Exposure of Cleartext Credentials in AVEVA InTouch Runtime by Authorized Users
CVE-2021-32942

6.6MEDIUM

Key Information:

Vendor: Aveva
Status: Intouch
Vendor: CVE Published:; 9 June 2021

What is CVE-2021-32942?

This vulnerability allows an authorized, privileged user of AVEVA InTouch Runtime to potentially expose sensitive cleartext credentials. The risk arises when a diagnostic memory dump is created and saved to a non-protected location, leading to unauthorized access to sensitive information. It is crucial for users and organizations to ensure that sensitive credential storage and memory dumps are adequately protected to mitigate this risk.

Affected Version(s)

InTouch <= 2020 R2

References

https://us-cert.cisa.gov/ics/advisories/icsa-21-159-03

x_refsource_MISC

https://www.aveva.com/en/support/cyber-security-updates/

x_refsource_MISC

CVSS V3.1

Score:

6.6

Severity:

MEDIUM

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 9, 2021
Vulnerability Reserved
May 13, 2021

Credit

Ilya Karpov, Evgeniy Druzhinin, and Konstantin Kondratev of Rostelecom-Solar reported this vulnerability to AVEVA.

Aveva

What is CVE-2021-32942?

Affected Version(s)

References

CVSS V3.1

Timeline

Credit