Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2021-22767 (GCVE-0-2021-22767)
Vulnerability from cvelistv5 – Published: 2021-06-11 15:40 – Updated: 2024-08-03 18:51 Unsupported When Assigned
VLAI?
EPSS
Summary
A CWE-20: Improper Input Validation vulnerability exists in PowerLogic EGX100 (Versions 3.0.0 and newer) and PowerLogic EGX300 (All Versions) that could cause denial of service or remote code execution via a specially crafted HTTP packet.This CVE ID is unique from CVE-2021-2276
Severity ?
No CVSS data available.
CWE
- CWE-20 - Improper Input Validation
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | PowerLogic EGX100 (Versions 3.0.0 and newer) and PowerLogic EGX300 (All Versions) |
Affected:
PowerLogic EGX100 (Versions 3.0.0 and newer) and PowerLogic EGX300 (All Versions)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T18:51:07.595Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-159-03"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "PowerLogic EGX100 (Versions 3.0.0 and newer) and PowerLogic EGX300 (All Versions)",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "PowerLogic EGX100 (Versions 3.0.0 and newer) and PowerLogic EGX300 (All Versions)"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A CWE-20: Improper Input Validation vulnerability exists in PowerLogic EGX100 (Versions 3.0.0 and newer) and PowerLogic EGX300 (All Versions) that could cause denial of service or remote code execution via a specially crafted HTTP packet.This CVE ID is unique from CVE-2021-2276"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-06-11T15:40:47.000Z",
"orgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb",
"shortName": "schneider"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "http://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-159-03"
}
],
"tags": [
"unsupported-when-assigned"
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cybersecurity@schneider-electric.com",
"ID": "CVE-2021-22767",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "PowerLogic EGX100 (Versions 3.0.0 and newer) and PowerLogic EGX300 (All Versions)",
"version": {
"version_data": [
{
"version_value": "PowerLogic EGX100 (Versions 3.0.0 and newer) and PowerLogic EGX300 (All Versions)"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "** UNSUPPORTED WHEN ASSIGNED ** A CWE-20: Improper Input Validation vulnerability exists in PowerLogic EGX100 (Versions 3.0.0 and newer) and PowerLogic EGX300 (All Versions) that could cause denial of service or remote code execution via a specially crafted HTTP packet.This CVE ID is unique from CVE-2021-22768"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-20: Improper Input Validation"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-159-03",
"refsource": "MISC",
"url": "http://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-159-03"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb",
"assignerShortName": "schneider",
"cveId": "CVE-2021-22767",
"datePublished": "2021-06-11T15:40:47.000Z",
"dateReserved": "2021-01-06T00:00:00.000Z",
"dateUpdated": "2024-08-03T18:51:07.595Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"fkie_nvd": {
"configurations": "[{\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:schneider-electric:powerlogic_egx100_firmware:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"3.0.0\", \"matchCriteriaId\": \"29A55C4C-0D14-4C55-ABBC-83280E221DE3\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": false, \"criteria\": \"cpe:2.3:h:schneider-electric:powerlogic_egx100:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"FE28A3BC-AD07-48F1-9DB9-65616A9399B5\"}]}]}, {\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:schneider-electric:powerlogic_egx300_firmware:*:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"9CB9B239-F219-4DF4-B53B-4DCE38F3205F\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": false, \"criteria\": \"cpe:2.3:h:schneider-electric:powerlogic_egx300:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"59A033CD-1DBC-44A4-9C56-1F97C3F40C6F\"}]}]}]",
"cveTags": "[{\"sourceIdentifier\": \"cybersecurity@se.com\", \"tags\": [\"unsupported-when-assigned\"]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"A CWE-20: Improper Input Validation vulnerability exists in PowerLogic EGX100 (Versions 3.0.0 and newer) and PowerLogic EGX300 (All Versions) that could cause denial of service or remote code execution via a specially crafted HTTP packet.This CVE ID is unique from CVE-2021-2276\"}, {\"lang\": \"es\", \"value\": \"** NO COMPATIBLE CUANDO SE ASIGN\\u00d3 ** UN CWE-20: Se presenta una vulnerabilidad de comprobaci\\u00f3n inapropiada de la entrada en PowerLogic EGX100 (versiones 3.0.0 y posteriores) y PowerLogic EGX300 (todas las versiones) que podr\\u00eda causar una denegaci\\u00f3n de servicio o una ejecuci\\u00f3n de c\\u00f3digo remota por medio de un paquete HTTP especialmente dise\\u00f1ado. Este ID de CVE es diferente de CVE-2021-22768\"}]",
"id": "CVE-2021-22767",
"lastModified": "2024-11-21T05:50:37.657",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 9.8, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 5.9}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:N/C:P/I:P/A:P\", \"baseScore\": 7.5, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"HIGH\", \"exploitabilityScore\": 10.0, \"impactScore\": 6.4, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
