Search criteria
18 vulnerabilities found for windldr by idec
FKIE_CVE-2024-41716
Vulnerability from fkie_nvd - Published: 2024-09-04 01:15 - Updated: 2025-03-13 15:15
Severity ?
8.1 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
8.1 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
8.1 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Summary
Cleartext storage of sensitive information vulnerability exists in WindLDR and WindO/I-NV4. If this vulnerability is exploited, an attacker who obtained the product's project file may obtain user credentials of the PLC or Operator Interfaces. As a result, an attacker may be able to manipulate and/or suspend the PLC and Operator Interfaces by accessing or hijacking them.
References
| URL | Tags | ||
|---|---|---|---|
| vultures@jpcert.or.jp | https://jvn.jp/en/jp/JVN08342147/ | Third Party Advisory | |
| vultures@jpcert.or.jp | https://us.idec.com/media/24-RD-0219-EN.pdf | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| idec | windldr | * | |
| idec | windo\/i-nv4 | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:idec:windldr:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3A8085E3-47BE-471B-9752-1B0B7482954B",
"versionEndExcluding": "9.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:idec:windo\\/i-nv4:*:*:*:*:*:*:*:*",
"matchCriteriaId": "2778FEF8-6239-40F4-8E1F-B9AEBA9711FD",
"versionEndExcluding": "3.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cleartext storage of sensitive information vulnerability exists in WindLDR and WindO/I-NV4. If this vulnerability is exploited, an attacker who obtained the product\u0027s project file may obtain user credentials of the PLC or Operator Interfaces. As a result, an attacker may be able to manipulate and/or suspend the PLC and Operator Interfaces by accessing or hijacking them."
},
{
"lang": "es",
"value": "Existe una vulnerabilidad de almacenamiento de texto plano de informaci\u00f3n confidencial en WindLDR y WindO/I-NV4. Si se explota esta vulnerabilidad, un atacante que haya obtenido el archivo de proyecto del producto puede obtener las credenciales de usuario del PLC o las interfaces del operador. Como resultado, un atacante puede manipular y/o suspender el PLC y las interfaces del operador accediendo a ellos o secuestr\u00e1ndolos."
}
],
"id": "CVE-2024-41716",
"lastModified": "2025-03-13T15:15:47.003",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.2,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.2,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2024-09-04T01:15:11.747",
"references": [
{
"source": "vultures@jpcert.or.jp",
"tags": [
"Third Party Advisory"
],
"url": "https://jvn.jp/en/jp/JVN08342147/"
},
{
"source": "vultures@jpcert.or.jp",
"tags": [
"Vendor Advisory"
],
"url": "https://us.idec.com/media/24-RD-0219-EN.pdf"
}
],
"sourceIdentifier": "vultures@jpcert.or.jp",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-312"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-312"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
FKIE_CVE-2021-37400
Vulnerability from fkie_nvd - Published: 2021-12-28 13:15 - Updated: 2024-11-21 06:15
Severity ?
Summary
An attacker may obtain the user credentials from the communication between the PLC and the software. As a result, the PLC user program may be uploaded, altered, and/or downloaded.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:idec:data_file_manager:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5E7A2720-6B29-4BD1-B85B-293850D804A8",
"versionEndIncluding": "2.12.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:idec:windedit:*:*:*:*:*:*:*:*",
"matchCriteriaId": "FA314D4B-B187-4238-B341-E2B9F94EBEBA",
"versionEndIncluding": "1.3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:idec:windldr:*:*:*:*:*:*:*:*",
"matchCriteriaId": "7ED0922F-93CB-41B3-A468-44845F428945",
"versionEndIncluding": "8.19.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:idec:microsmart_plus_fc6b_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "950DD61E-60D8-4102-A18F-18A4706DE647",
"versionEndIncluding": "2.31",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:idec:microsmart_plus_fc6b:-:*:*:*:*:*:*:*",
"matchCriteriaId": "2FF6D25F-C546-4C37-B01E-E71BD2AF09EB",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:idec:microsmart_plus_fc6a_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "01FFD59B-27E0-4D27-A339-FE78D7407C02",
"versionEndIncluding": "1.91",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:idec:microsmart_plus_fc6a:-:*:*:*:*:*:*:*",
"matchCriteriaId": "6CFD58FF-AAE9-47F8-971C-442E2E8C4499",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:idec:microsmart_fc6b_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "24BEE40B-C239-4A38-B9EE-0AAD7699D53E",
"versionEndIncluding": "2.31",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:idec:microsmart_fc6b:-:*:*:*:*:*:*:*",
"matchCriteriaId": "051DFC18-8576-40AF-96A0-2434230234F4",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:idec:microsmart_fc6a_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "59A9BAF0-7AFD-4918-81E2-6949B71E4208",
"versionEndIncluding": "2.32",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:idec:microsmart_fc6a:-:*:*:*:*:*:*:*",
"matchCriteriaId": "892DE7A7-7D54-4EE5-97B7-2B8A0B190DFB",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:idec:ft1a_smartaxix_pro_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "7F546B0A-0B08-4B79-87A8-1286F334339E",
"versionEndIncluding": "2.31",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:idec:ft1a_smartaxix_pro:-:*:*:*:*:*:*:*",
"matchCriteriaId": "B13D383E-A48F-4C5A-B592-3356523FEEB1",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:idec:ft1a_smartaxix_lite_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "401ED91B-67F5-4319-8B66-C028B1AB09A6",
"versionEndIncluding": "2.31",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:idec:ft1a_smartaxix_lite:-:*:*:*:*:*:*:*",
"matchCriteriaId": "2FA6299D-C20C-4C04-B6F1-CE3DE1167770",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An attacker may obtain the user credentials from the communication between the PLC and the software. As a result, the PLC user program may be uploaded, altered, and/or downloaded."
},
{
"lang": "es",
"value": "Un atacante puede obtener las credenciales de usuario de la comunicaci\u00f3n entre el PLC y el software. Como resultado, el programa de usuario del PLC puede ser cargado, alterado y/o descargado"
}
],
"id": "CVE-2021-37400",
"lastModified": "2024-11-21T06:15:05.053",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-12-28T13:15:08.207",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://jvn.jp/en/vu/JVNVU92279973/"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://us.idec.com/idec-us/en/USD/Programmable-Logic-Controller/Micro-PLC/FC6A-MicroSmart/c/MicroSmart_FC6A"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://us.idec.com/idec-us/en/USD/Software-Downloads-Automation-Organizer"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://www.idec.com/home/lp/pdf/2021-12-24-PLC.pdf"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://jvn.jp/en/vu/JVNVU92279973/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://us.idec.com/idec-us/en/USD/Programmable-Logic-Controller/Micro-PLC/FC6A-MicroSmart/c/MicroSmart_FC6A"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://us.idec.com/idec-us/en/USD/Software-Downloads-Automation-Organizer"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://www.idec.com/home/lp/pdf/2021-12-24-PLC.pdf"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-522"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2021-37401
Vulnerability from fkie_nvd - Published: 2021-12-28 13:15 - Updated: 2024-11-21 06:15
Severity ?
Summary
An attacker may obtain the user credentials from file servers, backup repositories, or ZLD files saved in SD cards. As a result, the PLC user program may be uploaded, altered, and/or downloaded.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:idec:data_file_manager:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5E7A2720-6B29-4BD1-B85B-293850D804A8",
"versionEndIncluding": "2.12.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:idec:windedit:*:*:*:*:*:*:*:*",
"matchCriteriaId": "FA314D4B-B187-4238-B341-E2B9F94EBEBA",
"versionEndIncluding": "1.3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:idec:windldr:*:*:*:*:*:*:*:*",
"matchCriteriaId": "7ED0922F-93CB-41B3-A468-44845F428945",
"versionEndIncluding": "8.19.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:idec:microsmart_plus_fc6b_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "950DD61E-60D8-4102-A18F-18A4706DE647",
"versionEndIncluding": "2.31",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:idec:microsmart_plus_fc6b:-:*:*:*:*:*:*:*",
"matchCriteriaId": "2FF6D25F-C546-4C37-B01E-E71BD2AF09EB",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:idec:microsmart_plus_fc6a_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "01FFD59B-27E0-4D27-A339-FE78D7407C02",
"versionEndIncluding": "1.91",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:idec:microsmart_plus_fc6a:-:*:*:*:*:*:*:*",
"matchCriteriaId": "6CFD58FF-AAE9-47F8-971C-442E2E8C4499",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:idec:microsmart_fc6b_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "24BEE40B-C239-4A38-B9EE-0AAD7699D53E",
"versionEndIncluding": "2.31",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:idec:microsmart_fc6b:-:*:*:*:*:*:*:*",
"matchCriteriaId": "051DFC18-8576-40AF-96A0-2434230234F4",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:idec:microsmart_fc6a_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "59A9BAF0-7AFD-4918-81E2-6949B71E4208",
"versionEndIncluding": "2.32",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:idec:microsmart_fc6a:-:*:*:*:*:*:*:*",
"matchCriteriaId": "892DE7A7-7D54-4EE5-97B7-2B8A0B190DFB",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:idec:ft1a_smartaxix_pro_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "7F546B0A-0B08-4B79-87A8-1286F334339E",
"versionEndIncluding": "2.31",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:idec:ft1a_smartaxix_pro:-:*:*:*:*:*:*:*",
"matchCriteriaId": "B13D383E-A48F-4C5A-B592-3356523FEEB1",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:idec:ft1a_smartaxix_lite_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "401ED91B-67F5-4319-8B66-C028B1AB09A6",
"versionEndIncluding": "2.31",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:idec:ft1a_smartaxix_lite:-:*:*:*:*:*:*:*",
"matchCriteriaId": "2FA6299D-C20C-4C04-B6F1-CE3DE1167770",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An attacker may obtain the user credentials from file servers, backup repositories, or ZLD files saved in SD cards. As a result, the PLC user program may be uploaded, altered, and/or downloaded."
},
{
"lang": "es",
"value": "Un atacante puede obtener las credenciales de usuario de servidores de archivos, repositorios de copias de seguridad o archivos ZLD guardados en tarjetas SD. Como resultado, el programa de usuario del PLC puede ser cargado, alterado y/o descargado"
}
],
"id": "CVE-2021-37401",
"lastModified": "2024-11-21T06:15:05.230",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-12-28T13:15:08.267",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://jvn.jp/en/vu/JVNVU92279973/"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://us.idec.com/idec-us/en/USD/Programmable-Logic-Controller/Micro-PLC/FC6A-MicroSmart/c/MicroSmart_FC6A"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://us.idec.com/idec-us/en/USD/Software-Downloads-Automation-Organizer"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://www.idec.com/home/lp/pdf/2021-12-24-PLC.pdf"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://jvn.jp/en/vu/JVNVU92279973/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://us.idec.com/idec-us/en/USD/Programmable-Logic-Controller/Micro-PLC/FC6A-MicroSmart/c/MicroSmart_FC6A"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://us.idec.com/idec-us/en/USD/Software-Downloads-Automation-Organizer"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://www.idec.com/home/lp/pdf/2021-12-24-PLC.pdf"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-522"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2021-20826
Vulnerability from fkie_nvd - Published: 2021-12-24 07:15 - Updated: 2024-11-21 05:47
Severity ?
