Command injection

2022-06-1314:15:00

PRIOn knowledge base

www.prio-n.com

9.4 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

57.5%

JSON

In Festo Controller CECC-X-M1 product family in multiple versions, the http-endpoint “cecc-x-refresh-request” POST request doesn’t check for port syntax. This can result in unauthorized execution of system commands with root privileges due to improper access control command injection.

CPENameOperatorVersion
controller_cecc-x-m1-mv-s1_firmwarele3.8.14
controller_cecc-x-m1-mv-s1_firmwareeq4.0.14
controller_cecc-x-m1-mv_firmwarele3.8.14
controller_cecc-x-m1-mv_firmwareeq4.0.14
controller_cecc-x-m1-y-yjkp_firmwarele3.8.14
controller_cecc-x-m1-ys-l1_firmwarele3.8.14
controller_cecc-x-m1-ys-l2_firmwarele3.8.14
controller_cecc-x-m1_firmwarele3.8.14
controller_cecc-x-m1_firmwareeq4.0.14
servo_press_kit_yjkp-_firmwarele3.8.14

Name	Operator	Version
controller_cecc-x-m1-mv-s1_firmware	le	3.8.14
controller_cecc-x-m1-mv-s1_firmware	eq	4.0.14
controller_cecc-x-m1-mv_firmware	le	3.8.14
controller_cecc-x-m1-mv_firmware	eq	4.0.14
controller_cecc-x-m1-y-yjkp_firmware	le	3.8.14
controller_cecc-x-m1-ys-l1_firmware	le	3.8.14
controller_cecc-x-m1-ys-l2_firmware	le	3.8.14
controller_cecc-x-m1_firmware	le	3.8.14
controller_cecc-x-m1_firmware	eq	4.0.14
servo_press_kit_yjkp-_firmware	le	3.8.14

Rows per page:

1-10 of 111

References

cert.vde.com/en/advisories/VDE-2022-020/