CVE-2021-22797

Published Apr 13, 2022

Last updated 3 years ago

CVSS high 7.8

Overview

Description: A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal) vulnerability exists that could cause malicious script to be deployed in an unauthorized location and may result in code execution on the engineering workstation when a malicious project file is loaded in the engineering software. Affected Product: EcoStruxure Control Expert (V15.0 SP1 and prior, including former Unity Pro), EcoStruxure Process Expert (2020 and prior, including former HDCS), SCADAPack RemoteConnect for x70 (All versions)
Source: cybersecurity@se.com
NVD status: Analyzed

Risk scores

CVSS 3.1

Type: Primary
Base score: 7.8
Impact score: 5.9
Exploitability score: 1.8
Vector string: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity: HIGH

CVSS 2.0

Type: Primary
Base score: 9.3
Impact score: 10
Exploitability score: 8.6
Vector string: AV:N/AC:M/Au:N/C:C/I:C/A:C

Weaknesses

cybersecurity@se.com: CWE-22

Hype score: Not currently trending

Configurations

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:schneider-electric:ecostruxure_control_expert:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "8DCC0C29-32C2-4463-B98F-AB4B56FF5314",
            "versionEndExcluding": "15.1"
          },
          {
            "criteria": "cpe:2.3:a:schneider-electric:ecostruxure_process_expert:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "FAB4A9EC-96A2-424D-A858-162E662EBEFB",
            "versionEndExcluding": "2021"
          }
        ],
        "operator": "OR"
      }
    ]
  },
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:schneider-electric:remoteconnect:-:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "3FFDF36B-30A5-4B35-956C-60DC15CE7EE4"
          }
        ],
        "operator": "OR"
      },
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:h:schneider-electric:scadapack_470:-:*:*:*:*:*:*:*",
            "vulnerable": false,
            "matchCriteriaId": "F51A7887-4F1A-428C-9E68-260E7262A678"
          },
          {
            "criteria": "cpe:2.3:h:schneider-electric:scadapack_474:-:*:*:*:*:*:*:*",
            "vulnerable": false,
            "matchCriteriaId": "58BACC54-6609-4DCE-AEEC-A9C2396635A0"
          },
          {
            "criteria": "cpe:2.3:h:schneider-electric:scadapack_570:-:*:*:*:*:*:*:*",
            "vulnerable": false,
            "matchCriteriaId": "FFDF44F3-2514-4CB0-A1A4-87123225B0F1"
          },
          {
            "criteria": "cpe:2.3:h:schneider-electric:scadapack_574:-:*:*:*:*:*:*:*",
            "vulnerable": false,
            "matchCriteriaId": "4F5CDC99-C4C8-43FE-8EA7-65C7EDFD9BA3"
          },
          {
            "criteria": "cpe:2.3:h:schneider-electric:scadapack_575:-:*:*:*:*:*:*:*",
            "vulnerable": false,
            "matchCriteriaId": "DE4172DF-94E3-4AEE-8D6B-9F48DC453B9E"
          }
        ],
        "operator": "OR"
      }
    ],
    "operator": "AND"
  }
]

Overview

Risk scores

CVSS 3.1

CVSS 2.0

Weaknesses

Social media

Configurations

References