Summary
Unprotected transport of credentials vulnerability in IDEC PLCs (FC6A Series MICROSmart All-in-One CPU module v2.32 and earlier, FC6A Series MICROSmart Plus CPU module v1.91 and earlier, WindLDR v8.19.1 and earlier, WindEDIT Lite v1.3.1 and earlier, and Data File Manager v2.12.1 and earlier) allows an attacker to obtain the PLC Web server user credentials from the communication between the PLC and the software. As a result, the complete access privileges to the PLC Web server may be obtained, and manipulation of the PLC output and/or suspension of the PLC may be conducted.
References
| URL | Tags | ||
|---|---|---|---|
| vultures@jpcert.or.jp | https://jvn.jp/en/vu/JVNVU92279973/index.html | Third Party Advisory | |
| vultures@jpcert.or.jp | https://www.idec.com/home/lp/pdf/2021-12-24-PLC.pdf | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://jvn.jp/en/vu/JVNVU92279973/index.html | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.idec.com/home/lp/pdf/2021-12-24-PLC.pdf | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| idec | microsmart_fc6a_firmware | * | |
| idec | microsmart_fc6a | - | |
| idec | microsmart_plus_fc6a_firmware | * | |
| idec | microsmart_plus_fc6a | - | |
| idec | data_file_manager | * | |
| idec | windedit | * | |
| idec | windldr | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:idec:microsmart_fc6a_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "59A9BAF0-7AFD-4918-81E2-6949B71E4208",
"versionEndIncluding": "2.32",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:idec:microsmart_fc6a:-:*:*:*:*:*:*:*",
"matchCriteriaId": "892DE7A7-7D54-4EE5-97B7-2B8A0B190DFB",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:idec:microsmart_plus_fc6a_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "01FFD59B-27E0-4D27-A339-FE78D7407C02",
"versionEndIncluding": "1.91",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:idec:microsmart_plus_fc6a:-:*:*:*:*:*:*:*",
"matchCriteriaId": "6CFD58FF-AAE9-47F8-971C-442E2E8C4499",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:idec:data_file_manager:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5E7A2720-6B29-4BD1-B85B-293850D804A8",
"versionEndIncluding": "2.12.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:idec:windedit:*:*:*:*:*:*:*:*",
"matchCriteriaId": "FA314D4B-B187-4238-B341-E2B9F94EBEBA",
"versionEndIncluding": "1.3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:idec:windldr:*:*:*:*:*:*:*:*",
"matchCriteriaId": "7ED0922F-93CB-41B3-A468-44845F428945",
"versionEndIncluding": "8.19.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Unprotected transport of credentials vulnerability in IDEC PLCs (FC6A Series MICROSmart All-in-One CPU module v2.32 and earlier, FC6A Series MICROSmart Plus CPU module v1.91 and earlier, WindLDR v8.19.1 and earlier, WindEDIT Lite v1.3.1 and earlier, and Data File Manager v2.12.1 and earlier) allows an attacker to obtain the PLC Web server user credentials from the communication between the PLC and the software. As a result, the complete access privileges to the PLC Web server may be obtained, and manipulation of the PLC output and/or suspension of the PLC may be conducted."
},
{
"lang": "es",
"value": "Una vulnerabilidad de transporte de credenciales sin protecci\u00f3n en los PLC de IDEC (m\u00f3dulo de CPU MICROSmart All-in-One de la serie FC6A versiones v2.32 y anteriores, m\u00f3dulo de CPU MICROSmart Plus de la serie FC6A versiones v1.91 y anteriores, WindLDR versiones 8.19.1 y anteriores, WindEDIT Lite versiones v1.3.1 y anteriores, y Data File Manager versiones v2.12.1 y anteriores) permite a un atacante obtener las credenciales de usuario del servidor web del PLC a partir de la comunicaci\u00f3n entre el PLC y el software. Como resultado, pueden obtenerse los privilegios de acceso completo al servidor web del PLC, y es posible manipular la salida del PLC y/o suspenderlo"
}
],
"id": "CVE-2021-20826",
"lastModified": "2024-11-21T05:47:14.313",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "ADJACENT_NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 3.3,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:A/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.5,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 4.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-12-24T07:15:06.510",
"references": [
{
"source": "vultures@jpcert.or.jp",
"tags": [
"Third Party Advisory"
],
"url": "https://jvn.jp/en/vu/JVNVU92279973/index.html"
},
{
"source": "vultures@jpcert.or.jp",
"tags": [
"Vendor Advisory"
],
"url": "https://www.idec.com/home/lp/pdf/2021-12-24-PLC.pdf"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://jvn.jp/en/vu/JVNVU92279973/index.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://www.idec.com/home/lp/pdf/2021-12-24-PLC.pdf"
}
],
"sourceIdentifier": "vultures@jpcert.or.jp",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-522"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2021-20827
Vulnerability from fkie_nvd - Published: 2021-12-24 07:15 - Updated: 2024-11-21 05:47
Severity ?
Summary
Plaintext storage of a password vulnerability in IDEC PLCs (FC6A Series MICROSmart All-in-One CPU module v2.32 and earlier, FC6A Series MICROSmart Plus CPU module v1.91 and earlier, WindLDR v8.19.1 and earlier, WindEDIT Lite v1.3.1 and earlier, and Data File Manager v2.12.1 and earlier) allows an attacker to obtain the PLC Web server user credentials from file servers, backup repositories, or ZLD files saved in SD cards. As a result, the attacker may access the PLC Web server and hijack the PLC, and manipulation of the PLC output and/or suspension of the PLC may be conducted.
References
| URL | Tags | ||
|---|---|---|---|
| vultures@jpcert.or.jp | https://jvn.jp/en/vu/JVNVU92279973/index.html | Third Party Advisory | |
| vultures@jpcert.or.jp | https://www.idec.com/home/lp/pdf/2021-12-24-PLC.pdf | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://jvn.jp/en/vu/JVNVU92279973/index.html | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.idec.com/home/lp/pdf/2021-12-24-PLC.pdf | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| idec | microsmart_fc6a_firmware | * | |
| idec | microsmart_fc6a | - | |
| idec | microsmart_plus_fc6a_firmware | * | |
| idec | microsmart_plus_fc6a | - | |
| idec | data_file_manager | * | |
| idec | windedit | * | |
| idec | windldr | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:idec:microsmart_fc6a_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "59A9BAF0-7AFD-4918-81E2-6949B71E4208",
"versionEndIncluding": "2.32",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:idec:microsmart_fc6a:-:*:*:*:*:*:*:*",
"matchCriteriaId": "892DE7A7-7D54-4EE5-97B7-2B8A0B190DFB",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:idec:microsmart_plus_fc6a_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "01FFD59B-27E0-4D27-A339-FE78D7407C02",
"versionEndIncluding": "1.91",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:idec:microsmart_plus_fc6a:-:*:*:*:*:*:*:*",
"matchCriteriaId": "6CFD58FF-AAE9-47F8-971C-442E2E8C4499",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:idec:data_file_manager:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5E7A2720-6B29-4BD1-B85B-293850D804A8",
"versionEndIncluding": "2.12.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:idec:windedit:*:*:*:*:*:*:*:*",
"matchCriteriaId": "FA314D4B-B187-4238-B341-E2B9F94EBEBA",
"versionEndIncluding": "1.3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:idec:windldr:*:*:*:*:*:*:*:*",
"matchCriteriaId": "7ED0922F-93CB-41B3-A468-44845F428945",
"versionEndIncluding": "8.19.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Plaintext storage of a password vulnerability in IDEC PLCs (FC6A Series MICROSmart All-in-One CPU module v2.32 and earlier, FC6A Series MICROSmart Plus CPU module v1.91 and earlier, WindLDR v8.19.1 and earlier, WindEDIT Lite v1.3.1 and earlier, and Data File Manager v2.12.1 and earlier) allows an attacker to obtain the PLC Web server user credentials from file servers, backup repositories, or ZLD files saved in SD cards. As a result, the attacker may access the PLC Web server and hijack the PLC, and manipulation of the PLC output and/or suspension of the PLC may be conducted."
},
{
"lang": "es",
"value": "Una vulnerabilidad de almacenamiento de texto plano de una contrase\u00f1a en los PLC de IDEC (m\u00f3dulo de CPU MICROSmart All-in-One de la serie FC6A versiones v2.32 y anteriores, m\u00f3dulo de CPU MICROSmart Plus de la serie FC6A versiones v1.91 y anteriores, WindLDR versiones v8.19.1 y anteriores, WindEDIT Lite versiones v1.3.1 y anteriores, y Data File Manager versiones v2.12.1 y anteriores) permite a un atacante obtener las credenciales de usuario del servidor web del PLC desde servidores de archivos, repositorios de copias de seguridad o archivos ZLD guardados en tarjetas SD. Como resultado, el atacante puede acceder al servidor web del PLC y secuestrar el PLC, pudiendo manipular la salida del PLC y/o suspenderlo"
}
],
"id": "CVE-2021-20827",
"lastModified": "2024-11-21T05:47:14.427",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-12-24T07:15:06.653",
"references": [
{
"source": "vultures@jpcert.or.jp",
"tags": [
"Third Party Advisory"
],
"url": "https://jvn.jp/en/vu/JVNVU92279973/index.html"
},
{
"source": "vultures@jpcert.or.jp",
"tags": [
"Vendor Advisory"
],
"url": "https://www.idec.com/home/lp/pdf/2021-12-24-PLC.pdf"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://jvn.jp/en/vu/JVNVU92279973/index.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://www.idec.com/home/lp/pdf/2021-12-24-PLC.pdf"
}
],
"sourceIdentifier": "vultures@jpcert.or.jp",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-312"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2024-41716 (GCVE-0-2024-41716)
Vulnerability from cvelistv5 – Published: 2024-09-04 00:34 – Updated: 2025-03-13 14:15
VLAI?
Summary
Cleartext storage of sensitive information vulnerability exists in WindLDR and WindO/I-NV4. If this vulnerability is exploited, an attacker who obtained the product's project file may obtain user credentials of the PLC or Operator Interfaces. As a result, an attacker may be able to manipulate and/or suspend the PLC and Operator Interfaces by accessing or hijacking them.
