Vulnerability Details : CVE-2021-34579
In Phoenix Contact: FL MGUARD DM version 1.12.0 and 1.13.0 access to the Apache web server being installed as part of the FL MGUARD DM on Microsoft Windows does not require login credentials even if configured during installation.Attackers with network access to the Apache web server can download and therefore read mGuard configuration profiles (“ATV profiles”). Such configuration profiles may contain sensitive information, e.g. private keys associated with IPsec VPN connections.
Products affected by CVE-2021-34579
- cpe:2.3:a:phoenixcontact:fl_mguard_dm:1.12.0:*:*:*:*:*:*:*
- cpe:2.3:a:phoenixcontact:fl_mguard_dm:1.13.0:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-34579
0.13%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 48 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2021-34579
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.5
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
3.9
|
3.6
|
CERT VDE | |
7.5
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
3.9
|
3.6
|
NIST |
CWE ids for CVE-2021-34579
-
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.Assigned by: info@cert.vde.com (Secondary)
References for CVE-2021-34579
-
https://cert.vde.com/en/advisories/VDE-2021-035/
VDE-2021-035 | CERT@VDEThird Party Advisory
Jump to