"published": "2021-06-11T16:15:10.593",
"references": "[{\"url\": \"http://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-159-03\", \"source\": \"cybersecurity@se.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-159-03\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}]",
"sourceIdentifier": "cybersecurity@se.com",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"cybersecurity@se.com\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-20\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2021-22767\",\"sourceIdentifier\":\"cybersecurity@se.com\",\"published\":\"2021-06-11T16:15:10.593\",\"lastModified\":\"2024-11-21T05:50:37.657\",\"vulnStatus\":\"Modified\",\"cveTags\":[{\"sourceIdentifier\":\"cybersecurity@se.com\",\"tags\":[\"unsupported-when-assigned\"]}],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A CWE-20: Improper Input Validation vulnerability exists in PowerLogic EGX100 (Versions 3.0.0 and newer) and PowerLogic EGX300 (All Versions) that could cause denial of service or remote code execution via a specially crafted HTTP packet.This CVE ID is unique from CVE-2021-2276\"},{\"lang\":\"es\",\"value\":\"** NO COMPATIBLE CUANDO SE ASIGN\u00d3 ** UN CWE-20: Se presenta una vulnerabilidad de comprobaci\u00f3n inapropiada de la entrada en PowerLogic EGX100 (versiones 3.0.0 y posteriores) y PowerLogic EGX300 (todas las versiones) que podr\u00eda causar una denegaci\u00f3n de servicio o una ejecuci\u00f3n de c\u00f3digo remota por medio de un paquete HTTP especialmente dise\u00f1ado. Este ID de CVE es diferente de CVE-2021-22768\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:P/A:P\",\"baseScore\":7.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":10.0,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"cybersecurity@se.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-20\"}]}],\"configurations\":[{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:schneider-electric:powerlogic_egx100_firmware:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"3.0.0\",\"matchCriteriaId\":\"29A55C4C-0D14-4C55-ABBC-83280E221DE3\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:schneider-electric:powerlogic_egx100:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"FE28A3BC-AD07-48F1-9DB9-65616A9399B5\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:schneider-electric:powerlogic_egx300_firmware:*:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"9CB9B239-F219-4DF4-B53B-4DCE38F3205F\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:schneider-electric:powerlogic_egx300:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"59A033CD-1DBC-44A4-9C56-1F97C3F40C6F\"}]}]}],\"references\":[{\"url\":\"http://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-159-03\",\"source\":\"cybersecurity@se.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-159-03\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}"
}
}
GHSA-88CQ-9HM3-V7FF
Vulnerability from github – Published: 2022-05-24 19:05 – Updated: 2024-03-21 03:34
VLAI?
Details
** UNSUPPORTED WHEN ASSIGNED ** A CWE-20: Improper Input Validation vulnerability exists in PowerLogic EGX100 (Versions 3.0.0 and newer) and PowerLogic EGX300 (All Versions) that could cause denial of service or remote code execution via a specially crafted HTTP packet.This CVE ID is unique from CVE-2021-22768
Severity ?
9.8 (Critical)
{
"affected": [],
"aliases": [
"CVE-2021-22767"
],
"database_specific": {
"cwe_ids": [
"CWE-20"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-06-11T16:15:00Z",
"severity": "CRITICAL"
},
"details": "** UNSUPPORTED WHEN ASSIGNED ** A CWE-20: Improper Input Validation vulnerability exists in PowerLogic EGX100 (Versions 3.0.0 and newer) and PowerLogic EGX300 (All Versions) that could cause denial of service or remote code execution via a specially crafted HTTP packet.This CVE ID is unique from CVE-2021-22768",
"id": "GHSA-88cq-9hm3-v7ff",
"modified": "2024-03-21T03:34:04Z",
"published": "2022-05-24T19:05:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22767"
},
{
"type": "WEB",
"url": "http://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-159-03"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
SEVD-2021-159-03
Vulnerability from csaf_se - Published: 2021-06-08 00:00 - Updated: 2021-06-08 00:00Summary
PowerLogic EGX100 and PowerLogicEGX300
Notes
General Security Recommendations: We strongly recommend the following industry cybersecurity best practices.
https://www.se.com/us/en/download/document/7EN52-0390/
* Locate control and safety system networks and remote devices behind firewalls and isolate them from the business network.
* Install physical controls so no unauthorized personnel can access your industrial control and safety systems, components, peripheral equipment, and networks.
* Place all controllers in locked cabinets and never leave them in the “Program” mode.
* Never connect programming software to any network other than the network intended for that device.
* Scan all methods of mobile data exchange with the isolated network such as CDs, USB drives, etc. before use in the terminals or any node connected to these networks.