Severity ?
8.1 (High)
CWE
- Cleartext storage of sensitive information
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| IDEC Corporation | WindLDR |
Affected:
Ver.9.1.0 and earlier
|
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-41716",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-04T13:58:55.637135Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-312",
"description": "CWE-312 Cleartext Storage of Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-13T14:15:40.744Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "WindLDR",
"vendor": "IDEC Corporation",
"versions": [
{
"status": "affected",
"version": "Ver.9.1.0 and earlier"
}
]
},
{
"product": "WindO/I-NV4",
"vendor": "IDEC Corporation",
"versions": [
{
"status": "affected",
"version": "Ver.3.0.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cleartext storage of sensitive information vulnerability exists in WindLDR and WindO/I-NV4. If this vulnerability is exploited, an attacker who obtained the product\u0027s project file may obtain user credentials of the PLC or Operator Interfaces. As a result, an attacker may be able to manipulate and/or suspend the PLC and Operator Interfaces by accessing or hijacking them."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cleartext storage of sensitive information",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-04T00:34:12.610Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://us.idec.com/media/24-RD-0219-EN.pdf"
},
{
"url": "https://jvn.jp/en/jp/JVN08342147/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2024-41716",
"datePublished": "2024-09-04T00:34:12.610Z",
"dateReserved": "2024-08-01T01:18:08.236Z",
"dateUpdated": "2025-03-13T14:15:40.744Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-37400 (GCVE-0-2021-37400)
Vulnerability from cvelistv5 – Published: 2021-12-28 12:09 – Updated: 2024-08-04 01:16
VLAI?
Summary
An attacker may obtain the user credentials from the communication between the PLC and the software. As a result, the PLC user program may be uploaded, altered, and/or downloaded.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T01:16:04.056Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://us.idec.com/idec-us/en/USD/Programmable-Logic-Controller/Micro-PLC/FC6A-MicroSmart/c/MicroSmart_FC6A"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://us.idec.com/idec-us/en/USD/Software-Downloads-Automation-Organizer"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.idec.com/home/lp/pdf/2021-12-24-PLC.pdf"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jvn.jp/en/vu/JVNVU92279973/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An attacker may obtain the user credentials from the communication between the PLC and the software. As a result, the PLC user program may be uploaded, altered, and/or downloaded."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-12-28T12:15:05",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://us.idec.com/idec-us/en/USD/Programmable-Logic-Controller/Micro-PLC/FC6A-MicroSmart/c/MicroSmart_FC6A"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://us.idec.com/idec-us/en/USD/Software-Downloads-Automation-Organizer"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.idec.com/home/lp/pdf/2021-12-24-PLC.pdf"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jvn.jp/en/vu/JVNVU92279973/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-37400",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An attacker may obtain the user credentials from the communication between the PLC and the software. As a result, the PLC user program may be uploaded, altered, and/or downloaded."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://us.idec.com/idec-us/en/USD/Programmable-Logic-Controller/Micro-PLC/FC6A-MicroSmart/c/MicroSmart_FC6A",
"refsource": "MISC",
"url": "https://us.idec.com/idec-us/en/USD/Programmable-Logic-Controller/Micro-PLC/FC6A-MicroSmart/c/MicroSmart_FC6A"
},
{
"name": "https://us.idec.com/idec-us/en/USD/Software-Downloads-Automation-Organizer",
"refsource": "MISC",
"url": "https://us.idec.com/idec-us/en/USD/Software-Downloads-Automation-Organizer"
},
{
"name": "https://www.idec.com/home/lp/pdf/2021-12-24-PLC.pdf",
"refsource": "MISC",
"url": "https://www.idec.com/home/lp/pdf/2021-12-24-PLC.pdf"
},
{
"name": "https://jvn.jp/en/vu/JVNVU92279973/",
"refsource": "MISC",
"url": "https://jvn.jp/en/vu/JVNVU92279973/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-37400",
"datePublished": "2021-12-28T12:09:59",
"dateReserved": "2021-07-21T00:00:00",
"dateUpdated": "2024-08-04T01:16:04.056Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-37401 (GCVE-0-2021-37401)
Vulnerability from cvelistv5 – Published: 2021-12-28 12:09 – Updated: 2024-08-04 01:16
VLAI?
Summary
An attacker may obtain the user credentials from file servers, backup repositories, or ZLD files saved in SD cards. As a result, the PLC user program may be uploaded, altered, and/or downloaded.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T01:16:03.966Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://us.idec.com/idec-us/en/USD/Programmable-Logic-Controller/Micro-PLC/FC6A-MicroSmart/c/MicroSmart_FC6A"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://us.idec.com/idec-us/en/USD/Software-Downloads-Automation-Organizer"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.idec.com/home/lp/pdf/2021-12-24-PLC.pdf"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jvn.jp/en/vu/JVNVU92279973/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An attacker may obtain the user credentials from file servers, backup repositories, or ZLD files saved in SD cards. As a result, the PLC user program may be uploaded, altered, and/or downloaded."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-12-28T12:16:24",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://us.idec.com/idec-us/en/USD/Programmable-Logic-Controller/Micro-PLC/FC6A-MicroSmart/c/MicroSmart_FC6A"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://us.idec.com/idec-us/en/USD/Software-Downloads-Automation-Organizer"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.idec.com/home/lp/pdf/2021-12-24-PLC.pdf"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jvn.jp/en/vu/JVNVU92279973/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-37401",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An attacker may obtain the user credentials from file servers, backup repositories, or ZLD files saved in SD cards. As a result, the PLC user program may be uploaded, altered, and/or downloaded."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://us.idec.com/idec-us/en/USD/Programmable-Logic-Controller/Micro-PLC/FC6A-MicroSmart/c/MicroSmart_FC6A",
"refsource": "MISC",
"url": "https://us.idec.com/idec-us/en/USD/Programmable-Logic-Controller/Micro-PLC/FC6A-MicroSmart/c/MicroSmart_FC6A"
},
{
"name": "https://us.idec.com/idec-us/en/USD/Software-Downloads-Automation-Organizer",
"refsource": "MISC",
"url": "https://us.idec.com/idec-us/en/USD/Software-Downloads-Automation-Organizer"
},
{
"name": "https://www.idec.com/home/lp/pdf/2021-12-24-PLC.pdf",
"refsource": "MISC",
"url": "https://www.idec.com/home/lp/pdf/2021-12-24-PLC.pdf"
},
{
"name": "https://jvn.jp/en/vu/JVNVU92279973/",
"refsource": "MISC",
"url": "https://jvn.jp/en/vu/JVNVU92279973/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-37401",
"datePublished": "2021-12-28T12:09:52",
"dateReserved": "2021-07-21T00:00:00",
"dateUpdated": "2024-08-04T01:16:03.966Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-20827 (GCVE-0-2021-20827)
Vulnerability from cvelistv5 – Published: 2021-12-24 06:30 – Updated: 2024-08-03 17:53
VLAI?
Summary
Plaintext storage of a password vulnerability in IDEC PLCs (FC6A Series MICROSmart All-in-One CPU module v2.32 and earlier, FC6A Series MICROSmart Plus CPU module v1.91 and earlier, WindLDR v8.19.1 and earlier, WindEDIT Lite v1.3.1 and earlier, and Data File Manager v2.12.1 and earlier) allows an attacker to obtain the PLC Web server user credentials from file servers, backup repositories, or ZLD files saved in SD cards. As a result, the attacker may access the PLC Web server and hijack the PLC, and manipulation of the PLC output and/or suspension of the PLC may be conducted.
Severity ?
No CVSS data available.
CWE
- Plaintext storage of a password
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| IDEC Corporation | IDEC PLC |
Affected:
FC6A Series MICROSmart All-in-One CPU module v2.32 and earlier, FC6A Series MICROSmart Plus CPU module v1.91 and earlier, WindLDR v8.19.1 and earlier, WindEDIT Lite v1.3.1 and earlier, and Data File Manager v2.12.1 and earlier
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T17:53:22.806Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.idec.com/home/lp/pdf/2021-12-24-PLC.pdf"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jvn.jp/en/vu/JVNVU92279973/index.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "IDEC PLC",
"vendor": "IDEC Corporation",
"versions": [
{
"status": "affected",
"version": "FC6A Series MICROSmart All-in-One CPU module v2.32 and earlier, FC6A Series MICROSmart Plus CPU module v1.91 and earlier, WindLDR v8.19.1 and earlier, WindEDIT Lite v1.3.1 and earlier, and Data File Manager v2.12.1 and earlier"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Plaintext storage of a password vulnerability in IDEC PLCs (FC6A Series MICROSmart All-in-One CPU module v2.32 and earlier, FC6A Series MICROSmart Plus CPU module v1.91 and earlier, WindLDR v8.19.1 and earlier, WindEDIT Lite v1.3.1 and earlier, and Data File Manager v2.12.1 and earlier) allows an attacker to obtain the PLC Web server user credentials from file servers, backup repositories, or ZLD files saved in SD cards. As a result, the attacker may access the PLC Web server and hijack the PLC, and manipulation of the PLC output and/or suspension of the PLC may be conducted."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Plaintext storage of a password",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-12-24T06:30:27",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.idec.com/home/lp/pdf/2021-12-24-PLC.pdf"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jvn.jp/en/vu/JVNVU92279973/index.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vultures@jpcert.or.jp",
"ID": "CVE-2021-20827",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "IDEC PLC",
"version": {
"version_data": [
{
"version_value": "FC6A Series MICROSmart All-in-One CPU module v2.32 and earlier, FC6A Series MICROSmart Plus CPU module v1.91 and earlier, WindLDR v8.19.1 and earlier, WindEDIT Lite v1.3.1 and earlier, and Data File Manager v2.12.1 and earlier"
}
]
}
}
]
},
"vendor_name": "IDEC Corporation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Plaintext storage of a password vulnerability in IDEC PLCs (FC6A Series MICROSmart All-in-One CPU module v2.32 and earlier, FC6A Series MICROSmart Plus CPU module v1.91 and earlier, WindLDR v8.19.1 and earlier, WindEDIT Lite v1.3.1 and earlier, and Data File Manager v2.12.1 and earlier) allows an attacker to obtain the PLC Web server user credentials from file servers, backup repositories, or ZLD files saved in SD cards. As a result, the attacker may access the PLC Web server and hijack the PLC, and manipulation of the PLC output and/or suspension of the PLC may be conducted."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Plaintext storage of a password"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.idec.com/home/lp/pdf/2021-12-24-PLC.pdf",
"refsource": "MISC",
"url": "https://www.idec.com/home/lp/pdf/2021-12-24-PLC.pdf"
},
{
"name": "https://jvn.jp/en/vu/JVNVU92279973/index.html",
"refsource": "MISC",
"url": "https://jvn.jp/en/vu/JVNVU92279973/index.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2021-20827",
"datePublished": "2021-12-24T06:30:27",
"dateReserved": "2020-12-17T00:00:00",
"dateUpdated": "2024-08-03T17:53:22.806Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-20826 (GCVE-0-2021-20826)
Vulnerability from cvelistv5 – Published: 2021-12-24 06:30 – Updated: 2024-08-03 17:53
VLAI?
