github - ghsa-hw84-h4fr-vvvc

ghsa-hw84-h4fr-vvvc

Vulnerability from github

Published

2021-11-20 00:00

Modified

2021-11-24 00:00

Details

Philips MRI 1.5T and MRI 3T Version 5.x.x assigns an owner who is outside the intended control sphere to a resource.

Show details on source website

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2021-26248"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-708"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-11-19T19:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Philips MRI 1.5T and MRI 3T Version 5.x.x assigns an owner who is outside the intended control sphere to a resource.",
  "id": "GHSA-hw84-h4fr-vvvc",
  "modified": "2021-11-24T00:00:50Z",
  "published": "2021-11-20T00:00:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-26248"
    },
    {
      "type": "WEB",
      "url": "https://us-cert.cisa.gov/ics/advisories/icsma-21-313-01"
    },
    {
      "type": "WEB",
      "url": "https://www.usa.philips.com/healthcare/about/customer-support/product-security"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

CVE-2021-26248 (GCVE-0-2021-26248)

Vulnerability from cvelistv5

Published

2021-11-19 18:37

Modified

2024-08-03 20:19

Severity ?

6.2 (Medium) - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE

CWE-708 - Incorrect Ownership Assignment

Summary

Philips MRI 1.5T and MRI 3T Version 5.x.x assigns an owner who is outside the intended control sphere to a resource.

References

►

URL

Tags

	https://us-cert.cisa.gov/ics/advisories/icsma-21-313-01	x_refsource_MISC
	https://www.usa.philips.com/healthcare/about/customer-support/product-security	x_refsource_MISC

Impacted products

Vendor

Product

Version

►

Version: All 5.x.x

Version: 5.x.x

Show details on NVD website

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T20:19:20.386Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://us-cert.cisa.gov/ics/advisories/icsma-21-313-01"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.usa.philips.com/healthcare/about/customer-support/product-security"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "MRI 1.5T",
          "vendor": "Philips",
          "versions": [
            {
              "status": "affected",
              "version": "All 5.x.x"
            }
          ]
        },
        {
          "product": "MRI 3T",
          "vendor": "Philips",
          "versions": [
            {
              "status": "affected",
              "version": "5.x.x"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Michael Aguilar, a Secureworks Adversary Group consultant, reported these vulnerabilities to Philips."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Philips MRI 1.5T and MRI 3T Version 5.x.x assigns an owner who is outside the intended control sphere to a resource."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 6.2,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-708",
              "description": "CWE-708 Incorrect Ownership Assignment",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-11-19T18:37:35",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://us-cert.cisa.gov/ics/advisories/icsma-21-313-01"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.usa.philips.com/healthcare/about/customer-support/product-security"
        }
      ],
      "source": {
        "advisory": "ICSMA-21-313-01",
        "discovery": "EXTERNAL"
      },
      "title": "Philips MRI 1.5T and 3T Incorrect Ownership Assignment",
      "workarounds": [
        {
          "lang": "en",
          "value": "Philips plans a new release to remediate these vulnerabilities by October 2022.  As an interim mitigation to these vulnerabilities, Philips recommends the following:\nUsers should operate all Philips deployed and supported products within Philips authorized specifications, including physical and logical controls. Only allowed personnel are permitted in the vicinity of the product. Refer to the Philips instructions for use (IFU) available on InCenter.\n\nUsers with questions about their specific MRI product should contact a Philips service support team or regional service support. Philips contact information is available at the Philips customer service solutions website or by calling 1-800-722-9377. \n\nFor more information regarding these vulnerabilities, see the Philips product security advisory website.\n\nUsers can also visit the Philips product security website for the latest security information for Philips products."
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "ics-cert@hq.dhs.gov",
          "ID": "CVE-2021-26248",
          "STATE": "PUBLIC",
          "TITLE": "Philips MRI 1.5T and 3T Incorrect Ownership Assignment"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "MRI 1.5T",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "=",
                            "version_name": "All",
                            "version_value": "5.x.x"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "MRI 3T",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "=",
                            "version_value": "5.x.x"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Philips"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Michael Aguilar, a Secureworks Adversary Group consultant, reported these vulnerabilities to Philips."
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Philips MRI 1.5T and MRI 3T Version 5.x.x assigns an owner who is outside the intended control sphere to a resource."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 6.2,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-708 Incorrect Ownership Assignment"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://us-cert.cisa.gov/ics/advisories/icsma-21-313-01",
              "refsource": "MISC",
              "url": "https://us-cert.cisa.gov/ics/advisories/icsma-21-313-01"
            },
            {
              "name": "https://www.usa.philips.com/healthcare/about/customer-support/product-security",
              "refsource": "MISC",
              "url": "https://www.usa.philips.com/healthcare/about/customer-support/product-security"
            }
          ]
        },
        "source": {
          "advisory": "ICSMA-21-313-01",
          "discovery": "EXTERNAL"
        },
        "work_around": [
          {
            "lang": "en",
            "value": "Philips plans a new release to remediate these vulnerabilities by October 2022.  As an interim mitigation to these vulnerabilities, Philips recommends the following:\nUsers should operate all Philips deployed and supported products within Philips authorized specifications, including physical and logical controls. Only allowed personnel are permitted in the vicinity of the product. Refer to the Philips instructions for use (IFU) available on InCenter.\n\nUsers with questions about their specific MRI product should contact a Philips service support team or regional service support. Philips contact information is available at the Philips customer service solutions website or by calling 1-800-722-9377. \n\nFor more information regarding these vulnerabilities, see the Philips product security advisory website.\n\nUsers can also visit the Philips product security website for the latest security information for Philips products."
          }
        ]
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2021-26248",
    "datePublished": "2021-11-19T18:37:35",
    "dateReserved": "2021-11-11T00:00:00",
    "dateUpdated": "2024-08-03T20:19:20.386Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Log in or create an account to share your comment.

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.