Vulnerabilities > CVE-2021-37181 - Deserialization of Untrusted Data vulnerability in Siemens Cerberus Dms, Desigo CC and Desigo CC Compact

CVSS 7.5 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

PARTIAL

Integrity impact

PARTIAL

Availability impact

PARTIAL

network

low complexity

siemens

CWE-502

NVD

Published: 2021-09-14

Updated: 2021-09-24

Summary

A vulnerability has been identified in Cerberus DMS V4.0 (All versions), Cerberus DMS V4.1 (All versions), Cerberus DMS V4.2 (All versions), Cerberus DMS V5.0 (All versions < v5.0 QU1), Desigo CC Compact V4.0 (All versions), Desigo CC Compact V4.1 (All versions), Desigo CC Compact V4.2 (All versions), Desigo CC Compact V5.0 (All versions < V5.0 QU1), Desigo CC V4.0 (All versions), Desigo CC V4.1 (All versions), Desigo CC V4.2 (All versions), Desigo CC V5.0 (All versions < V5.0 QU1). The application deserialises untrusted data without sufficient validations, that could result in an arbitrary deserialization. This could allow an unauthenticated attacker to execute code in the affected system. The CCOM communication component used for Windows App / Click-Once and IE Web / XBAP client connectivity are affected by the vulnerability.

Vulnerable Configurations

Part	Description	Count
Application	Siemens Siemens Cerberus DMS 4.0 Siemens Cerberus DMS 4.1 Siemens Cerberus DMS 4.2 Siemens Cerberus DMS 5.0 Siemens Desigo CC 4.0 Siemens Desigo CC 4.1 Siemens Desigo CC 4.2 Siemens Desigo CC 5.0 Siemens Desigo CC Compact 4.0 Siemens Desigo CC Compact 4.1 Siemens Desigo CC Compact 4.2 Siemens Desigo CC Compact 5.0	12

Common Weakness Enumeration (CWE)

CWE-502 - Deserialization of Untrusted Data

References

https://cert-portal.siemens.com/productcert/pdf/ssa-453715.pdf