Summary
Unprotected transport of credentials vulnerability in IDEC PLCs (FC6A Series MICROSmart All-in-One CPU module v2.32 and earlier, FC6A Series MICROSmart Plus CPU module v1.91 and earlier, WindLDR v8.19.1 and earlier, WindEDIT Lite v1.3.1 and earlier, and Data File Manager v2.12.1 and earlier) allows an attacker to obtain the PLC Web server user credentials from the communication between the PLC and the software. As a result, the complete access privileges to the PLC Web server may be obtained, and manipulation of the PLC output and/or suspension of the PLC may be conducted.
Severity ?
No CVSS data available.
CWE
- Unprotected transport of credentials
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| IDEC Corporation | IDEC PLC |
Affected:
FC6A Series MICROSmart All-in-One CPU module v2.32 and earlier, FC6A Series MICROSmart Plus CPU module v1.91 and earlier, WindLDR v8.19.1 and earlier, WindEDIT Lite v1.3.1 and earlier, and Data File Manager v2.12.1 and earlier
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T17:53:22.508Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.idec.com/home/lp/pdf/2021-12-24-PLC.pdf"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jvn.jp/en/vu/JVNVU92279973/index.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "IDEC PLC",
"vendor": "IDEC Corporation",
"versions": [
{
"status": "affected",
"version": "FC6A Series MICROSmart All-in-One CPU module v2.32 and earlier, FC6A Series MICROSmart Plus CPU module v1.91 and earlier, WindLDR v8.19.1 and earlier, WindEDIT Lite v1.3.1 and earlier, and Data File Manager v2.12.1 and earlier"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Unprotected transport of credentials vulnerability in IDEC PLCs (FC6A Series MICROSmart All-in-One CPU module v2.32 and earlier, FC6A Series MICROSmart Plus CPU module v1.91 and earlier, WindLDR v8.19.1 and earlier, WindEDIT Lite v1.3.1 and earlier, and Data File Manager v2.12.1 and earlier) allows an attacker to obtain the PLC Web server user credentials from the communication between the PLC and the software. As a result, the complete access privileges to the PLC Web server may be obtained, and manipulation of the PLC output and/or suspension of the PLC may be conducted."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Unprotected transport of credentials",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-12-24T06:30:26",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.idec.com/home/lp/pdf/2021-12-24-PLC.pdf"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jvn.jp/en/vu/JVNVU92279973/index.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vultures@jpcert.or.jp",
"ID": "CVE-2021-20826",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "IDEC PLC",
"version": {
"version_data": [
{
"version_value": "FC6A Series MICROSmart All-in-One CPU module v2.32 and earlier, FC6A Series MICROSmart Plus CPU module v1.91 and earlier, WindLDR v8.19.1 and earlier, WindEDIT Lite v1.3.1 and earlier, and Data File Manager v2.12.1 and earlier"
}
]
}
}
]
},
"vendor_name": "IDEC Corporation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Unprotected transport of credentials vulnerability in IDEC PLCs (FC6A Series MICROSmart All-in-One CPU module v2.32 and earlier, FC6A Series MICROSmart Plus CPU module v1.91 and earlier, WindLDR v8.19.1 and earlier, WindEDIT Lite v1.3.1 and earlier, and Data File Manager v2.12.1 and earlier) allows an attacker to obtain the PLC Web server user credentials from the communication between the PLC and the software. As a result, the complete access privileges to the PLC Web server may be obtained, and manipulation of the PLC output and/or suspension of the PLC may be conducted."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Unprotected transport of credentials"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.idec.com/home/lp/pdf/2021-12-24-PLC.pdf",
"refsource": "MISC",
"url": "https://www.idec.com/home/lp/pdf/2021-12-24-PLC.pdf"
},
{
"name": "https://jvn.jp/en/vu/JVNVU92279973/index.html",
"refsource": "MISC",
"url": "https://jvn.jp/en/vu/JVNVU92279973/index.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2021-20826",
"datePublished": "2021-12-24T06:30:26",
"dateReserved": "2020-12-17T00:00:00",
"dateUpdated": "2024-08-03T17:53:22.508Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-41716 (GCVE-0-2024-41716)
Vulnerability from nvd – Published: 2024-09-04 00:34 – Updated: 2025-03-13 14:15
VLAI?
Summary
Cleartext storage of sensitive information vulnerability exists in WindLDR and WindO/I-NV4. If this vulnerability is exploited, an attacker who obtained the product's project file may obtain user credentials of the PLC or Operator Interfaces. As a result, an attacker may be able to manipulate and/or suspend the PLC and Operator Interfaces by accessing or hijacking them.
Severity ?
8.1 (High)
CWE
- Cleartext storage of sensitive information
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| IDEC Corporation | WindLDR |
Affected:
Ver.9.1.0 and earlier
|
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-41716",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-04T13:58:55.637135Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-312",
"description": "CWE-312 Cleartext Storage of Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-13T14:15:40.744Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "WindLDR",
"vendor": "IDEC Corporation",
"versions": [
{
"status": "affected",
"version": "Ver.9.1.0 and earlier"
}
]
},
{
"product": "WindO/I-NV4",
"vendor": "IDEC Corporation",
"versions": [
{
"status": "affected",
"version": "Ver.3.0.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cleartext storage of sensitive information vulnerability exists in WindLDR and WindO/I-NV4. If this vulnerability is exploited, an attacker who obtained the product\u0027s project file may obtain user credentials of the PLC or Operator Interfaces. As a result, an attacker may be able to manipulate and/or suspend the PLC and Operator Interfaces by accessing or hijacking them."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cleartext storage of sensitive information",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-04T00:34:12.610Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://us.idec.com/media/24-RD-0219-EN.pdf"
},
{
"url": "https://jvn.jp/en/jp/JVN08342147/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2024-41716",
"datePublished": "2024-09-04T00:34:12.610Z",
"dateReserved": "2024-08-01T01:18:08.236Z",
"dateUpdated": "2025-03-13T14:15:40.744Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-37400 (GCVE-0-2021-37400)
Vulnerability from nvd – Published: 2021-12-28 12:09 – Updated: 2024-08-04 01:16
VLAI?
Summary
An attacker may obtain the user credentials from the communication between the PLC and the software. As a result, the PLC user program may be uploaded, altered, and/or downloaded.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T01:16:04.056Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://us.idec.com/idec-us/en/USD/Programmable-Logic-Controller/Micro-PLC/FC6A-MicroSmart/c/MicroSmart_FC6A"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://us.idec.com/idec-us/en/USD/Software-Downloads-Automation-Organizer"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.idec.com/home/lp/pdf/2021-12-24-PLC.pdf"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jvn.jp/en/vu/JVNVU92279973/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An attacker may obtain the user credentials from the communication between the PLC and the software. As a result, the PLC user program may be uploaded, altered, and/or downloaded."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-12-28T12:15:05",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://us.idec.com/idec-us/en/USD/Programmable-Logic-Controller/Micro-PLC/FC6A-MicroSmart/c/MicroSmart_FC6A"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://us.idec.com/idec-us/en/USD/Software-Downloads-Automation-Organizer"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.idec.com/home/lp/pdf/2021-12-24-PLC.pdf"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jvn.jp/en/vu/JVNVU92279973/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-37400",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An attacker may obtain the user credentials from the communication between the PLC and the software. As a result, the PLC user program may be uploaded, altered, and/or downloaded."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://us.idec.com/idec-us/en/USD/Programmable-Logic-Controller/Micro-PLC/FC6A-MicroSmart/c/MicroSmart_FC6A",
"refsource": "MISC",
"url": "https://us.idec.com/idec-us/en/USD/Programmable-Logic-Controller/Micro-PLC/FC6A-MicroSmart/c/MicroSmart_FC6A"
},
{
"name": "https://us.idec.com/idec-us/en/USD/Software-Downloads-Automation-Organizer",
"refsource": "MISC",
"url": "https://us.idec.com/idec-us/en/USD/Software-Downloads-Automation-Organizer"
},
{
"name": "https://www.idec.com/home/lp/pdf/2021-12-24-PLC.pdf",
"refsource": "MISC",
"url": "https://www.idec.com/home/lp/pdf/2021-12-24-PLC.pdf"
},
{
"name": "https://jvn.jp/en/vu/JVNVU92279973/",
"refsource": "MISC",
"url": "https://jvn.jp/en/vu/JVNVU92279973/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-37400",
"datePublished": "2021-12-28T12:09:59",
"dateReserved": "2021-07-21T00:00:00",
"dateUpdated": "2024-08-04T01:16:04.056Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-37401 (GCVE-0-2021-37401)
Vulnerability from nvd – Published: 2021-12-28 12:09 – Updated: 2024-08-04 01:16
VLAI?
Summary
An attacker may obtain the user credentials from file servers, backup repositories, or ZLD files saved in SD cards. As a result, the PLC user program may be uploaded, altered, and/or downloaded.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T01:16:03.966Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://us.idec.com/idec-us/en/USD/Programmable-Logic-Controller/Micro-PLC/FC6A-MicroSmart/c/MicroSmart_FC6A"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://us.idec.com/idec-us/en/USD/Software-Downloads-Automation-Organizer"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.idec.com/home/lp/pdf/2021-12-24-PLC.pdf"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jvn.jp/en/vu/JVNVU92279973/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An attacker may obtain the user credentials from file servers, backup repositories, or ZLD files saved in SD cards. As a result, the PLC user program may be uploaded, altered, and/or downloaded."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-12-28T12:16:24",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://us.idec.com/idec-us/en/USD/Programmable-Logic-Controller/Micro-PLC/FC6A-MicroSmart/c/MicroSmart_FC6A"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://us.idec.com/idec-us/en/USD/Software-Downloads-Automation-Organizer"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.idec.com/home/lp/pdf/2021-12-24-PLC.pdf"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jvn.jp/en/vu/JVNVU92279973/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-37401",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An attacker may obtain the user credentials from file servers, backup repositories, or ZLD files saved in SD cards. As a result, the PLC user program may be uploaded, altered, and/or downloaded."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://us.idec.com/idec-us/en/USD/Programmable-Logic-Controller/Micro-PLC/FC6A-MicroSmart/c/MicroSmart_FC6A",
"refsource": "MISC",
"url": "https://us.idec.com/idec-us/en/USD/Programmable-Logic-Controller/Micro-PLC/FC6A-MicroSmart/c/MicroSmart_FC6A"
},
{
"name": "https://us.idec.com/idec-us/en/USD/Software-Downloads-Automation-Organizer",
"refsource": "MISC",
"url": "https://us.idec.com/idec-us/en/USD/Software-Downloads-Automation-Organizer"
},
{
"name": "https://www.idec.com/home/lp/pdf/2021-12-24-PLC.pdf",
"refsource": "MISC",
"url": "https://www.idec.com/home/lp/pdf/2021-12-24-PLC.pdf"
},
{
"name": "https://jvn.jp/en/vu/JVNVU92279973/",
"refsource": "MISC",
"url": "https://jvn.jp/en/vu/JVNVU92279973/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-37401",
"datePublished": "2021-12-28T12:09:52",
"dateReserved": "2021-07-21T00:00:00",
"dateUpdated": "2024-08-04T01:16:03.966Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-20827 (GCVE-0-2021-20827)
Vulnerability from nvd – Published: 2021-12-24 06:30 – Updated: 2024-08-03 17:53
VLAI?