* Never allow mobile devices that have connected to any other network besides the intended network to connect to the safety or control networks without proper sanitation.
* Minimize network exposure for all control system devices and systems and ensure that they are not accessible from the Internet.
* When remote access is required, use secure methods, such as Virtual Private Networks (VPNs). Recognize that VPNs may have vulnerabilities and should be updated to the most current version available. Also, understand that VPNs are only as secure as the connected devices.
For more information refer to the Schneider Electric Recommended Cybersecurity Best Practices document.
For More Information: This document provides an overview of the identified vulnerability or vulnerabilities and actions required to mitigate. For more details and assistance on how to protect your installation, contact your local Schneider Electric representative or Schneider Electric Industrial Cybersecurity Services: https://www.se.com/ww/en/work/solutions/cybersecurity/. These organizations will be fully aware of this situation and can support you through the process.
For further information related to cybersecurity in Schneider Electric’s products, visit the company’s cybersecurity support portal page: https://www.se.com/ww/en/work/support/cybersecurity/overview.jsp
LEGAL DISCLAIMER: THIS NOTIFICATION DOCUMENT, THE INFORMATION CONTAINED HEREIN, AND ANY MATERIALS LINKED FROM IT (COLLECTIVELY, THIS “NOTIFICATION”) ARE INTENDED TO HELP PROVIDE AN OVERVIEW OF THE IDENTIFIED SITUATION AND SUGGESTED MITIGATION ACTIONS, REMEDIATION, FIX, AND/OR GENERAL SECURITY RECOMMENDATIONS AND IS PROVIDED ON AN “AS-IS” BASIS WITHOUT WARRANTY OR GUARANTEE OF ANY KIND. SCHNEIDER ELECTRIC DISCLAIMS ALL WARRANTIES RELATING TO THIS NOTIFICATION, EITHER EXPRESS OR IMPLIED, INCLUDING WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. SCHNEIDER ELECTRIC MAKES NO WARRANTY THAT THE NOTIFICATION WILL RESOLVE THE IDENTIFIED SITUATION. IN NO EVENT SHALL SCHNEIDER ELECTRIC BE LIABLE FOR ANY DAMAGES OR LOSSES WHATSOEVER IN CONNECTION WITH THIS NOTIFICATION, INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF SCHNEIDER ELECTRIC HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. YOUR USE OF THIS NOTIFICATION IS AT YOUR OWN RISK, AND YOU ARE SOLELY LIABLE FOR ANY DAMAGES TO YOUR SYSTEMS OR ASSETS OR OTHER LOSSES THAT MAY RESULT FROM YOUR USE OF THIS NOTIFICATION. SCHNEIDER ELECTRIC RESERVES THE RIGHT TO UPDATE OR CHANGE THIS NOTIFICATION AT ANY TIME AND IN ITS SOLE DISCRETION
About Schneider Electric: At Schneider, we believe access to energy and digital is a basic human right. We empower all to do more with less, ensuring Life Is On everywhere, for everyone, at every moment.
We provide energy and automation digital solutions for efficiency and sustainability. We combine world-leading energy technologies, real-time automation, software and services into integrated solutions for Homes, Buildings, Data Centers, Infrastructure and Industries.
We are committed to unleash the infinite possibilities of an open, global, innovative community that is passionate with our Meaningful Purpose, Inclusive and Empowered values.
www.se.com
Overview: Schneider Electric is aware of multiple vulnerabilities in its PowerLogic EGX100 and EGX300
products.
The PowerLogic EGX100 and EGX300 are communication gateway devices.
Failure to apply the mitigations provided below may risk denial of service or remote code
execution, which could result in loss of device functionality.
CWE-640: Weak Password Recovery Mechanism for Forgotten Password vulnerability exists that could allow an attacker administrator level access to a device.
8.1 (High)
Mitigation
PowerLogic EGX100 and EGX300 Products have reached end of service and are no longer
supported. Customers should consider blocking HTTP access to the device at the firewall level
once commissioning is complete to reduce the risk of exposure. Additionally, Customers should
ensure the General security Recommendations listed below are in place.
Customers should also consider replacing the device with a supported product to resolve this
issue. Please contact your local Schneider Electric sales representative for upgrade options.
CWE-287: Improper Authentication vulnerability exists that could cause loss of connectivity to the device via Modbus TCP protocol when an attacker sends a specially crafted HTTP request.
5.3 (Medium)
Mitigation
PowerLogic EGX100 and EGX300 Products have reached end of service and are no longer
supported. Customers should consider blocking HTTP access to the device at the firewall level
once commissioning is complete to reduce the risk of exposure. Additionally, Customers should
ensure the General security Recommendations listed below are in place.
