{
  "document": {
    "title": "SSA-163251: Multiple Vulnerabilities in SINEC NMS",
    "category": "Siemens Security Advisory",
    "csaf_version": "2.0",
    "publisher": {
      "name": "Siemens ProductCERT",
      "contact_details": "productcert@siemens.com",
      "category": "vendor",
      "namespace": "https://www.siemens.com"
    },
    "distribution": {
      "text": "Disclosure is not limited.",
      "tlp": {
        "label": "WHITE"
      }
    },
    "tracking": {
      "id": "SSA-163251",
      "status": "final",
      "version": "1",
      "revision_history": [
        {
          "number": "1",
          "legacy_version": "1.0",
          "date": "2021-10-12T00:00:00Z",
          "summary": "Publication Date"
        }
      ],
      "initial_release_date": "2021-10-12T00:00:00Z",
      "current_release_date": "2021-10-12T00:00:00Z",
      "generator": {
        "engine": {
          "name": "Siemens ProductCERT CSAF Generator",
          "version": "1"
        }
      }
    },
    "notes": [
      {
        "title": "Summary",
        "category": "summary",
        "text": "The latest update for SINEC NMS fixes multiple vulnerabilities. The most severe could allow an authenticated remote attacker to execute arbitrary code on the system, with system privileges, under certain conditions.\n\nSiemens has released an update for SINEC NMS and recommends to update to the latest version."
      },
      {
        "title": "General Recommendations",
        "category": "general",
        "text": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens' operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity"
      },
      {
        "title": "Additional Resources",
        "category": "general",
        "text": "For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: https://www.siemens.com/cert/advisories"
      },
      {
        "title": "Terms of Use",
        "category": "legal_disclaimer",
        "text": "Siemens Security Advisories are subject to the terms and conditions contained in Siemens' underlying license terms or other applicable agreements previously agreed to with Siemens (hereinafter \"License Terms\"). To the extent applicable to information, software or documentation made available in or through a Siemens Security Advisory, the Terms of Use of Siemens' Global Website (https://www.siemens.com/terms_of_use, hereinafter \"Terms of Use\"), in particular Sections 8-10 of the Terms of Use, shall apply additionally. In case of conflicts, the License Terms shall prevail over the Terms of Use."
      }
    ],
    "references": [
      {
        "category": "self",
        "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-163251.pdf",
        "summary": "SSA-163251: Multiple Vulnerabilities in SINEC NMS - PDF Version"
      },
      {
        "category": "self",
        "url": "https://cert-portal.siemens.com/productcert/txt/ssa-163251.txt",
        "summary": "SSA-163251: Multiple Vulnerabilities in SINEC NMS - TXT Version"
      },
      {
        "category": "self",
        "url": "https://cert-portal.siemens.com/productcert/csaf/ssa-163251.json",
        "summary": "SSA-163251: Multiple Vulnerabilities in SINEC NMS - CSAF Version"
      }
    ],
    "acknowledgments": [
      {
        "names": [
          "Noam Moshe"
        ],
        "organization": "Claroty",
        "summary": "coordinated disclosure"
      }
    ]
  },
  "product_tree": {
    "branches": [
      {
        "name": "Siemens",
        "category": "vendor",
        "branches": [
          {
            "name": "SINEC NMS",
            "category": "product_name",
            "branches": [
              {
                "name": "< V1.0 SP2 Update 1",
                "category": "product_version_range",
                "product": {
                  "product_id": "1",
                  "name": "SINEC NMS"
                }
              }
            ]
          }
        ]
      }
    ]
  },
  "vulnerabilities": [
    {
      "title": "CVE-2021-33722",
      "notes": [
        {
          "title": "Summary",
          "category": "summary",
          "text": "The affected system has a Path Traversal vulnerability when exporting a firmware container. With this a privileged authenticated attacker could create arbitrary files on an affected system."