Summary
Plaintext storage of a password vulnerability in IDEC PLCs (FC6A Series MICROSmart All-in-One CPU module v2.32 and earlier, FC6A Series MICROSmart Plus CPU module v1.91 and earlier, WindLDR v8.19.1 and earlier, WindEDIT Lite v1.3.1 and earlier, and Data File Manager v2.12.1 and earlier) allows an attacker to obtain the PLC Web server user credentials from file servers, backup repositories, or ZLD files saved in SD cards. As a result, the attacker may access the PLC Web server and hijack the PLC, and manipulation of the PLC output and/or suspension of the PLC may be conducted.
Severity ?
No CVSS data available.
CWE
- Plaintext storage of a password
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| IDEC Corporation | IDEC PLC |
Affected:
FC6A Series MICROSmart All-in-One CPU module v2.32 and earlier, FC6A Series MICROSmart Plus CPU module v1.91 and earlier, WindLDR v8.19.1 and earlier, WindEDIT Lite v1.3.1 and earlier, and Data File Manager v2.12.1 and earlier
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T17:53:22.806Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.idec.com/home/lp/pdf/2021-12-24-PLC.pdf"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jvn.jp/en/vu/JVNVU92279973/index.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "IDEC PLC",
"vendor": "IDEC Corporation",
"versions": [
{
"status": "affected",
"version": "FC6A Series MICROSmart All-in-One CPU module v2.32 and earlier, FC6A Series MICROSmart Plus CPU module v1.91 and earlier, WindLDR v8.19.1 and earlier, WindEDIT Lite v1.3.1 and earlier, and Data File Manager v2.12.1 and earlier"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Plaintext storage of a password vulnerability in IDEC PLCs (FC6A Series MICROSmart All-in-One CPU module v2.32 and earlier, FC6A Series MICROSmart Plus CPU module v1.91 and earlier, WindLDR v8.19.1 and earlier, WindEDIT Lite v1.3.1 and earlier, and Data File Manager v2.12.1 and earlier) allows an attacker to obtain the PLC Web server user credentials from file servers, backup repositories, or ZLD files saved in SD cards. As a result, the attacker may access the PLC Web server and hijack the PLC, and manipulation of the PLC output and/or suspension of the PLC may be conducted."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Plaintext storage of a password",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-12-24T06:30:27",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.idec.com/home/lp/pdf/2021-12-24-PLC.pdf"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jvn.jp/en/vu/JVNVU92279973/index.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vultures@jpcert.or.jp",
"ID": "CVE-2021-20827",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "IDEC PLC",
"version": {
"version_data": [
{
"version_value": "FC6A Series MICROSmart All-in-One CPU module v2.32 and earlier, FC6A Series MICROSmart Plus CPU module v1.91 and earlier, WindLDR v8.19.1 and earlier, WindEDIT Lite v1.3.1 and earlier, and Data File Manager v2.12.1 and earlier"
}
]
}
}
]
},
"vendor_name": "IDEC Corporation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Plaintext storage of a password vulnerability in IDEC PLCs (FC6A Series MICROSmart All-in-One CPU module v2.32 and earlier, FC6A Series MICROSmart Plus CPU module v1.91 and earlier, WindLDR v8.19.1 and earlier, WindEDIT Lite v1.3.1 and earlier, and Data File Manager v2.12.1 and earlier) allows an attacker to obtain the PLC Web server user credentials from file servers, backup repositories, or ZLD files saved in SD cards. As a result, the attacker may access the PLC Web server and hijack the PLC, and manipulation of the PLC output and/or suspension of the PLC may be conducted."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Plaintext storage of a password"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.idec.com/home/lp/pdf/2021-12-24-PLC.pdf",
"refsource": "MISC",
"url": "https://www.idec.com/home/lp/pdf/2021-12-24-PLC.pdf"
},
{
"name": "https://jvn.jp/en/vu/JVNVU92279973/index.html",
"refsource": "MISC",
"url": "https://jvn.jp/en/vu/JVNVU92279973/index.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2021-20827",
"datePublished": "2021-12-24T06:30:27",
"dateReserved": "2020-12-17T00:00:00",
"dateUpdated": "2024-08-03T17:53:22.806Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-20826 (GCVE-0-2021-20826)
Vulnerability from nvd – Published: 2021-12-24 06:30 – Updated: 2024-08-03 17:53
VLAI?
Summary
Unprotected transport of credentials vulnerability in IDEC PLCs (FC6A Series MICROSmart All-in-One CPU module v2.32 and earlier, FC6A Series MICROSmart Plus CPU module v1.91 and earlier, WindLDR v8.19.1 and earlier, WindEDIT Lite v1.3.1 and earlier, and Data File Manager v2.12.1 and earlier) allows an attacker to obtain the PLC Web server user credentials from the communication between the PLC and the software. As a result, the complete access privileges to the PLC Web server may be obtained, and manipulation of the PLC output and/or suspension of the PLC may be conducted.
Severity ?
No CVSS data available.
CWE
- Unprotected transport of credentials
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| IDEC Corporation | IDEC PLC |
Affected:
FC6A Series MICROSmart All-in-One CPU module v2.32 and earlier, FC6A Series MICROSmart Plus CPU module v1.91 and earlier, WindLDR v8.19.1 and earlier, WindEDIT Lite v1.3.1 and earlier, and Data File Manager v2.12.1 and earlier
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T17:53:22.508Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.idec.com/home/lp/pdf/2021-12-24-PLC.pdf"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jvn.jp/en/vu/JVNVU92279973/index.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "IDEC PLC",
"vendor": "IDEC Corporation",
"versions": [
{
"status": "affected",
"version": "FC6A Series MICROSmart All-in-One CPU module v2.32 and earlier, FC6A Series MICROSmart Plus CPU module v1.91 and earlier, WindLDR v8.19.1 and earlier, WindEDIT Lite v1.3.1 and earlier, and Data File Manager v2.12.1 and earlier"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Unprotected transport of credentials vulnerability in IDEC PLCs (FC6A Series MICROSmart All-in-One CPU module v2.32 and earlier, FC6A Series MICROSmart Plus CPU module v1.91 and earlier, WindLDR v8.19.1 and earlier, WindEDIT Lite v1.3.1 and earlier, and Data File Manager v2.12.1 and earlier) allows an attacker to obtain the PLC Web server user credentials from the communication between the PLC and the software. As a result, the complete access privileges to the PLC Web server may be obtained, and manipulation of the PLC output and/or suspension of the PLC may be conducted."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Unprotected transport of credentials",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-12-24T06:30:26",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.idec.com/home/lp/pdf/2021-12-24-PLC.pdf"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jvn.jp/en/vu/JVNVU92279973/index.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vultures@jpcert.or.jp",
"ID": "CVE-2021-20826",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "IDEC PLC",
"version": {
"version_data": [
{
"version_value": "FC6A Series MICROSmart All-in-One CPU module v2.32 and earlier, FC6A Series MICROSmart Plus CPU module v1.91 and earlier, WindLDR v8.19.1 and earlier, WindEDIT Lite v1.3.1 and earlier, and Data File Manager v2.12.1 and earlier"
}
]
}
}
]
},
"vendor_name": "IDEC Corporation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Unprotected transport of credentials vulnerability in IDEC PLCs (FC6A Series MICROSmart All-in-One CPU module v2.32 and earlier, FC6A Series MICROSmart Plus CPU module v1.91 and earlier, WindLDR v8.19.1 and earlier, WindEDIT Lite v1.3.1 and earlier, and Data File Manager v2.12.1 and earlier) allows an attacker to obtain the PLC Web server user credentials from the communication between the PLC and the software. As a result, the complete access privileges to the PLC Web server may be obtained, and manipulation of the PLC output and/or suspension of the PLC may be conducted."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Unprotected transport of credentials"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.idec.com/home/lp/pdf/2021-12-24-PLC.pdf",
"refsource": "MISC",
"url": "https://www.idec.com/home/lp/pdf/2021-12-24-PLC.pdf"
},
{
"name": "https://jvn.jp/en/vu/JVNVU92279973/index.html",
"refsource": "MISC",
"url": "https://jvn.jp/en/vu/JVNVU92279973/index.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2021-20826",
"datePublished": "2021-12-24T06:30:26",
"dateReserved": "2020-12-17T00:00:00",
"dateUpdated": "2024-08-03T17:53:22.508Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
VAR-202112-2026
Vulnerability from variot - Updated: 2023-12-18 12:26An attacker may obtain the user credentials from file servers, backup repositories, or ZLD files saved in SD cards. As a result, the PLC user program may be uploaded, altered, and/or downloaded. IDEC Provided by Co., Ltd. PLC The following multiple vulnerabilities exist in. * Sending unprotected credentials ( CWE-523 ) - CVE-2021-37400 ‥ * Plaintext storage of authentication information ( CWE-256 ) - CVE-2021-374010 ‥ * Sending unprotected credentials ( CWE-523 ) - CVE-2021-20826 ‥ * Plaintext storage of authentication information ( CWE-256 ) - CVE-2021-20827 This vulnerability information is reported directly to the product developer by the following reporter, and is provided by the product developer. JPCERT/CC There is an adjustment request in JPCERT/CC Is a reporter, product developer, ICS-CERT We made adjustments with and announced it. Reporter : FM Approvals Khalid Ansari MrThe expected impact depends on each vulnerability, but it may be affected as follows. * By a third party PLC User authentication information is obtained from the communication between the software and the software. ZLD From the file, the user's credentials are obtained by a third party. - CVE-2021-37401 ‥ * By a third party PLC From communication between software and PLC Web The server user's authentication information is acquired. as a result, PLC Web Deprived of full access to the server, PLC The output of PLC Is stopped - CVE-2021-20826 ‥ * File server, backup repository, SD Saved on a card etc. ZLD From the file, by a third party PLC Web The server user's authentication information is acquired. as a result, PLC Web Connect to the server and PLC By being hijacked PLC The output of PLC Is stopped - CVE-2021-20827 ‥ * Data file manager v2.13.0 And later. IDEC PLC is a programmable controller
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202112-2026",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "microsmart fc6a",