Customers should also consider replacing the device with a supported product to resolve this
issue. Please contact your local Schneider Electric sales representative for upgrade options.
CWE-20: Improper Input Validation vulnerability exists that could cause denial of service or remote code execution via a specially crafted HTTP packet.
9.8 (Critical)
Mitigation
PowerLogic EGX100 and EGX300 Products have reached end of service and are no longer
supported. Customers should consider blocking HTTP access to the device at the firewall level
once commissioning is complete to reduce the risk of exposure. Additionally, Customers should
ensure the General security Recommendations listed below are in place.
Customers should also consider replacing the device with a supported product to resolve this
issue. Please contact your local Schneider Electric sales representative for upgrade options.
CWE-20: Improper Input Validation vulnerability exists that could cause denial of service via a specially crafted HTTP packet.
7.5 (High)
Mitigation
PowerLogic EGX100 and EGX300 Products have reached end of service and are no longer
supported. Customers should consider blocking HTTP access to the device at the firewall level
once commissioning is complete to reduce the risk of exposure. Additionally, Customers should
ensure the General security Recommendations listed below are in place.
Customers should also consider replacing the device with a supported product to resolve this
issue. Please contact your local Schneider Electric sales representative for upgrade options.
CWE-20: Improper Input Validation vulnerability exists that could cause denial of service or remote code execution via a specially crafted HTTP packet.
9.8 (Critical)
Mitigation
PowerLogic EGX100 and EGX300 Products have reached end of service and are no longer
supported. Customers should consider blocking HTTP access to the device at the firewall level
once commissioning is complete to reduce the risk of exposure. Additionally, Customers should
ensure the General security Recommendations listed below are in place.
Customers should also consider replacing the device with a supported product to resolve this
issue. Please contact your local Schneider Electric sales representative for upgrade options.
CWE-20: Improper Input Validation vulnerability exists that could cause denial of service or remote code execution via a specially crafted HTTP packet.
9.8 (Critical)
Mitigation
PowerLogic EGX100 and EGX300 Products have reached end of service and are no longer
supported. Customers should consider blocking HTTP access to the device at the firewall level
once commissioning is complete to reduce the risk of exposure. Additionally, Customers should
ensure the General security Recommendations listed below are in place.
Customers should also consider replacing the device with a supported product to resolve this
issue. Please contact your local Schneider Electric sales representative for upgrade options.
References
Acknowledgments
Dragos
Jacob Baines
{
"document": {
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Public",
"tlp": {
"label": "WHITE"
}
},
"lang": "en-US",
"notes": [
{
"category": "general",
"text": "We strongly recommend the following industry cybersecurity best practices.\n\nhttps://www.se.com/us/en/download/document/7EN52-0390/\n* Locate control and safety system networks and remote devices behind firewalls and isolate them from the business network.\n* Install physical controls so no unauthorized personnel can access your industrial control and safety systems, components, peripheral equipment, and networks.\n* Place all controllers in locked cabinets and never leave them in the \u201cProgram\u201d mode.\n* Never connect programming software to any network other than the network intended for that device.\n* Scan all methods of mobile data exchange with the isolated network such as CDs, USB drives, etc. before use in the terminals or any node connected to these networks.\n* Never allow mobile devices that have connected to any other network besides the intended network to connect to the safety or control networks without proper sanitation.\n* Minimize network exposure for all control system devices and systems and ensure that they are not accessible from the Internet.\n* When remote access is required, use secure methods, such as Virtual Private Networks (VPNs). Recognize that VPNs may have vulnerabilities and should be updated to the most current version available. Also, understand that VPNs are only as secure as the connected devices.\nFor more information refer to the Schneider Electric Recommended Cybersecurity Best Practices document. \n",
"title": "General Security Recommendations"
},
{
