Cyber Resilience

CVE-2021-22850

Severity: Medium
Published: 19 January 2021
Modified: 21 November 2024
KEV Added: not listed
Patch: none listed
CVSS Score v3.1: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
EPSS Score: 0.0029 (52.9th percentile)
Risk Priority: 11 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2021-22850 is a medium-severity Incorrect Permission Assignment for Critical Resource (CWE-732) vulnerability in the HGiga Oaklouds Portal (referred to as the HGiga EIP product in the vulnerability details). Its CVSS v3.1 base score is 5.3 (Medium); the vector describes a flaw reachable over the network with low attack complexity, no privileges and no user interaction (AV:N/AC:L/PR:N/UI:N), scored for a low confidentiality impact only (C:L/I:N/A:N). Because the description also mentions privileged functions, treat the 5.3 as a floor rather than a ceiling when prioritising.

Operationally, it ranks in the top 47.1% of CVEs by exploit likelihood (EPSS 52.9th percentile) and is not currently listed in the CISA KEV catalog.

Vulnerability details

The HGiga EIP product lacks effective access control on certain pages, allowing attackers to access the database or perform privileged functions without proper authentication or authorization.
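The flaw class described above (a page that reaches the database or a privileged function without any authentication or authorization check) next to a deny-by-default fix, as an added Python illustration. This is not HGiga code and does not reproduce the product's real pages: the route paths, roles, session shape and in-memory database are constructed assumptions. The hardened dispatcher makes every route declare what it requires, so a handler that forgets its own check still fails closed, and `public_routes()` is the review check a tester would run to confirm each session-free page is public on purpose.

```python
"""Added example (not HGiga code): the CWE-306 / CWE-732 pattern behind
CVE-2021-22850, a page that touches the database or a privileged function
without any access check, next to a deny-by-default dispatcher that closes it.
Paths, roles, session shape and the in-memory DB are constructed for the
example and do not reflect the real product."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed stand-in for the portal database.
DB = {
    "users": [
        {"id": 1, "name": "alice", "role": "admin"},
        {"id": 2, "name": "bob", "role": "staff"},
    ]
}


@dataclass
class Request:
    path: str
    session_user: Optional[dict] = None  # None means no authenticated session


@dataclass
class Response:
    status: int
    body: object = None


# ---- Vulnerable shape: handlers are reachable regardless of session state ----
def export_users_vulnerable(req: Request) -> Response:
    # No authentication or authorization before reading the database.
    return Response(200, DB["users"])


def reset_passwords_vulnerable(req: Request) -> Response:
    # Privileged function exposed to anyone who knows the URL.
    for user in DB["users"]:
        user["password_reset"] = True
    return Response(200, "reset")


# ---- Hardened shape: every route declares what it requires; the dispatcher
# enforces it before the handler runs, so a forgotten check fails closed ----
Handler = Callable[[Request], Response]
ROLE_RANK = {"staff": 1, "admin": 2}  # hypothetical role hierarchy


def role_allows(have: str, need: str) -> bool:
    return ROLE_RANK.get(have, 0) >= ROLE_RANK[need]


class Router:
    def __init__(self) -> None:
        self._routes: Dict[str, Tuple[Optional[str], Handler]] = {}

    def route(self, path: str, requires: Optional[str]):
        """Register a handler. requires=None marks a deliberately public page;
        every other page needs a session holding at least that role."""
        def register(fn: Handler) -> Handler:
            self._routes[path] = (requires, fn)
            return fn
        return register

    def dispatch(self, req: Request) -> Response:
        entry = self._routes.get(req.path)
        if entry is None:
            return Response(404)
        requires, handler = entry
        if requires is None:
            return handler(req)
        if req.session_user is None:
            return Response(401)  # CWE-306: authenticate first
        if not role_allows(req.session_user.get("role", ""), requires):
            return Response(403)  # CWE-732: then authorize
        return handler(req)

    def public_routes(self) -> List[str]:
        """Review check: list pages reachable without a session, so each can
        be confirmed as intentionally public rather than an omission."""
        return sorted(p for p, (need, _) in self._routes.items() if need is None)


app = Router()


@app.route("/export_users", requires="admin")
def export_users(req: Request) -> Response:
    return Response(200, DB["users"])


@app.route("/reset_passwords", requires="admin")
def reset_passwords(req: Request) -> Response:
    for user in DB["users"]:
        user["password_reset"] = True
    return Response(200, "reset")


@app.route("/login", requires=None)
def login(req: Request) -> Response:
    return Response(200, "login form")


if __name__ == "__main__":
    anon = Request("/export_users")
    print("vulnerable:", export_users_vulnerable(anon).status)  # 200 for anyone
    print("hardened:  ", app.dispatch(anon).status)              # 401
    print("public pages:", app.public_routes())
```

The point of registering the requirement with the route rather than inside each handler is that the check cannot be skipped by a page the developer forgot about, which is exactly the failure the advisory describes ("certain pages" lacking control while others presumably had it). An unauthenticated session gets 401 before any role comparison, and an authenticated but under-privileged session gets 403, so the two weaknesses are handled in the order a tester would probe them.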

CWE(s)

CWE-306 Missing Authentication for Critical Function
CWE-732 Incorrect Permission Assignment for Critical Resource

Related Threats

No named actor attribution yet; ATT&CK technique mapping for this CVE is in progress.

Affected Assets

Vendor: HGiga
Product: Oaklouds Portal
Versions: all versions

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived generically from the weakness types (CWE-306, CWE-732) cited in the NVD entry rather than from the product itself, so several entries concern physical access and organisational assessment rather than the web application's own page-level access control.

- Addresses CWE-306, CWE-732: The assessment process confirms authentication is present and effective for critical functions, preventing exploitation through missing authentication.
- Addresses CWE-306, CWE-732: Certification assesses that critical functions have the required authentication controls in place.
- Addresses CWE-306, CWE-732: Disabling non-essential functions and services removes the need to secure them, reducing exposure from missing authentication on unnecessary components.
- Addresses CWE-306, CWE-732: The shutoff is a critical function, and the control ensures it cannot be activated without proper (physical) authentication.
- Addresses CWE-306, CWE-732: Requires verification of individual access authorizations before granting facility entry, addressing missing authentication for critical physical access.
- Addresses CWE-306, CWE-732: Implements authentication steps (ID checks, sign-in, escort verification) for physical access to critical functions or locations.
- Addresses CWE-306, CWE-732: Tailoring actions include assigning or restricting permissions on critical resources to the minimum necessary for the system's purpose and threat environment.
- Addresses CWE-306, CWE-732: Protection planning for critical infrastructure directly calls for authentication of access to essential functions before any operation is permitted.