"scope": "lte",
"trust": 1.0,
"vendor": "idec",
"version": "2.32"
},
{
"model": "windedit",
"scope": "lte",
"trust": 1.0,
"vendor": "idec",
"version": "1.3.1"
},
{
"model": "ft1a smartaxix lite",
"scope": "lte",
"trust": 1.0,
"vendor": "idec",
"version": "2.31"
},
{
"model": "microsmart fc6b",
"scope": "lte",
"trust": 1.0,
"vendor": "idec",
"version": "2.31"
},
{
"model": "microsmart plus fc6a",
"scope": "lte",
"trust": 1.0,
"vendor": "idec",
"version": "1.91"
},
{
"model": "data file manager",
"scope": "lte",
"trust": 1.0,
"vendor": "idec",
"version": "2.12.1"
},
{
"model": "windldr",
"scope": "lte",
"trust": 1.0,
"vendor": "idec",
"version": "8.19.1"
},
{
"model": "microsmart plus fc6b",
"scope": "lte",
"trust": 1.0,
"vendor": "idec",
"version": "2.31"
},
{
"model": "ft1a smartaxix pro",
"scope": "lte",
"trust": 1.0,
"vendor": "idec",
"version": "2.31"
},
{
"model": "ft1a \u5f62 \u30b3\u30f3\u30c8\u30ed\u30fc\u30e9 smartaxis pro/lite",
"scope": null,
"trust": 0.8,
"vendor": "idec\u682a\u5f0f\u4f1a\u793e",
"version": null
},
{
"model": "fc6a \u5f62 microsmart all-in-one cpu \u30e2\u30b8\u30e5\u30fc\u30eb",
"scope": null,
"trust": 0.8,
"vendor": "idec\u682a\u5f0f\u4f1a\u793e",
"version": null
},
{
"model": "fc6a \u5f62 microsmart plus cpu \u30e2\u30b8\u30e5\u30fc\u30eb",
"scope": null,
"trust": 0.8,
"vendor": "idec\u682a\u5f0f\u4f1a\u793e",
"version": null
},
{
"model": "fc6b \u5f62 microsmart plus cpu \u30e2\u30b8\u30e5\u30fc\u30eb",
"scope": null,
"trust": 0.8,
"vendor": "idec\u682a\u5f0f\u4f1a\u793e",
"version": null
},
{
"model": "windldr",
"scope": null,
"trust": 0.8,
"vendor": "idec\u682a\u5f0f\u4f1a\u793e",
"version": null
},
{
"model": "windedit lite",
"scope": null,
"trust": 0.8,
"vendor": "idec\u682a\u5f0f\u4f1a\u793e",
"version": null
},
{
"model": "\u30c7\u30fc\u30bf \u30d5\u30a1\u30a4\u30eb \u30de\u30cd\u30fc\u30b8\u30e3\u30fc",
"scope": null,
"trust": 0.8,
"vendor": "idec\u682a\u5f0f\u4f1a\u793e",
"version": null
},
{
"model": "fc6b \u5f62 microsmart all-in-one cpu \u30e2\u30b8\u30e5\u30fc\u30eb",
"scope": null,
"trust": 0.8,
"vendor": "idec\u682a\u5f0f\u4f1a\u793e",
"version": null
},
{
"model": "plc",
"scope": null,
"trust": 0.6,
"vendor": "idec",
"version": null
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2022-02761"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-006117"
},
{
"db": "NVD",
"id": "CVE-2021-37401"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:idec:data_file_manager:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "2.12.1",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:idec:windedit:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "1.3.1",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:idec:windldr:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "8.19.1",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:idec:microsmart_plus_fc6b_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "2.31",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:idec:microsmart_plus_fc6b:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:idec:microsmart_plus_fc6a_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "1.91",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:idec:microsmart_plus_fc6a:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:idec:microsmart_fc6b_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "2.31",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:idec:microsmart_fc6b:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:idec:microsmart_fc6a_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "2.32",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:idec:microsmart_fc6a:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:idec:ft1a_smartaxix_pro_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "2.31",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:idec:ft1a_smartaxix_pro:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:idec:ft1a_smartaxix_lite_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "2.31",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:idec:ft1a_smartaxix_lite:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2021-37401"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Khalid Ansari of FM Approvals reported these vulnerabilities to IDEC Corporation.",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202112-2603"
}
],
"trust": 0.6
},
"cve": "CVE-2021-37401",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "NVD",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "HIGH",
"trust": 1.0,
"userInteractionRequired": false,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"id": "CNVD-2022-02761",
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"severity": "HIGH",
"trust": 0.6,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULMON",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"id": "CVE-2021-37401",
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "HIGH",
"trust": 0.1,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "NVD",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
{
"attackComplexity": "Low",
"attackVector": "Adjacent Network",
"author": "OTHER",
"availabilityImpact": "Low",
"baseScore": 7.6,
"baseSeverity": "High",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "JVNDB-2021-006117",
"impactScore": null,
"integrityImpact": "Low",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
"version": "3.0"
}
],
"severity": [
{
"author": "NVD",
"id": "CVE-2021-37401",
"trust": 1.0,
"value": "CRITICAL"
},
{
"author": "OTHER",
"id": "JVNDB-2021-006117",
"trust": 0.8,
"value": "High"
},
{
"author": "CNVD",
"id": "CNVD-2022-02761",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "CNNVD",
"id": "CNNVD-202112-2603",
"trust": 0.6,
"value": "CRITICAL"
},
{
"author": "VULMON",
"id": "CVE-2021-37401",
"trust": 0.1,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2022-02761"
},
{
"db": "VULMON",
"id": "CVE-2021-37401"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-006117"
},
{
"db": "NVD",
"id": "CVE-2021-37401"
},
{
"db": "CNNVD",
"id": "CNNVD-202112-2603"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "An attacker may obtain the user credentials from file servers, backup repositories, or ZLD files saved in SD cards. As a result, the PLC user program may be uploaded, altered, and/or downloaded. IDEC Provided by Co., Ltd. PLC The following multiple vulnerabilities exist in. * Sending unprotected credentials ( CWE-523 ) - CVE-2021-37400 \u2025 * Plaintext storage of authentication information ( CWE-256 ) - CVE-2021-374010 \u2025 * Sending unprotected credentials ( CWE-523 ) - CVE-2021-20826 \u2025 * Plaintext storage of authentication information ( CWE-256 ) - CVE-2021-20827 This vulnerability information is reported directly to the product developer by the following reporter, and is provided by the product developer. JPCERT/CC There is an adjustment request in JPCERT/CC Is a reporter, product developer, ICS-CERT We made adjustments with and announced it. Reporter : FM Approvals Khalid Ansari MrThe expected impact depends on each vulnerability, but it may be affected as follows. * By a third party PLC User authentication information is obtained from the communication between the software and the software. ZLD From the file, the user\u0027s credentials are obtained by a third party. - CVE-2021-37401 \u2025 * By a third party PLC From communication between software and PLC Web The server user\u0027s authentication information is acquired. as a result, PLC Web Deprived of full access to the server, PLC The output of PLC Is stopped - CVE-2021-20826 \u2025 * File server, backup repository, SD Saved on a card etc. ZLD From the file, by a third party PLC Web The server user\u0027s authentication information is acquired. as a result, PLC Web Connect to the server and PLC By being hijacked PLC The output of PLC Is stopped - CVE-2021-20827 \u2025 * Data file manager v2.13.0 And later. IDEC PLC is a programmable controller",
"sources": [
{
"db": "NVD",
"id": "CVE-2021-37401"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-006117"
},
{
"db": "CNVD",
"id": "CNVD-2022-02761"
},
{
"db": "VULMON",
"id": "CVE-2021-37401"
}
],
"trust": 2.25
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2021-37401",
"trust": 3.1
},
{
"db": "JVN",
"id": "JVNVU92279973",
"trust": 2.5
},
{
"db": "ICS CERT",
"id": "ICSA-22-006-03",
"trust": 1.4
},
{
"db": "JVNDB",
"id": "JVNDB-2021-006117",
"trust": 1.4
},
{
"db": "CNVD",
"id": "CNVD-2022-02761",
"trust": 0.6
},
{
"db": "CS-HELP",
"id": "SB2022010709",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2022.0083",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-202112-2603",
"trust": 0.6
},
{
"db": "VULMON",
"id": "CVE-2021-37401",
"trust": 0.1
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2022-02761"
},
{
"db": "VULMON",
"id": "CVE-2021-37401"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-006117"
},
{
"db": "NVD",
"id": "CVE-2021-37401"
},
{
"db": "CNNVD",
"id": "CNNVD-202112-2603"
}
]
},
"id": "VAR-202112-2026",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2022-02761"
}
],
"trust": 1.6
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"ICS"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2022-02761"
}
]
},
"last_update_date": "2023-12-18T12:26:30.489000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "Our company \u00a0PLC\u00a0 Contact regarding the vulnerability of",
"trust": 0.8,
"url": "https://support.quest.com/ja-jp/kb/288310/cert-coordination-center-report-update"
},
{
"title": "Patch for Unknown Vulnerability in IDEC PLC (CNVD-2022-02761)",
"trust": 0.6,
"url": "https://www.cnvd.org.cn/patchinfo/show/313186"
},
{
"title": "IDEC PLC Security vulnerabilities",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=176482"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2022-02761"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-006117"
},
{
"db": "CNNVD",
"id": "CNNVD-202112-2603"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-522",
"trust": 1.0
},
{
"problemtype": "Plaintext storage of credentials (CWE-256) [ Other ]",
"trust": 0.8
},
{
"problemtype": " Unprotected transfer of credentials (CWE-523) [ Other ]",
"trust": 0.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2021-006117"
},
{
"db": "NVD",
"id": "CVE-2021-37401"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 1.7,
"url": "https://us.idec.com/idec-us/en/usd/software-downloads-automation-organizer"
},
{
"trust": 1.7,
"url": "https://www.idec.com/home/lp/pdf/2021-12-24-plc.pdf"
},
{
"trust": 1.7,
"url": "https://us.idec.com/idec-us/en/usd/programmable-logic-controller/micro-plc/fc6a-microsmart/c/microsmart_fc6a"
},
{
"trust": 1.7,
"url": "https://jvn.jp/en/vu/jvnvu92279973/"
},
{
"trust": 0.8,
"url": "http://jvn.jp/cert/jvnvu92279973/"
},
{