"category": "general",
"text": "This document provides an overview of the identified vulnerability or vulnerabilities and actions required to mitigate. For more details and assistance on how to protect your installation, contact your local Schneider Electric representative or Schneider Electric Industrial Cybersecurity Services: https://www.se.com/ww/en/work/solutions/cybersecurity/. These organizations will be fully aware of this situation and can support you through the process.\nFor further information related to cybersecurity in Schneider Electric\u2019s products, visit the company\u2019s cybersecurity support portal page: https://www.se.com/ww/en/work/support/cybersecurity/overview.jsp",
"title": "For More Information"
},
{
"category": "legal_disclaimer",
"text": "THIS NOTIFICATION DOCUMENT, THE INFORMATION CONTAINED HEREIN, AND ANY MATERIALS LINKED FROM IT (COLLECTIVELY, THIS \u201cNOTIFICATION\u201d) ARE INTENDED TO HELP PROVIDE AN OVERVIEW OF THE IDENTIFIED SITUATION AND SUGGESTED MITIGATION ACTIONS, REMEDIATION, FIX, AND/OR GENERAL SECURITY RECOMMENDATIONS AND IS PROVIDED ON AN \u201cAS-IS\u201d BASIS WITHOUT WARRANTY OR GUARANTEE OF ANY KIND. SCHNEIDER ELECTRIC DISCLAIMS ALL WARRANTIES RELATING TO THIS NOTIFICATION, EITHER EXPRESS OR IMPLIED, INCLUDING WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. SCHNEIDER ELECTRIC MAKES NO WARRANTY THAT THE NOTIFICATION WILL RESOLVE THE IDENTIFIED SITUATION. IN NO EVENT SHALL SCHNEIDER ELECTRIC BE LIABLE FOR ANY DAMAGES OR LOSSES WHATSOEVER IN CONNECTION WITH THIS NOTIFICATION, INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF SCHNEIDER ELECTRIC HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. YOUR USE OF THIS NOTIFICATION IS AT YOUR OWN RISK, AND YOU ARE SOLELY LIABLE FOR ANY DAMAGES TO YOUR SYSTEMS OR ASSETS OR OTHER LOSSES THAT MAY RESULT FROM YOUR USE OF THIS NOTIFICATION. SCHNEIDER ELECTRIC RESERVES THE RIGHT TO UPDATE OR CHANGE THIS NOTIFICATION AT ANY TIME AND IN ITS SOLE DISCRETION",
"title": "LEGAL DISCLAIMER"
},
{
"category": "general",
"text": "At Schneider, we believe access to energy and digital is a basic human right. We empower all to do more with less, ensuring Life Is On everywhere, for everyone, at every moment.\n\nWe provide energy and automation digital solutions for efficiency and sustainability. We combine world-leading energy technologies, real-time automation, software and services into integrated solutions for Homes, Buildings, Data Centers, Infrastructure and Industries.\n\nWe are committed to unleash the infinite possibilities of an open, global, innovative community that is passionate with our Meaningful Purpose, Inclusive and Empowered values.\n\nwww.se.com ",
"title": "About Schneider Electric"
},
{
"category": "summary",
"text": "Schneider Electric is aware of multiple vulnerabilities in its PowerLogic EGX100 and EGX300\r\nproducts. \r\nThe PowerLogic EGX100 and EGX300 are communication gateway devices. \r\nFailure to apply the mitigations provided below may risk denial of service or remote code \r\nexecution, which could result in loss of device functionality.\r",
"title": "Overview"
}
],
"publisher": {
"category": "vendor",
"contact_details": "cpcert@se.com",
"name": "Schneider Electric CPCERT",
"namespace": "https://www.se.com/ww/en/work/support/cybersecurity/security-notifications.jsp"
},
"references": [
{
"category": "self",
"summary": "PowerLogic EGX100 and PowerLogicEGX300 - SEVD-2021-159-03 PDF Version",
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-159-03\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2021-159-03_PowerLogic_EGX100_and_EGX300_Security_Notification.pdf"
},
{
"category": "self",
"summary": "PowerLogic EGX100 and PowerLogicEGX300 - SEVD-2021-159-03 CSAF Version",
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-159-03\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=sevd-2021-159-03.json"
},
{
"category": "external",
"summary": "Recommended Cybersecurity Best Practices",
"url": "https://www.se.com/us/en/download/document/7EN52-0390/"
}
],
"title": "PowerLogic EGX100 and PowerLogicEGX300",
"tracking": {
"current_release_date": "2021-06-08T00:00:00.000Z",
"generator": {
"date": "2021-06-08T00:00:00Z",
"engine": {
"name": "Schneider Electric CSAF Generator",
"version": "1.2"
}
},
"id": "SEVD-2021-159-03",
"initial_release_date": "2021-06-08T00:00:00.000Z",
"revision_history": [
{
"date": "2021-06-08T00:00:00.000Z",
"number": "1.0.0",
"summary": "Original Release"
}
],
"status": "final",
"version": "1.0.0"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "vers:all/*",
"product": {
"name": "Schneider Electric EGX100 All Versions",
"product_id": "1"
}
}
],
"category": "product_name",
