CVE-2021-22797

nvd nist
Published: Apr 13, 2022
Modified: Nov 21, 2024

CVSS 3.1 base score: 7.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Exploitability: 1.8 / Impact: 5.9
Source: NVD

Description

A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists that could cause a malicious script to be deployed in an unauthorized location and may result in code execution on the engineering workstation when a malicious project file is loaded in the engineering software. Affected Product: EcoStruxure Control Expert (V15.0 SP1 and prior, including former Unity Pro), EcoStruxure Process Expert (2020 and prior, including former HDCS), SCADAPack RemoteConnect for x70 (All versions).

Affected (3)

Ecostruxure Control Expert
Ecostruxure Process Expert
Remoteconnect
Configuration A
2 vulnerable
Configuration B
1 vulnerable · 5 platform
Vulnerable Software / Affected Versions:
All versions
Running on/with / Platform Versions:
Schneider Electric Scadapack 470: All versions
Schneider Electric Scadapack 474: All versions
Schneider Electric Scadapack 570: All versions
Schneider Electric Scadapack 574: All versions
Schneider Electric Scadapack 575: All versions

References (2)

Source: cybersecurity@se.com
Tags: Mitigation, Patch, Vendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Tags: Mitigation, Patch, Vendor Advisory

Timeline

No history available yet.