"trust": 0.8,
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-006-03"
},
{
"trust": 0.6,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-37401"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2022010709"
},
{
"trust": 0.6,
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-22-006-03"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2022.0083"
},
{
"trust": 0.6,
"url": "https://jvndb.jvn.jp/en/contents/2021/jvndb-2021-006117.html"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/522.html"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2022-02761"
},
{
"db": "VULMON",
"id": "CVE-2021-37401"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-006117"
},
{
"db": "NVD",
"id": "CVE-2021-37401"
},
{
"db": "CNNVD",
"id": "CNNVD-202112-2603"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CNVD",
"id": "CNVD-2022-02761"
},
{
"db": "VULMON",
"id": "CVE-2021-37401"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-006117"
},
{
"db": "NVD",
"id": "CVE-2021-37401"
},
{
"db": "CNNVD",
"id": "CNNVD-202112-2603"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2022-01-12T00:00:00",
"db": "CNVD",
"id": "CNVD-2022-02761"
},
{
"date": "2021-12-28T00:00:00",
"db": "VULMON",
"id": "CVE-2021-37401"
},
{
"date": "2021-12-27T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2021-006117"
},
{
"date": "2021-12-28T13:15:08.267000",
"db": "NVD",
"id": "CVE-2021-37401"
},
{
"date": "2021-12-24T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202112-2603"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2022-01-18T00:00:00",
"db": "CNVD",
"id": "CNVD-2022-02761"
},
{
"date": "2022-01-07T00:00:00",
"db": "VULMON",
"id": "CVE-2021-37401"
},
{
"date": "2022-01-11T07:34:00",
"db": "JVNDB",
"id": "JVNDB-2021-006117"
},
{
"date": "2022-01-07T20:29:50.673000",
"db": "NVD",
"id": "CVE-2021-37401"
},
{
"date": "2022-01-10T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202112-2603"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202112-2603"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "IDEC\u00a0 Made \u00a0PLC\u00a0 Multiple vulnerabilities in",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2021-006117"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "other",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202112-2603"
}
],
"trust": 0.6
}
}
VAR-202112-2027
Vulnerability from variot - Updated: 2023-12-18 12:26An attacker may obtain the user credentials from the communication between the PLC and the software. As a result, the PLC user program may be uploaded, altered, and/or downloaded. IDEC Provided by Co., Ltd. PLC The following multiple vulnerabilities exist in. * Sending unprotected credentials ( CWE-523 ) - CVE-2021-37400 ‥ * Plaintext storage of authentication information ( CWE-256 ) - CVE-2021-374010 ‥ * Sending unprotected credentials ( CWE-523 ) - CVE-2021-20826 ‥ * Plaintext storage of authentication information ( CWE-256 ) - CVE-2021-20827 This vulnerability information is reported directly to the product developer by the following reporter, and is provided by the product developer. JPCERT/CC There is an adjustment request in JPCERT/CC Is a reporter, product developer, ICS-CERT We made adjustments with and announced it. Reporter : FM Approvals Khalid Ansari MrThe expected impact depends on each vulnerability, but it may be affected as follows. - CVE-2021-37400 ‥ * File server, backup repository, SD Saved on a card etc. ZLD From the file, the user's credentials are obtained by a third party. as a result, PLC Web Deprived of full access to the server, PLC The output of PLC Is stopped - CVE-2021-20826 ‥ * File server, backup repository, SD Saved on a card etc. ZLD From the file, by a third party PLC Web The server user's authentication information is acquired. as a result, PLC Web Connect to the server and PLC By being hijacked PLC The output of PLC Is stopped - CVE-2021-20827 ‥ * Data file manager v2.13.0 And later. IDEC PLC is a programmable controller
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202112-2027",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "microsmart fc6a",
"scope": "lte",
"trust": 1.0,
"vendor": "idec",
"version": "2.32"
},
{
"model": "windedit",
"scope": "lte",
"trust": 1.0,
"vendor": "idec",
"version": "1.3.1"
},
{
"model": "ft1a smartaxix lite",
"scope": "lte",
"trust": 1.0,
"vendor": "idec",
"version": "2.31"
},
{
"model": "microsmart fc6b",
"scope": "lte",
"trust": 1.0,
"vendor": "idec",
"version": "2.31"
},
{
"model": "microsmart plus fc6a",
"scope": "lte",
"trust": 1.0,
"vendor": "idec",
"version": "1.91"
},
{
"model": "data file manager",
"scope": "lte",
"trust": 1.0,
"vendor": "idec",
"version": "2.12.1"
},
{
"model": "windldr",
"scope": "lte",
"trust": 1.0,
"vendor": "idec",
"version": "8.19.1"
},
{
"model": "microsmart plus fc6b",
"scope": "lte",
"trust": 1.0,
"vendor": "idec",
"version": "2.31"
},
{
"model": "ft1a smartaxix pro",
"scope": "lte",
"trust": 1.0,
"vendor": "idec",
"version": "2.31"
},
{
"model": "ft1a \u5f62 \u30b3\u30f3\u30c8\u30ed\u30fc\u30e9 smartaxis pro/lite",
"scope": null,
"trust": 0.8,
"vendor": "idec\u682a\u5f0f\u4f1a\u793e",
"version": null
},
{
"model": "fc6a \u5f62 microsmart all-in-one cpu \u30e2\u30b8\u30e5\u30fc\u30eb",
"scope": null,
"trust": 0.8,
"vendor": "idec\u682a\u5f0f\u4f1a\u793e",
"version": null
},
{
"model": "fc6a \u5f62 microsmart plus cpu \u30e2\u30b8\u30e5\u30fc\u30eb",
"scope": null,
"trust": 0.8,
"vendor": "idec\u682a\u5f0f\u4f1a\u793e",
"version": null
},
{
"model": "fc6b \u5f62 microsmart plus cpu \u30e2\u30b8\u30e5\u30fc\u30eb",
"scope": null,
"trust": 0.8,
"vendor": "idec\u682a\u5f0f\u4f1a\u793e",
"version": null
},
{
"model": "windldr",
"scope": null,
"trust": 0.8,
"vendor": "idec\u682a\u5f0f\u4f1a\u793e",
"version": null
},
{
"model": "windedit lite",
"scope": null,
"trust": 0.8,
"vendor": "idec\u682a\u5f0f\u4f1a\u793e",
"version": null
},
{
"model": "\u30c7\u30fc\u30bf \u30d5\u30a1\u30a4\u30eb \u30de\u30cd\u30fc\u30b8\u30e3\u30fc",
"scope": null,
"trust": 0.8,
"vendor": "idec\u682a\u5f0f\u4f1a\u793e",
"version": null
},
{
"model": "fc6b \u5f62 microsmart all-in-one cpu \u30e2\u30b8\u30e5\u30fc\u30eb",
"scope": null,
"trust": 0.8,
"vendor": "idec\u682a\u5f0f\u4f1a\u793e",
"version": null
},
{
"model": "plc",
"scope": null,
"trust": 0.6,
"vendor": "idec",
"version": null
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2022-02762"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-006117"
},
{
"db": "NVD",
"id": "CVE-2021-37400"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:idec:data_file_manager:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "2.12.1",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:idec:windedit:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "1.3.1",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:idec:windldr:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "8.19.1",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:idec:microsmart_plus_fc6b_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "2.31",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:idec:microsmart_plus_fc6b:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:idec:microsmart_plus_fc6a_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "1.91",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:idec:microsmart_plus_fc6a:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:idec:microsmart_fc6b_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "2.31",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:idec:microsmart_fc6b:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:idec:microsmart_fc6a_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "2.32",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:idec:microsmart_fc6a:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:idec:ft1a_smartaxix_pro_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "2.31",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:idec:ft1a_smartaxix_pro:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:idec:ft1a_smartaxix_lite_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "2.31",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:idec:ft1a_smartaxix_lite:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2021-37400"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Khalid Ansari of FM Approvals reported these vulnerabilities to IDEC Corporation.",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202112-2604"
}
],
"trust": 0.6
},
"cve": "CVE-2021-37400",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "NVD",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "HIGH",
"trust": 1.0,
"userInteractionRequired": false,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"id": "CNVD-2022-02762",
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"severity": "HIGH",
"trust": 0.6,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULMON",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"id": "CVE-2021-37400",
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "HIGH",
"trust": 0.1,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "NVD",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
{
"attackComplexity": "Low",
"attackVector": "Adjacent Network",
"author": "OTHER",
"availabilityImpact": "Low",
"baseScore": 7.6,
"baseSeverity": "High",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "JVNDB-2021-006117",
"impactScore": null,
"integrityImpact": "Low",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
"version": "3.0"
}
],
"severity": [
{
"author": "NVD",
"id": "CVE-2021-37400",
"trust": 1.0,
"value": "CRITICAL"
},
{
"author": "OTHER",
"id": "JVNDB-2021-006117",
"trust": 0.8,
"value": "High"
},
{
"author": "CNVD",
"id": "CNVD-2022-02762",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "CNNVD",
"id": "CNNVD-202112-2604",
"trust": 0.6,
"value": "CRITICAL"
},
{
"author": "VULMON",
"id": "CVE-2021-37400",
"trust": 0.1,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2022-02762"
},
{
"db": "VULMON",
"id": "CVE-2021-37400"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-006117"
},
{
"db": "NVD",
"id": "CVE-2021-37400"
},
{
"db": "CNNVD",