        }
      ],
      "cve": "CVE-2021-33722",
      "cwe": {
        "id": "CWE-22",
        "name": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"
      },
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "scores": [
        {
          "cvss_v3": {
            "version": "3.1",
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C"
          },
          "products": [
            "1"
          ]
        }
      ],
      "remediations": [
        {
          "product_ids": [
            "1"
          ],
          "category": "vendor_fix",
          "details": "Update to V1.0 SP2 Update 1 or later version",
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109802731/"
        },
        {
          "product_ids": [
            "1"
          ],
          "category": "mitigation",
          "details": "Restrict access to the affected systems, especially to port 443/tcp, to trusted IP addresses only"
        }
      ],
      "references": [
        {
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109802731/",
          "summary": "CVE-2021-33722 - SINEC NMS"
        },
        {
          "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2021-33722.json",
          "summary": "CVE-2021-33722 Mitre 5.0 json"
        }
      ]
    },
    {
      "title": "CVE-2021-33723",
      "notes": [
        {
          "title": "Summary",
          "category": "summary",
          "text": "An authenticated attacker could change the user profile of any user without proper authorization. With this, the attacker could change the password of any user in the affected system."
        }
      ],
      "cve": "CVE-2021-33723",
      "cwe": {
        "id": "CWE-285",
        "name": "Improper Authorization"
      },
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "scores": [
        {
          "cvss_v3": {
            "version": "3.1",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C"
          },
          "products": [
            "1"
          ]
        }
      ],
      "remediations": [
        {
          "product_ids": [
            "1"
          ],
          "category": "vendor_fix",
          "details": "Update to V1.0 SP2 Update 1 or later version",
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109802731/"
        },
        {
          "product_ids": [
            "1"
          ],
          "category": "mitigation",
          "details": "Restrict access to the affected systems, especially to port 443/tcp, to trusted IP addresses only"
        }
      ],
      "references": [
        {
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109802731/",
          "summary": "CVE-2021-33723 - SINEC NMS"
        },
        {
          "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2021-33723.json",
          "summary": "CVE-2021-33723 Mitre 5.0 json"
        }
      ]
    },
    {
      "title": "CVE-2021-33724",
      "notes": [
        {
          "title": "Summary",
          "category": "summary",
          "text": "The affected system contains an Arbitrary File Deletion vulnerability that possibly allows to delete an arbitrary file or directory under a user controlled path."
        }
      ],
      "cve": "CVE-2021-33724",
      "cwe": {
        "id": "CWE-22",
        "name": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"
      },
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "scores": [
        {
          "cvss_v3": {
            "version": "3.1",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C"
          },
          "products": [
            "1"
          ]
        }
      ],
      "remediations": [
        {
          "product_ids": [
            "1"
          ],
          "category": "vendor_fix",
          "details": "Update to V1.0 SP2 Update 1 or later version",
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109802731/"
        },
        {
          "product_ids": [
            "1"
          ],
          "category": "mitigation",
          "details": "Restrict access to the affected systems, especially to port 443/tcp, to trusted IP addresses only"
        }
      ],
      "references": [
        {
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109802731/",
          "summary": "CVE-2021-33724 - SINEC NMS"
        },
        {
          "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2021-33724.json",
          "summary": "CVE-2021-33724 Mitre 5.0 json"
        }
      ]
    },
    {
      "title": "CVE-2021-33725",
      "notes": [
        {
          "title": "Summary",
          "category": "summary",
          "text": "The affected system allows to delete arbitrary files or directories under a user controlled path and does not correctly check if the relative path is still within the intended target directory."
        }
      ],
      "cve": "CVE-2021-33725",
      "cwe": {
        "id": "CWE-22",
        "name": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"
      },
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "scores": [
        {
          "cvss_v3": {
            "version": "3.1",
            "baseScore": 4.9,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C"
          },
          "products": [
            "1"
          ]
        }
      ],
      "remediations": [
        {
          "product_ids": [
            "1"
          ],
          "category": "vendor_fix",
          "details": "Update to V1.0 SP2 Update 1 or later version",
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109802731/"
        },
        {
          "product_ids": [
            "1"
          ],
          "category": "mitigation",
          "details": "Restrict access to the affected systems, especially to port 443/tcp, to trusted IP addresses only"
        }
      ],
      "references": [
        {
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109802731/",
          "summary": "CVE-2021-33725 - SINEC NMS"
        },
        {
          "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2021-33725.json",
          "summary": "CVE-2021-33725 Mitre 5.0 json"
        }
      ]
    },
    {
      "title": "CVE-2021-33726",
      "notes": [
        {
          "title": "Summary",
          "category": "summary",
          "text": "The affected system allows to download arbitrary files under a user controlled path and does not correctly check if the relative path is still within the intended target directory."
