CVE-2022-41670

Published: Nov 4, 2022Modified: Nov 21, 2024

7.8

Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 1.8 / Impact: 5.9

Source: NVD

Description

A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists in the SGIUtility component that allows adversaries with local user privileges to load malicious DLL which could result in execution of malicious code. Affected Products: EcoStruxure Operator Terminal Expert(V3.3 Hotfix 1 or prior), Pro-face BLUE(V3.3 Hotfix1 or prior).

Affected (6)

Products: Schneider Electric: Ecostruxure Operator Terminal Expert, Pro Face Blue

Schneider Electric

2 products

Ecostruxure Operator Terminal Expert

Pro Face Blue

Configuration A

6 vulnerable

Vulnerable Software	Affected Versions
Schneider Electric Ecostruxure Operator Terminal Expert	Before 3.3
Schneider Electric Ecostruxure Operator Terminal Expert	Version 3.3
Schneider Electric Ecostruxure Operator Terminal Expert	Version 3.3 hotfix1
Schneider Electric Pro Face Blue	Before 3.3
Schneider Electric Pro Face Blue	Version 3.3
Schneider Electric Pro Face Blue	Version 3.3 hotfix1

Related CWEs

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

References (2)

https://www.se.com/ww/en/download/document/SEVD-2022-284-01/

Source: cybersecurity@se.com

PatchVendor Advisory

https://www.se.com/ww/en/download/document/SEVD-2022-284-01/

Source: af854a3a-2127-422b-91ae-364da2661108

PatchVendor Advisory

Timeline

No history available yet.