CVE-2021-43551

Published on: 11/17/2021 12:00:00 AM UTC

Last Modified on: 12/30/2021 09:15:00 PM UTC

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N

Certain versions of Pi Vision from Osisoft contain the following vulnerability:

A remote attacker with write access to PI Vision could inject code into a display. Unauthorized information disclosure, modification, or deletion is possible if a victim views or interacts with the infected display using Microsoft Internet Explorer. The impact affects PI System data and other data accessible with victim's user permissions.

  • CVE-2021-43551 has been assigned by URL Logo [email protected] to track the vulnerability - currently rated as MEDIUM severity.
  • Affected Vendor/Software: URL Logo OSIsoft - PI Vision version <= 2021
Vulnerability Patch/Work Around
  • OSIsoft recommends upgrading to PI vision 2021. Information can be found in the OSIsoft PI Vision security bulletin (registration required). OSIsoft recommends users apply the following workarounds for PI Vision to help reduce risk: Configure Publisher and Explorer roles in PI Vision User Access Levels to restrict which users can create or modify displays. Remove any Limits properties from AF child attributes using PI System Explorer or a bulk editing tool. OSIsoft recommends the following defense measures to lower the impact of exploitation for PI Vision: Use a modern web browser such as Microsoft Edge, Google Chrome, or Mozilla FireFox. Do not use Microsoft Internet Explorer. If upgrade is not an option, administrators should regularly audit the AF hierarchy to ensure there are no unexpected or unknown elements, attributes, or attribute properties. It is recommended security on elements in AF be configured and enforced in addition to configuring PI point security. Potential unauthorized viewing of PI System data due to this issue is limited to permissions granted to the PI Vision Application Pool Identity.  Configure a dedicated identity mapping for PI Vision servers and manage permissions in accordance with a data classification policy. See OSIsoft customer portal knowledge article for additional details and associated security updates (registration required).

CVSS3 Score: 5.4 - MEDIUM

Attack
Vector
Attack
Complexity
Privileges
Required
User
Interaction
NETWORK LOW LOW REQUIRED
Scope Confidentiality
Impact
Integrity
Impact
Availability
Impact
CHANGED LOW LOW NONE

CVSS2 Score: 3.5 - LOW

Access
Vector
Access
Complexity
Authentication
NETWORK MEDIUM SINGLE
Confidentiality
Impact
Integrity
Impact
Availability
Impact
NONE PARTIAL NONE

CVE References

Description Tags Link
OSIsoft PI Vision | CISA us-cert.cisa.gov
text/html
URL Logo MISC us-cert.cisa.gov/ics/advisories/icsa-21-313-05

Known Affected Configurations (CPE V2.3)

Type Vendor Product Version Update Edition Language
ApplicationOsisoftPi VisionAllAllAllAll
  • cpe:2.3:a:osisoft:pi_vision:*:*:*:*:*:*:*:*:

Social Mentions

Source Title Posted (UTC)
Twitter Icon @CVEreport CVE-2021-43551 : A remote attacker with write access to PI Vision could inject code into a display. Unauthorized in… twitter.com/i/web/status/1… 2021-11-17 19:13:20
Twitter Icon @prophaze CVE-2021-43551 prophaze.com/cve/cve-2021-4… 2021-11-17 23:04:04
© CVE.report 2022 Twitter Nitter Twitter Viewer |

Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.

CVE, CWE, and OVAL are registred trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.

CVE.report and Source URL Uptime Status status.cve.report