"
},
"references": [
{
"category": "self",
"summary": "ICS Advisory ICSA-21-217-03 JSON",
"url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/OT/white/2021/icsa-21-217-03.json"
},
{
"category": "self",
"summary": "ICS Advisory ICSA-21-217-03 Web Version",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-21-217-03"
}
],
"title": "ICSA-21-217-03_mySCADA myPRO",
"tracking": {
"current_release_date": "2021-08-05T00:00:00.000000Z",
"generator": {
"engine": {
"name": "CISA USCert CSAF Generator",
"version": "1"
}
},
"id": "ICSA-21-217-03",
"initial_release_date": "2021-08-05T00:00:00.000000Z",
"revision_history": [
{
"date": "2021-08-05T00:00:00.000000Z",
"legacy_version": "Initial",
"number": "1",
"summary": "ICSA-21-217-03 mySCADA myPRO"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "< 8.20.0",
"product": {
"name": "myPRO: All versions prior to 8.20.0",
"product_id": "CSAFPID-0001"
}
}
],
"category": "product_name",
"name": "myPRO"
}
],
"category": "vendor",
"name": "mySCADA"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2021-33013",
"cwe": {
"id": "CWE-284",
"name": "Improper Access Control"
},
"notes": [
{
"category": "summary",
"text": "The affected product does not restrict unauthorized read access to sensitive system information.CVE-2021-33013 has been assigned to this vulnerability. A CVSS v3 base score of 8.2 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N).",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"
}
],
"remediations": [
{
"category": "mitigation",
"details": "mySCADA recommends users apply update v8.20.0 or later.",
"product_ids": [
"CSAFPID-0001"
],
"url": "https://www.myscada.org/version-8-20-0-released-security-update"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"version": "3.0"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2021-33013"
},
{
"cve": "CVE-2021-33009",
"cwe": {
"id": "CWE-434",
"name": "Unrestricted Upload of File with Dangerous Type"
},
"notes": [
{
"category": "summary",
"text": "The affected product allows an unauthenticated remote attacker to upload arbitrary files to the file system.CVE-2021-33009 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
}
],
"remediations": [
{
"category": "mitigation",
"details": "mySCADA recommends users apply update v8.20.0 or later.",
"product_ids": [
"CSAFPID-0001"
],
"url": "https://www.myscada.org/version-8-20-0-released-security-update"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.0"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2021-33009"
},
{
"cve": "CVE-2021-33005",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"
},
"notes": [
{
"category": "summary",
"text": "The affected product allows an unauthenticated remote attacker to upload arbitrary files to arbitrary directories.CVE-2021-33005 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AAV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
}
],
"remediations": [
{
"category": "mitigation",
"details": "mySCADA recommends users apply update v8.20.0 or later.",
"product_ids": [
"CSAFPID-0001"
],
"url": "https://www.myscada.org/version-8-20-0-released-security-update"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.0"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2021-33005"
},
{
"cve": "CVE-2021-27505",
"cwe": {
"id": "CWE-548",
"name": "Exposure of Information Through Directory Listing"
},
"notes": [
{
"category": "summary",
"text": "The affected product does not restrict unauthorized read access to sensitive directory listing information.CVE-2021-27505 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
}
],
"remediations": [
{
"category": "mitigation",
"details": "mySCADA recommends users apply update v8.20.0 or later.",
"product_ids": [
"CSAFPID-0001"
],
"url": "https://www.myscada.org/version-8-20-0-released-security-update"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "CVE-2021-27505"
}
]
}