        }
      ],
      "cve": "CVE-2021-33726",
      "cwe": {
        "id": "CWE-22",
        "name": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"
      },
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "scores": [
        {
          "cvss_v3": {
            "version": "3.1",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C"
          },
          "products": [
            "1"
          ]
        }
      ],
      "remediations": [
        {
          "product_ids": [
            "1"
          ],
          "category": "vendor_fix",
          "details": "Update to V1.0 SP2 Update 1 or later version",
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109802731/"
        },
        {
          "product_ids": [
            "1"
          ],
          "category": "mitigation",
          "details": "Restrict access to the affected systems, especially to port 443/tcp, to trusted IP addresses only"
        }
      ],
      "references": [
        {
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109802731/",
          "summary": "CVE-2021-33726 - SINEC NMS"
        },
        {
          "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2021-33726.json",
          "summary": "CVE-2021-33726 Mitre 5.0 json"
        }
      ]
    },
    {
      "title": "CVE-2021-33727",
      "notes": [
        {
          "title": "Summary",
          "category": "summary",
          "text": "An authenticated attacker could download the user profile of any user. With this, the attacker could leak confidential information of any user in the affected system."
        }
      ],
      "cve": "CVE-2021-33727",
      "cwe": {
        "id": "CWE-200",
        "name": "Exposure of Sensitive Information to an Unauthorized Actor"
      },
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "scores": [
        {
          "cvss_v3": {
            "version": "3.1",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C"
          },
          "products": [
            "1"
          ]
        }
      ],
      "remediations": [
        {
          "product_ids": [
            "1"
          ],
          "category": "vendor_fix",
          "details": "Update to V1.0 SP2 Update 1 or later version",
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109802731/"
        },
        {
          "product_ids": [
            "1"
          ],
          "category": "mitigation",
          "details": "Restrict access to the affected systems, especially to port 443/tcp, to trusted IP addresses only"
        }
      ],
      "references": [
        {
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109802731/",
          "summary": "CVE-2021-33727 - SINEC NMS"
        },
        {
          "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2021-33727.json",
          "summary": "CVE-2021-33727 Mitre 5.0 json"
        }
      ]
    },
    {
      "title": "CVE-2021-33728",
      "notes": [
        {
          "title": "Summary",
          "category": "summary",
          "text": "The affected system allows to upload JSON objects that are deserialized to JAVA objects. Due to insecure deserialization of user-supplied content by the affected software, a privileged attacker could exploit this vulnerability by sending a crafted serialized Java object.\n\nAn exploit could allow the attacker to execute arbitrary code on the device with root privileges."
        }
      ],
      "cve": "CVE-2021-33728",
      "cwe": {
        "id": "CWE-502",
        "name": "Deserialization of Untrusted Data"
      },
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "scores": [
        {
          "cvss_v3": {
            "version": "3.1",
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C"
          },
          "products": [
            "1"
          ]
        }
      ],
      "remediations": [
        {
          "product_ids": [
            "1"
          ],
          "category": "vendor_fix",
          "details": "Update to V1.0 SP2 Update 1 or later version",
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109802731/"
        },
        {
          "product_ids": [
            "1"
          ],
          "category": "mitigation",
          "details": "Restrict access to the affected systems, especially to port 443/tcp, to trusted IP addresses only"
        }
      ],
      "references": [
        {
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109802731/",
          "summary": "CVE-2021-33728 - SINEC NMS"
        },
        {
          "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2021-33728.json",
          "summary": "CVE-2021-33728 Mitre 5.0 json"
        }
      ]
    },
    {
      "title": "CVE-2021-33729",
      "notes": [
        {
          "title": "Summary",
          "category": "summary",
          "text": "An authenticated attacker that is able to import firmware containers to an affected system could execute arbitrary commands in the local database."
        }
      ],
      "cve": "CVE-2021-33729",
      "cwe": {
        "id": "CWE-89",
        "name": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
      },
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "scores": [
        {
          "cvss_v3": {
            "version": "3.1",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C"
          },
          "products": [
            "1"
          ]
        }
      ],
      "remediations": [
        {
          "product_ids": [
            "1"
          ],
          "category": "vendor_fix",
          "details": "Update to V1.0 SP2 Update 1 or later version",
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109802731/"
        },
        {
          "product_ids": [
            "1"
          ],
          "category": "mitigation",
          "details": "Restrict access to the affected systems, especially to port 443/tcp, to trusted IP addresses only"
        }
      ],
      "references": [
        {
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109802731/",
          "summary": "CVE-2021-33729 - SINEC NMS"
        },
        {
          "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2021-33729.json",
          "summary": "CVE-2021-33729 Mitre 5.0 json"
        }
      ]
    },
    {
      "title": "CVE-2021-33730",
      "notes": [
        {
          "title": "Summary",
          "category": "summary",
          "text": "A privileged authenticated attacker could execute arbitrary commands in the local database by sending crafted requests to the webserver of the affected application."