"id": "CNNVD-202112-2604"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "An attacker may obtain the user credentials from the communication between the PLC and the software. As a result, the PLC user program may be uploaded, altered, and/or downloaded. IDEC Provided by Co., Ltd. PLC The following multiple vulnerabilities exist in. * Sending unprotected credentials ( CWE-523 ) - CVE-2021-37400 \u2025 * Plaintext storage of authentication information ( CWE-256 ) - CVE-2021-374010 \u2025 * Sending unprotected credentials ( CWE-523 ) - CVE-2021-20826 \u2025 * Plaintext storage of authentication information ( CWE-256 ) - CVE-2021-20827 This vulnerability information is reported directly to the product developer by the following reporter, and is provided by the product developer. JPCERT/CC There is an adjustment request in JPCERT/CC Is a reporter, product developer, ICS-CERT We made adjustments with and announced it. Reporter : FM Approvals Khalid Ansari MrThe expected impact depends on each vulnerability, but it may be affected as follows. - CVE-2021-37400 \u2025 * File server, backup repository, SD Saved on a card etc. ZLD From the file, the user\u0027s credentials are obtained by a third party. as a result, PLC Web Deprived of full access to the server, PLC The output of PLC Is stopped - CVE-2021-20826 \u2025 * File server, backup repository, SD Saved on a card etc. ZLD From the file, by a third party PLC Web The server user\u0027s authentication information is acquired. as a result, PLC Web Connect to the server and PLC By being hijacked PLC The output of PLC Is stopped - CVE-2021-20827 \u2025 * Data file manager v2.13.0 And later. IDEC PLC is a programmable controller",
"sources": [
{
"db": "NVD",
"id": "CVE-2021-37400"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-006117"
},
{
"db": "CNVD",
"id": "CNVD-2022-02762"
},
{
"db": "VULMON",
"id": "CVE-2021-37400"
}
],
"trust": 2.25
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2021-37400",
"trust": 3.1
},
{
"db": "JVN",
"id": "JVNVU92279973",
"trust": 2.5
},
{
"db": "ICS CERT",
"id": "ICSA-22-006-03",
"trust": 1.4
},
{
"db": "JVNDB",
"id": "JVNDB-2021-006117",
"trust": 1.4
},
{
"db": "CNVD",
"id": "CNVD-2022-02762",
"trust": 0.6
},
{
"db": "CS-HELP",
"id": "SB2022010709",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2022.0083",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-202112-2604",
"trust": 0.6
},
{
"db": "VULMON",
"id": "CVE-2021-37400",
"trust": 0.1
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2022-02762"
},
{
"db": "VULMON",
"id": "CVE-2021-37400"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-006117"
},
{
"db": "NVD",
"id": "CVE-2021-37400"
},
{
"db": "CNNVD",
"id": "CNNVD-202112-2604"
}
]
},
"id": "VAR-202112-2027",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2022-02762"
}
],
"trust": 1.6
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"ICS"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2022-02762"
}
]
},
"last_update_date": "2023-12-18T12:26:30.436000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "Our company \u00a0PLC\u00a0 Contact regarding the vulnerability of",
"trust": 0.8,
"url": "https://support.quest.com/ja-jp/kb/288310/cert-coordination-center-report-update"
},
{
"title": "Patch for Unknown Vulnerability in IDEC PLC",
"trust": 0.6,
"url": "https://www.cnvd.org.cn/patchinfo/show/313181"
},
{
"title": "IDEC PLC Security vulnerabilities",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=176483"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2022-02762"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-006117"
},
{
"db": "CNNVD",
"id": "CNNVD-202112-2604"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-522",
"trust": 1.0
},
{
"problemtype": "Plaintext storage of credentials (CWE-256) [ Other ]",
"trust": 0.8
},
{
"problemtype": " Unprotected transfer of credentials (CWE-523) [ Other ]",
"trust": 0.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2021-006117"
},
{
"db": "NVD",
"id": "CVE-2021-37400"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 1.7,
"url": "https://us.idec.com/idec-us/en/usd/software-downloads-automation-organizer"
},
{
"trust": 1.7,
"url": "https://www.idec.com/home/lp/pdf/2021-12-24-plc.pdf"
},
{
"trust": 1.7,
"url": "https://us.idec.com/idec-us/en/usd/programmable-logic-controller/micro-plc/fc6a-microsmart/c/microsmart_fc6a"
},
{
"trust": 1.7,
"url": "https://jvn.jp/en/vu/jvnvu92279973/"
},
{
"trust": 0.8,
"url": "http://jvn.jp/cert/jvnvu92279973/"
},
{
"trust": 0.8,
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-006-03"
},
{
"trust": 0.6,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-37400"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2022010709"
},
{
"trust": 0.6,
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-22-006-03"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2022.0083"
},
{
"trust": 0.6,
"url": "https://jvndb.jvn.jp/en/contents/2021/jvndb-2021-006117.html"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/522.html"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2022-02762"
},
{
"db": "VULMON",
"id": "CVE-2021-37400"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-006117"
},
{
"db": "NVD",
"id": "CVE-2021-37400"
},
{
"db": "CNNVD",
"id": "CNNVD-202112-2604"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CNVD",
"id": "CNVD-2022-02762"
},
{
"db": "VULMON",
"id": "CVE-2021-37400"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-006117"
},
{
"db": "NVD",
"id": "CVE-2021-37400"
},
{
"db": "CNNVD",
"id": "CNNVD-202112-2604"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2022-01-12T00:00:00",
"db": "CNVD",
"id": "CNVD-2022-02762"
},
{
"date": "2021-12-28T00:00:00",
"db": "VULMON",
"id": "CVE-2021-37400"
},
{
"date": "2021-12-27T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2021-006117"
},
{
"date": "2021-12-28T13:15:08.207000",
"db": "NVD",
"id": "CVE-2021-37400"
},
{
"date": "2021-12-24T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202112-2604"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2022-01-18T00:00:00",
"db": "CNVD",
"id": "CNVD-2022-02762"
},
{
"date": "2022-01-07T00:00:00",
"db": "VULMON",
"id": "CVE-2021-37400"
},
{
"date": "2022-01-11T07:34:00",
"db": "JVNDB",
"id": "JVNDB-2021-006117"
},
{
"date": "2022-01-07T20:40:19.347000",
"db": "NVD",
"id": "CVE-2021-37400"
},
{
"date": "2022-01-10T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202112-2604"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202112-2604"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "IDEC\u00a0 Made \u00a0PLC\u00a0 Multiple vulnerabilities in",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2021-006117"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "other",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202112-2604"
}
],
"trust": 0.6
}
}
JVNDB-2021-006117
Vulnerability from jvndb - Published: 2021-12-27 16:54 - Updated:2022-01-11 16:36
Severity ?
Summary
Multiple vulnerabilities in IDEC PLCs
Details
Multiple PLCs provided by IDEC Corporation contain multiple vulnerabilities listed below.
* Unprotected transport of credentials (CWE-523) - CVE-2021-37400
* Plaintext storage of a password (CWE-256) - CVE-2021-37401
* Unprotected transport of credentials (CWE-523) - CVE-2021-20826
* Plaintext storage of a password (CWE-256) - CVE-2021-20827
Khalid Ansari of FM Approvals reported these vulnerabilities to IDEC Corporation, and IDEC Corporation reported
the case to JPCERT/CC and coordinated in order to notify users of the solutions through JVN.
References
| Type | URL | |
|---|---|---|
|
|
||
Impacted products
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2021/JVNDB-2021-006117.html",
"dc:date": "2022-01-11T16:36+09:00",
"dcterms:issued": "2021-12-27T16:54+09:00",
"dcterms:modified": "2022-01-11T16:36+09:00",
"description": "Multiple PLCs provided by IDEC Corporation contain multiple vulnerabilities listed below.\r\n\r\n* Unprotected transport of credentials (CWE-523) - CVE-2021-37400\r\n* Plaintext storage of a password (CWE-256) - CVE-2021-37401\r\n* Unprotected transport of credentials (CWE-523) - CVE-2021-20826\r\n* Plaintext storage of a password (CWE-256) - CVE-2021-20827\r\n\r\nKhalid Ansari of FM Approvals reported these vulnerabilities to IDEC Corporation, and IDEC Corporation reported\r\nthe case to JPCERT/CC and coordinated in order to notify users of the solutions through JVN.",
"link": "https://jvndb.jvn.jp/en/contents/2021/JVNDB-2021-006117.html",
"sec:cpe": [
{
"#text": "cpe:/a:idec:data_file_manager",
"@product": "Data File Manager",
"@vendor": "IDEC Corporation",
"@version": "2.2"
},
{
"#text": "cpe:/a:idec:windedit",
"@product": "WindEDIT Lite",
"@vendor": "IDEC Corporation",
"@version": "2.2"
},
{
"#text": "cpe:/a:idec:windldr",
"@product": "WindLDR",
"@vendor": "IDEC Corporation",
"@version": "2.2"
},
{
"#text": "cpe:/o:idec:ft1a_smartaxix_pro_firmware",
"@product": "FT1A Controller SmartAXIS Pro/Lite",
"@vendor": "IDEC Corporation",
"@version": "2.2"
},
{
"#text": "cpe:/o:idec:microsmart_fc6a_firmware",
"@product": "FC6A MICROSmart All-in-One CPU Module",
"@vendor": "IDEC Corporation",
"@version": "2.2"
},
{
"#text": "cpe:/o:idec:microsmart_fc6b_firmware",
"@product": "FC6B MICROSmart All-in-One CPU Module",
"@vendor": "IDEC Corporation",
"@version": "2.2"
},
{
"#text": "cpe:/o:idec:microsmart_plus_fc6a_firmware",
"@product": "FC6A MICROSmart Plus CPU Module",
"@vendor": "IDEC Corporation",
"@version": "2.2"
},
{
"#text": "cpe:/o:idec:microsmart_plus_fc6b_firmware",
"@product": "FC6B MICROSmart Plus CPU Module",
"@vendor": "IDEC Corporation",
"@version": "2.2"
}
],
"sec:cvss": [
{
"@score": "7.5",
"@severity": "High",
"@type": "Base",
"@vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"@version": "2.0"
},
{
"@score": "7.6",
"@severity": "High",
"@type": "Base",
"@vector": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
"@version": "3.0"
}
],
"sec:identifier": "JVNDB-2021-006117",
"sec:references": [
{
"#text": "https://jvn.jp/en/vu/JVNVU92279973/index.html",
"@id": "JVNVU#92279973",
"@source": "JVN"
},
{
"#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37400",
"@id": "CVE-2021-37400",
"@source": "CVE"
},
{
"#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37401",
"@id": "CVE-2021-37401",
"@source": "CVE"
},
{
"#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20826",
"@id": "CVE-2021-20826",
"@source": "CVE"
},
{
"#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20827",
"@id": "CVE-2021-20827",
"@source": "CVE"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2021-20826",
"@id": "CVE-2021-20826",
"@source": "NVD"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2021-20827",
"@id": "CVE-2021-20827",
"@source": "NVD"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2021-37400",
"@id": "CVE-2021-37400",
"@source": "NVD"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2021-37401",
"@id": "CVE-2021-37401",
"@source": "NVD"
},
{
"#text": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-006-03",
"@id": "ICSA-22-006-03",
"@source": "ICS-CERT ADVISORY"
},
{
"#text": "https://cwe.mitre.org/data/definitions/256.html",
"@id": "CWE-256",
"@title": "Unprotected Storage of Credentials(CWE-256)"
},
{
"#text": "https://cwe.mitre.org/data/definitions/523.html",
"@id": "CWE-523",
"@title": "Unprotected Transport of Credentials(CWE-523)"
}
],
"title": "Multiple vulnerabilities in IDEC PLCs"
}