Apr 13, 2022 - 4:15 p.m.

CVE-2021-22797

2022-04-13 16:15:09
CWE-22
web.nvd.nist.gov
cve-2021-22797
cwe-22
path traversal
ecostruxure control expert
ecostruxure process expert
scadapack remoteconnect
security vulnerability
nvd
code execution
engineering software
malicious project file

CVSS2: 9.3 High
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C

CVSS3: 7.8 High
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS: 0.002 Low
Percentile: 59.0%

A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists that could cause a malicious script to be deployed in an unauthorized location and may result in code execution on the engineering workstation when a malicious project file is loaded in the engineering software. Affected Product: EcoStruxure Control Expert (V15.0 SP1 and prior, including former Unity Pro), EcoStruxure Process Expert (2020 and prior, including former HDCS), SCADAPack RemoteConnect for x70 (All versions).

Affected configurations

NVD
Node
schneider-electric | ecostruxure_control_expert | Range | <15.1
OR
schneider-electric | ecostruxure_process_expert | Range | <2021
Node
schneider-electric | remoteconnect | Match | -
AND
schneider-electric | scadapack_470 | Match | -
OR
schneider-electric | scadapack_474 | Match | -
OR
schneider-electric | scadapack_570 | Match | -
OR
schneider-electric | scadapack_574 | Match | -
OR
schneider-electric | scadapack_575 | Match | -

CNA Affected

[
  {
    "product": "EcoStruxure Control Expert",
    "vendor": "Schneider Electric",
    "versions": [
      {
        "lessThan": "V15.0 SP1",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  },
  {
    "product": "EcoStruxure Process Expert",
    "vendor": "Schneider Electric",
    "versions": [
      {
        "lessThan": "2020",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  },
  {
    "product": "SCADAPack RemoteConnect for x70",
    "vendor": "Schneider Electric",
    "versions": [
      {
        "status": "affected",
        "version": "All versions"
      }
    ]
  }
]