        }
      ],
      "cve": "CVE-2021-33730",
      "cwe": {
        "id": "CWE-89",
        "name": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
      },
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "scores": [
        {
          "cvss_v3": {
            "version": "3.1",
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C"
          },
          "products": [
            "1"
          ]
        }
      ],
      "remediations": [
        {
          "product_ids": [
            "1"
          ],
          "category": "vendor_fix",
          "details": "Update to V1.0 SP2 Update 1 or later version",
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109802731/"
        },
        {
          "product_ids": [
            "1"
          ],
          "category": "mitigation",
          "details": "Restrict access to the affected systems, especially to port 443/tcp, to trusted IP addresses only"
        }
      ],
      "references": [
        {
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109802731/",
          "summary": "CVE-2021-33730 - SINEC NMS"
        },
        {
          "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2021-33730.json",
          "summary": "CVE-2021-33730 Mitre 5.0 json"
        }
      ]
    },
    {
      "title": "CVE-2021-33731",
      "notes": [
        {
          "title": "Summary",
          "category": "summary",
          "text": "A privileged authenticated attacker could execute arbitrary commands in the local database by sending crafted requests to the webserver of the affected application."
        }
      ],
      "cve": "CVE-2021-33731",
      "cwe": {
        "id": "CWE-89",
        "name": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
      },
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "scores": [
        {
          "cvss_v3": {
            "version": "3.1",
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C"
          },
          "products": [
            "1"
          ]
        }
      ],
      "remediations": [
        {
          "product_ids": [
            "1"
          ],
          "category": "vendor_fix",
          "details": "Update to V1.0 SP2 Update 1 or later version",
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109802731/"
        },
        {
          "product_ids": [
            "1"
          ],
          "category": "mitigation",
          "details": "Restrict access to the affected systems, especially to port 443/tcp, to trusted IP addresses only"
        }
      ],
      "references": [
        {
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109802731/",
          "summary": "CVE-2021-33731 - SINEC NMS"
        },
        {
          "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2021-33731.json",
          "summary": "CVE-2021-33731 Mitre 5.0 json"
        }
      ]
    },
    {
      "title": "CVE-2021-33732",
      "notes": [
        {
          "title": "Summary",
          "category": "summary",
          "text": "A privileged authenticated attacker could execute arbitrary commands in the local database by sending crafted requests to the webserver of the affected application."
        }
      ],
      "cve": "CVE-2021-33732",
      "cwe": {
        "id": "CWE-89",
        "name": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
      },
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "scores": [
        {
          "cvss_v3": {
            "version": "3.1",
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C"
          },
          "products": [
            "1"
          ]
        }
      ],
      "remediations": [
        {
          "product_ids": [
            "1"
          ],
          "category": "vendor_fix",
          "details": "Update to V1.0 SP2 Update 1 or later version",
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109802731/"
        },
        {
          "product_ids": [
            "1"
          ],
          "category": "mitigation",
          "details": "Restrict access to the affected systems, especially to port 443/tcp, to trusted IP addresses only"
        }
      ],
      "references": [
        {
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109802731/",
          "summary": "CVE-2021-33732 - SINEC NMS"
        },
        {
          "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2021-33732.json",
          "summary": "CVE-2021-33732 Mitre 5.0 json"
        }
      ]
    },
    {
      "title": "CVE-2021-33733",
      "notes": [
        {
          "title": "Summary",
          "category": "summary",
          "text": "A privileged authenticated attacker could execute arbitrary commands in the local database by sending crafted requests to the webserver of the affected application."