"name": "EGX100"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003e=3.0.0",
"product": {
"name": "Schneider Electric EGX100 Versions 3.0.0 and newer",
"product_id": "2"
}
}
],
"category": "product_name",
"name": "EGX100"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:all/*",
"product": {
"name": "Schneider Electric EGX300 All Versions",
"product_id": "3"
}
}
],
"category": "product_name",
"name": "EGX300"
}
],
"category": "vendor",
"name": "Schneider Electric"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Jacob Baines"
],
"organization": "Dragos"
}
],
"cve": "CVE-2021-22763",
"cwe": {
"id": "CWE-640",
"name": "Weak Password Recovery Mechanism for Forgotten Password"
},
"notes": [
{
"category": "description",
"text": "CWE-640: Weak Password Recovery Mechanism for Forgotten Password vulnerability \r\nexists that could allow an attacker administrator level access to a device.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"3"
]
},
"remediations": [
{
"category": "mitigation",
"details": "PowerLogic EGX100 and EGX300 Products have reached end of service and are no longer \r\nsupported. Customers should consider blocking HTTP access to the device at the firewall level \r\nonce commissioning is complete to reduce the risk of exposure. Additionally, Customers should \r\nensure the General security Recommendations listed below are in place.\r\nCustomers should also consider replacing the device with a supported product to resolve this \r\nissue. Please contact your local Schneider Electric sales representative for upgrade options.",
"product_ids": [
"1",
"3"
],
"restart_required": {
"category": "none"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1",
"3"
]
}
],
"title": "CVE-2021-22763"
},
{
"acknowledgments": [
{
"names": [
"Jacob Baines"
],
"organization": "Dragos"
}
],
"cve": "CVE-2021-22764",
"cwe": {
"id": "CWE-287",
"name": "Improper Authentication"
},
"notes": [
{
"category": "description",
"text": "CWE-287: Improper Authentication vulnerability exists that could cause loss of connectivity to \r\nthe device via Modbus TCP protocol when an attacker sends a specially crafted HTTP request.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"2",
"3"
]
},
"remediations": [
{
"category": "mitigation",
"details": "PowerLogic EGX100 and EGX300 Products have reached end of service and are no longer \r\nsupported. Customers should consider blocking HTTP access to the device at the firewall level \r\nonce commissioning is complete to reduce the risk of exposure. Additionally, Customers should \r\nensure the General security Recommendations listed below are in place.\r\nCustomers should also consider replacing the device with a supported product to resolve this \r\nissue. Please contact your local Schneider Electric sales representative for upgrade options.",
"product_ids": [
"2",
"3"
],
"restart_required": {
"category": "none"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"2",
"3"
]
}
],
"title": "CVE-2021-22764"
},
{
"acknowledgments": [
{
"names": [
"Jacob Baines"
],
"organization": "Dragos"
}
],
"cve": "CVE-2021-22765",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "CWE-20: Improper Input Validation vulnerability exists that could cause denial of service or \r\nremote code execution via a specially crafted HTTP packet.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"2",
"3"
]
},
"remediations": [
{
"category": "mitigation",
"details": "PowerLogic EGX100 and EGX300 Products have reached end of service and are no longer \r\nsupported. Customers should consider blocking HTTP access to the device at the firewall level \r\nonce commissioning is complete to reduce the risk of exposure. Additionally, Customers should \r\nensure the General security Recommendations listed below are in place.\r\nCustomers should also consider replacing the device with a supported product to resolve this \r\nissue. Please contact your local Schneider Electric sales representative for upgrade options.",
"product_ids": [
"2",
"3"
],
"restart_required": {
"category": "none"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"2",
"3"
]
}
],
"title": "CVE-2021-22765"
},
{
"acknowledgments": [
{
"names": [
"Jacob Baines"
],
"organization": "Dragos"
}
],
"cve": "CVE-2021-22766",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "CWE-20: Improper Input Validation vulnerability exists that could cause denial of service via a \r\nspecially crafted HTTP packet.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"2",
"3"
]
},
"remediations": [
{
"category": "mitigation",
