CVE-2021-22797

Опубликовано: 13 апр. 2022

Источник: nvd

CVSS3: 7.8

CVSS2: 9.3

EPSS Низкий

Описание

A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal) vulnerability exists that could cause malicious script to be deployed in an unauthorized location and may result in code execution on the engineering workstation when a malicious project file is loaded in the engineering software. Affected Product: EcoStruxure Control Expert (V15.0 SP1 and prior, including former Unity Pro), EcoStruxure Process Expert (2020 and prior, including former HDCS), SCADAPack RemoteConnect for x70 (All versions)

Ссылки

https://www.se.com/ww/en/download/document/SEVD-2021-257-01/
Mitigation
Patch
Vendor Advisory
https://www.se.com/ww/en/download/document/SEVD-2021-257-01/
Mitigation
Patch
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:schneider-electric:ecostruxure_control_expert:*:*:*:*:*:*:*:*

Версия до 15.1 (исключая)

cpe:2.3:a:schneider-electric:ecostruxure_process_expert:*:*:*:*:*:*:*:*

Версия до 2021 (исключая)

Конфигурация 2

Одновременно

cpe:2.3:a:schneider-electric:remoteconnect:-:*:*:*:*:*:*:*

Одно из

cpe:2.3:h:schneider-electric:scadapack_470:-:*:*:*:*:*:*:*

cpe:2.3:h:schneider-electric:scadapack_474:-:*:*:*:*:*:*:*

cpe:2.3:h:schneider-electric:scadapack_570:-:*:*:*:*:*:*:*

cpe:2.3:h:schneider-electric:scadapack_574:-:*:*:*:*:*:*:*

cpe:2.3:h:schneider-electric:scadapack_575:-:*:*:*:*:*:*:*

EPSS

Процентиль: 74%

0.00813

Низкий

7.8 High

CVSS3

9.3 Critical

CVSS2

Дефекты

CWE-22

Связанные уязвимости

GHSA-qqgr-6jmg-cwgv