        }
      ],
      "cve": "CVE-2021-33733",
      "cwe": {
        "id": "CWE-89",
        "name": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
      },
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "scores": [
        {
          "cvss_v3": {
            "version": "3.1",
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C"
          },
          "products": [
            "1"
          ]
        }
      ],
      "remediations": [
        {
          "product_ids": [
            "1"
          ],
          "category": "vendor_fix",
          "details": "Update to V1.0 SP2 Update 1 or later version",
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109802731/"
        },
        {
          "product_ids": [
            "1"
          ],
          "category": "mitigation",
          "details": "Restrict access to the affected systems, especially to port 443/tcp, to trusted IP addresses only"
        }
      ],
      "references": [
        {
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109802731/",
          "summary": "CVE-2021-33733 - SINEC NMS"
        },
        {
          "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2021-33733.json",
          "summary": "CVE-2021-33733 Mitre 5.0 json"
        }
      ]
    },
    {
      "title": "CVE-2021-33734",
      "notes": [
        {
          "title": "Summary",
          "category": "summary",
          "text": "A privileged authenticated attacker could execute arbitrary commands in the local database by sending crafted requests to the webserver of the affected application."
        }
      ],
      "cve": "CVE-2021-33734",
      "cwe": {
        "id": "CWE-89",
        "name": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
      },
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "scores": [
        {
          "cvss_v3": {
            "version": "3.1",
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C"
          },
          "products": [
            "1"
          ]
        }
      ],
      "remediations": [
        {
          "product_ids": [
            "1"
          ],
          "category": "vendor_fix",
          "details": "Update to V1.0 SP2 Update 1 or later version",
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109802731/"
        },
        {
          "product_ids": [
            "1"
          ],
          "category": "mitigation",
          "details": "Restrict access to the affected systems, especially to port 443/tcp, to trusted IP addresses only"
        }
      ],
      "references": [
        {
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109802731/",
          "summary": "CVE-2021-33734 - SINEC NMS"
        },
        {
          "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2021-33734.json",
          "summary": "CVE-2021-33734 Mitre 5.0 json"
        }
      ]
    },
    {
      "title": "CVE-2021-33735",
      "notes": [
        {
          "title": "Summary",
          "category": "summary",
          "text": "A privileged authenticated attacker could execute arbitrary commands in the local database by sending crafted requests to the webserver of the affected application."
        }
      ],
      "cve": "CVE-2021-33735",
      "cwe": {
        "id": "CWE-89",
        "name": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
      },
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "scores": [
        {
          "cvss_v3": {
            "version": "3.1",
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C"
          },
          "products": [
            "1"
          ]
        }
      ],
      "remediations": [
        {
          "product_ids": [
            "1"
          ],
          "category": "vendor_fix",
          "details": "Update to V1.0 SP2 Update 1 or later version",
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109802731/"
        },
        {
          "product_ids": [
            "1"
          ],
          "category": "mitigation",
          "details": "Restrict access to the affected systems, especially to port 443/tcp, to trusted IP addresses only"
        }
      ],
      "references": [
        {
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109802731/",
          "summary": "CVE-2021-33735 - SINEC NMS"
        },
        {
          "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2021-33735.json",
          "summary": "CVE-2021-33735 Mitre 5.0 json"
        }
      ]
    },
    {
      "title": "CVE-2021-33736",
      "notes": [
        {
          "title": "Summary",
          "category": "summary",
          "text": "A privileged authenticated attacker could execute arbitrary commands in the local database by sending crafted requests to the webserver of the affected application."
        }
      ],
      "cve": "CVE-2021-33736",
      "cwe": {
        "id": "CWE-89",
        "name": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
      },
      "product_status": {
        "known_affected": [
          "1"
        ]
      },
      "scores": [
        {
          "cvss_v3": {
            "version": "3.1",
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C"
          },
          "products": [
            "1"
          ]
        }
      ],
      "remediations": [
        {
          "product_ids": [
            "1"
          ],
          "category": "vendor_fix",
          "details": "Update to V1.0 SP2 Update 1 or later version",
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109802731/"
        },
        {
          "product_ids": [
            "1"
          ],
          "category": "mitigation",
          "details": "Restrict access to the affected systems, especially to port 443/tcp, to trusted IP addresses only"
        }
      ],
      "references": [
        {
          "url": "https://support.industry.siemens.com/cs/ww/en/view/109802731/",
          "summary": "CVE-2021-33736 - SINEC NMS"
        },
        {
          "url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2021-33736.json",
          "summary": "CVE-2021-33736 Mitre 5.0 json"
        }
      ]
    }
  ]
}

