CVE-2021-38410

Summary

CVE	CVE-2021-38410
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2022-07-27 21:15:00 UTC
Updated	2022-08-04 02:48:00 UTC
Description	AVEVA Software Platform Common Services (PCS) Portal versions 4.5.2, 4.5.1, 4.5.0, and 4.4.6 are vulnerable to DLL hijacking through an uncontrolled search path element, which may allow an attacker control to one or more locations in the search path.

Risk And Classification

Problem Types: CWE-427

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Aveva	Batch Management	2020	All	All	All
Application	Aveva	Enterprise Data Management	2020	All	All	All
Application	Aveva	Manufacturing Execution System	2020	All	All	All
Application	Aveva	Mobile Operator	2020	All	All	All
Application	Aveva	Platform Common Services	4.4.6	All	All	All
Application	Aveva	Platform Common Services	4.5.0	All	All	All
Application	Aveva	Platform Common Services	4.5.1	All	All	All
Application	Aveva	Platform Common Services	4.5.2	All	All	All
Application	Aveva	System Platform	2020	-	All	All
Application	Aveva	System Platform	2020	r2	All	All
Application	Aveva	System Platform	2020	r2_p01	All	All
Application	Aveva	Work Tasks	2020	-	All	All
Application	Aveva	Work Tasks	2020	update_1	All	All

References

Reference	Source	Link	Tags
www.aveva.com/en/support-and-success/cyber-security-updates	CONFIRM	www.aveva.com
AVEVA PCS Portal \| CISA	CONFIRM	www.cisa.gov
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

Vendor Comments And Credit

Discovery Credit

LEGACY: Noam Moshe of Claroty discovered and disclosed the vulnerability to the AVEVA Software Security Response Center.

Legacy QID Mappings

590590 AVEVA PCS Portal Uncontrolled Search Path Element Vulnerability (ICSA-21-252-01)