Skip to main content

Command Centre CVE-2021-23193

MEDIUM
Information Exposure (CWE-200)
2021-11-18 disclosures@gallagher.com
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
CVE Published
Nov 18, 2021 - 19:15 nvd
MEDIUM 6.5

DescriptionNVD

Improper privilege validation vulnerability in COM Interface of Gallagher Command Centre Server allows authenticated unprivileged operators to retrieve sensitive information from the Command Centre Server. This issue affects: Gallagher Command Centre 8.50 versions prior to 8.50.2048 (MR3) ; 8.40 versions prior to 8.40.2063 (MR4); 8.30 versions prior to 8.30.1454 (MR4) ; 8.20 versions prior to 8.20.1291 (MR6); version 8.10 and prior versions.

AnalysisAI

Improper privilege validation vulnerability in COM Interface of Gallagher Command Centre Server allows authenticated unprivileged operators to retrieve sensitive information from the Command Centre. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as Exposure of Sensitive Information (CWE-200), which allows attackers to access sensitive data that should not be disclosed. Improper privilege validation vulnerability in COM Interface of Gallagher Command Centre Server allows authenticated unprivileged operators to retrieve sensitive information from the Command Centre Server. This issue affects: Gallagher Command Centre 8.50 versions prior to 8.50.2048 (MR3) ; 8.40 versions prior to 8.40.2063 (MR4); 8.30 versions prior to 8.30.1454 (MR4) ; 8.20 versions prior to 8.20.1291 (MR6); version 8.10 and prior versions. Affected products include: Gallagher Command Centre. Version information: prior to 8.50.2048.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Minimize information in error messages, implement proper access controls, encrypt sensitive data at rest and in transit.

CVE-2020-16098 CRITICAL
9.8 Sep 15

It is possible to enumerate access card credentials via an unauthenticated network connection to the server in versions

CVE-2019-15294 CRITICAL
9.8 Aug 28

An issue was discovered in Gallagher Command Centre 8.10 before 8.10.1092(MR2). Rated critical severity (CVSS 9.8), this

CVE-2021-23140 HIGH
8.8 Jun 11

Improper Authorization vulnerability in Gallagher Command Centre Server allows command line macros to be modified by an

CVE-2020-16103 HIGH
8.8 Dec 14

Type confusion in Gallagher Command Centre Server allows a remote attacker to crash the server or possibly cause remote

CVE-2020-16102 HIGH
8.2 Dec 14

Improper Authentication vulnerability in Gallagher Command Centre Server allows an unauthenticated remote attacker to cr

CVE-2023-23570 HIGH
8.1 Dec 18

Client-Side enforcement of Server-Side security for the Command Centre server could be bypassed and lead to invalid conf

CVE-2021-23205 HIGH
8.1 Jun 11

Improper Encoding or Escaping in Gallagher Command Centre Server allows a Command Centre Operator to alter the configura

CVE-2021-23197 HIGH
7.8 Nov 18

Unquoted service path vulnerability in the Gallagher Controller Service allows an unprivileged user to execute arbitrary

CVE-2020-16096 HIGH
7.7 Sep 15

In Gallagher Command Centre versions 8.10 prior to 8.10.1134(MR4), 8.00 prior to 8.00.1161(MR5), 7.90 prior to 7.90.991(

CVE-2023-22363 HIGH
7.5 Jul 25

A stack-based buffer overflow in the Command Centre Server allows an attacker to cause a denial of service attack via as

CVE-2021-23146 HIGH
7.5 Nov 18

An Incomplete Comparison with Missing Factors vulnerability in the Gallagher Controller allows an attacker to bypass PIV

CVE-2020-16101 HIGH
7.5 Sep 15

It is possible for an unauthenticated remote DCOM websocket connection to crash the Command Centre service due to an out

Share

CVE-2021-23193 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy