CVE-2021-27476

Published: Mar 23, 2022Modified: Nov 21, 2024

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

A vulnerability exists in the SaveConfigFile function of the RACompare Service, which may allow for OS command injection. This vulnerability may allow a remote, unauthenticated attacker to execute arbitrary commands in Rockwell Automation FactoryTalk AssetCentre v10.00 and earlier.

Affected (1)

Products: Rockwellautomation: Factorytalk Assetcentre

Rockwellautomation

1 product

Factorytalk Assetcentre

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Rockwellautomation Factorytalk Assetcentre	Up to 10.00

Related CWEs

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

References (4)

https://idp.rockwellautomation.com/adfs/ls/idpinitiatedsignon.aspx?RelayState=RPID%3Drockwellautomation.custhelp.com%26RelayState%3Danswers%2Fanswer_view%2Fa_id%2F1130831

Source: ics-cert@hq.dhs.gov

Permissions RequiredVendor Advisory

https://www.cisa.gov/uscert/ics/advisories/icsa-21-091-01

Source: ics-cert@hq.dhs.gov

MitigationThird Party AdvisoryUS Government Resource

https://idp.rockwellautomation.com/adfs/ls/idpinitiatedsignon.aspx?RelayState=RPID%3Drockwellautomation.custhelp.com%26RelayState%3Danswers%2Fanswer_view%2Fa_id%2F1130831

Source: af854a3a-2127-422b-91ae-364da2661108

Permissions RequiredVendor Advisory

https://www.cisa.gov/uscert/ics/advisories/icsa-21-091-01

Source: af854a3a-2127-422b-91ae-364da2661108

MitigationThird Party AdvisoryUS Government Resource

Timeline

No history available yet.