CVE-2021-22697

Published: Jan 26, 2021Modified: Nov 21, 2024

7.8

Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Exploitability: 1.8 / Impact: 5.9

Source: NVD

Description

A CWE-434: Unrestricted Upload of File with Dangerous Type vulnerability exists in the EcoStruxure Power Build - Rapsody software (V2.1.13 and prior) that could allow a use-after-free condition which could result in remote code execution when a malicious SSD file is uploaded and improperly parsed.

Affected (1)

Products: Schneider Electric: Ecostruxure Power Build Rapsody

Schneider Electric

1 product

Ecostruxure Power Build Rapsody

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Schneider Electric Ecostruxure Power Build Rapsody	Up to 2.1.13

Related CWEs

Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

References (6)

https://us-cert.cisa.gov/ics/advisories/icsa-21-012-01

Source: cybersecurity@se.com

Third Party AdvisoryUS Government Resource

https://www.se.com/ww/en/download/document/SEVD-2021-012-02/

Source: cybersecurity@se.com

Vendor Advisory

https://www.zerodayinitiative.com/advisories/ZDI-21-186/

Source: cybersecurity@se.com

Third Party AdvisoryVDB Entry

https://us-cert.cisa.gov/ics/advisories/icsa-21-012-01

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party AdvisoryUS Government Resource

https://www.se.com/ww/en/download/document/SEVD-2021-012-02/

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://www.zerodayinitiative.com/advisories/ZDI-21-186/

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party AdvisoryVDB Entry

Timeline

No history available yet.