"details": "PowerLogic EGX100 and EGX300 Products have reached end of service and are no longer \r\nsupported. Customers should consider blocking HTTP access to the device at the firewall level \r\nonce commissioning is complete to reduce the risk of exposure. Additionally, Customers should \r\nensure the General security Recommendations listed below are in place.\r\nCustomers should also consider replacing the device with a supported product to resolve this \r\nissue. Please contact your local Schneider Electric sales representative for upgrade options.",
"product_ids": [
"2",
"3"
],
"restart_required": {
"category": "none"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"2",
"3"
]
}
],
"title": "CVE-2021-22766"
},
{
"acknowledgments": [
{
"names": [
"Jacob Baines"
],
"organization": "Dragos"
}
],
"cve": "CVE-2021-22767",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "CWE-20: Improper Input Validation vulnerability exists that could cause denial of service or \r\nremote code execution via a specially crafted HTTP packet.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"2",
"3"
]
},
"remediations": [
{
"category": "mitigation",
"details": "PowerLogic EGX100 and EGX300 Products have reached end of service and are no longer \r\nsupported. Customers should consider blocking HTTP access to the device at the firewall level \r\nonce commissioning is complete to reduce the risk of exposure. Additionally, Customers should \r\nensure the General security Recommendations listed below are in place.\r\nCustomers should also consider replacing the device with a supported product to resolve this \r\nissue. Please contact your local Schneider Electric sales representative for upgrade options.",
"product_ids": [
"2",
"3"
],
"restart_required": {
"category": "none"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"2",
"3"
]
}
],
"title": "CVE-2021-22767"
},
{
"acknowledgments": [
{
"names": [
"Jacob Baines"
],
"organization": "Dragos"
}
],
"cve": "CVE-2021-22768",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "CWE-20: Improper Input Validation vulnerability exists that could cause denial of service or \r\nremote code execution via a specially crafted HTTP packet. ",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"2",
"3"
]
},
"remediations": [
{
"category": "mitigation",
"details": "PowerLogic EGX100 and EGX300 Products have reached end of service and are no longer \r\nsupported. Customers should consider blocking HTTP access to the device at the firewall level \r\nonce commissioning is complete to reduce the risk of exposure. Additionally, Customers should \r\nensure the General security Recommendations listed below are in place.\r\nCustomers should also consider replacing the device with a supported product to resolve this \r\nissue. Please contact your local Schneider Electric sales representative for upgrade options.",
"product_ids": [
"2",
"3"
],
"restart_required": {
"category": "none"
}
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"2",
"3"
]
}
],
"title": "CVE-2021-22768"
}
]
}
CNVD-2021-46281
Vulnerability from cnvd - Published: 2021-07-01
VLAI Severity ?
Title
Schneider Electric PowerLogic输入验证错误漏洞(CNVD-2021-46281)
Description
Schneider Electric PowerLogic是法国施耐德电气(Schneider Electric)公司的一个工控设备。提供提高功率因数来提高电源质量,排除电源故障,从而保护网络、装置和操作员。
Schneider Electric PowerLogic EGX100和EGX100存在输入验证错误漏洞,攻击者可利用该漏洞导致拒绝服务或通过特殊制作的HTTP包远程代码执行。
Severity
高
Patch Name
Schneider Electric PowerLogic输入验证错误漏洞(CNVD-2021-46281)的补丁
Patch Description
Schneider Electric PowerLogic是法国施耐德电气(Schneider Electric)公司的一个工控设备。提供提高功率因数来提高电源质量,排除电源故障,从而保护网络、装置和操作员。
Schneider Electric PowerLogic EGX100和EGX100存在输入验证错误漏洞,攻击者可利用该漏洞导致拒绝服务或通过特殊制作的HTTP包远程代码执行。目前,供应商发布了安全公告及相关补丁信息,修复了此漏洞。
Formal description
目前厂商已发布升级补丁以修复漏洞,补丁获取链接: http://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-159-03
Reference
http://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-159-03
Impacted products
| Name | ['Schneider Electric PowerLogic EGX100 >=3.0.0', 'Schneider Electric PowerLogic EGX300 null'] |
|---|
{
"cves": {
"cve": {
"cveNumber": "CVE-2021-22767",
"cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2021-22767"
}
},
"description": "Schneider Electric PowerLogic\u662f\u6cd5\u56fd\u65bd\u8010\u5fb7\u7535\u6c14\uff08Schneider Electric\uff09\u516c\u53f8\u7684\u4e00\u4e2a\u5de5\u63a7\u8bbe\u5907\u3002\u63d0\u4f9b\u63d0\u9ad8\u529f\u7387\u56e0\u6570\u6765\u63d0\u9ad8\u7535\u6e90\u8d28\u91cf\uff0c\u6392\u9664\u7535\u6e90\u6545\u969c\uff0c\u4ece\u800c\u4fdd\u62a4\u7f51\u7edc\u3001\u88c5\u7f6e\u548c\u64cd\u4f5c\u5458\u3002\n\nSchneider Electric PowerLogic EGX100\u548cEGX100\u5b58\u5728\u8f93\u5165\u9a8c\u8bc1\u9519\u8bef\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5bfc\u81f4\u62d2\u7edd\u670d\u52a1\u6216\u901a\u8fc7\u7279\u6b8a\u5236\u4f5c\u7684HTTP\u5305\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u3002",
"formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttp://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-159-03",
"isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
"number": "CNVD-2021-46281",
"openTime": "2021-07-01",
"patchDescription": "Schneider Electric PowerLogic\u662f\u6cd5\u56fd\u65bd\u8010\u5fb7\u7535\u6c14\uff08Schneider Electric\uff09\u516c\u53f8\u7684\u4e00\u4e2a\u5de5\u63a7\u8bbe\u5907\u3002\u63d0\u4f9b\u63d0\u9ad8\u529f\u7387\u56e0\u6570\u6765\u63d0\u9ad8\u7535\u6e90\u8d28\u91cf\uff0c\u6392\u9664\u7535\u6e90\u6545\u969c\uff0c\u4ece\u800c\u4fdd\u62a4\u7f51\u7edc\u3001\u88c5\u7f6e\u548c\u64cd\u4f5c\u5458\u3002\r\n\r\nSchneider Electric PowerLogic EGX100\u548cEGX100\u5b58\u5728\u8f93\u5165\u9a8c\u8bc1\u9519\u8bef\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5bfc\u81f4\u62d2\u7edd\u670d\u52a1\u6216\u901a\u8fc7\u7279\u6b8a\u5236\u4f5c\u7684HTTP\u5305\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
"patchName": "Schneider Electric PowerLogic\u8f93\u5165\u9a8c\u8bc1\u9519\u8bef\u6f0f\u6d1e\uff08CNVD-2021-46281\uff09\u7684\u8865\u4e01",
"products": {
"product": [
"Schneider Electric PowerLogic EGX100 \u003e=3.0.0",
"Schneider Electric PowerLogic EGX300 null"
]
},
"referenceLink": "http://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-159-03",
"serverity": "\u9ad8",
"submitTime": "2021-06-17",
"title": "Schneider Electric PowerLogic\u8f93\u5165\u9a8c\u8bc1\u9519\u8bef\u6f0f\u6d1e\uff08CNVD-2021-46281\uff09"
}
FKIE_CVE-2021-22767
Vulnerability from fkie_nvd - Published: 2021-06-11 16:15 - Updated: 2024-11-21 05:50
Severity ?
Summary
A CWE-20: Improper Input Validation vulnerability exists in PowerLogic EGX100 (Versions 3.0.0 and newer) and PowerLogic EGX300 (All Versions) that could cause denial of service or remote code execution via a specially crafted HTTP packet.This CVE ID is unique from CVE-2021-2276
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:schneider-electric:powerlogic_egx100_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "29A55C4C-0D14-4C55-ABBC-83280E221DE3",
"versionStartIncluding": "3.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:schneider-electric:powerlogic_egx100:-:*:*:*:*:*:*:*",
"matchCriteriaId": "FE28A3BC-AD07-48F1-9DB9-65616A9399B5",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:schneider-electric:powerlogic_egx300_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9CB9B239-F219-4DF4-B53B-4DCE38F3205F",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:schneider-electric:powerlogic_egx300:-:*:*:*:*:*:*:*",
"matchCriteriaId": "59A033CD-1DBC-44A4-9C56-1F97C3F40C6F",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [
{
"sourceIdentifier": "cybersecurity@se.com",
"tags": [
"unsupported-when-assigned"
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A CWE-20: Improper Input Validation vulnerability exists in PowerLogic EGX100 (Versions 3.0.0 and newer) and PowerLogic EGX300 (All Versions) that could cause denial of service or remote code execution via a specially crafted HTTP packet.This CVE ID is unique from CVE-2021-2276"
},
{
"lang": "es",
"value": "** NO COMPATIBLE CUANDO SE ASIGN\u00d3 ** UN CWE-20: Se presenta una vulnerabilidad de comprobaci\u00f3n inapropiada de la entrada en PowerLogic EGX100 (versiones 3.0.0 y posteriores) y PowerLogic EGX300 (todas las versiones) que podr\u00eda causar una denegaci\u00f3n de servicio o una ejecuci\u00f3n de c\u00f3digo remota por medio de un paquete HTTP especialmente dise\u00f1ado. Este ID de CVE es diferente de CVE-2021-22768"
}
],
"id": "CVE-2021-22767",
"lastModified": "2024-11-21T05:50:37.657",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-06-11T16:15:10.593",
"references": [
{
"source": "cybersecurity@se.com",
"tags": [
"Vendor Advisory"
],
"url": "http://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-159-03"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-159-03"
}
],
"sourceIdentifier": "cybersecurity@se.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "cybersecurity@se.com",
"type": "Secondary"
}
]
}
GSD-2021-22767
Vulnerability from gsd - Updated: 2023-12-13 01:23Details
** UNSUPPORTED WHEN ASSIGNED ** A CWE-20: Improper Input Validation vulnerability exists in PowerLogic EGX100 (Versions 3.0.0 and newer) and PowerLogic EGX300 (All Versions) that could cause denial of service or remote code execution via a specially crafted HTTP packet.This CVE ID is unique from CVE-2021-22768
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2021-22767",
"description": "** UNSUPPORTED WHEN ASSIGNED ** A CWE-20: Improper Input Validation vulnerability exists in PowerLogic EGX100 (Versions 3.0.0 and newer) and PowerLogic EGX300 (All Versions) that could cause denial of service or remote code execution via a specially crafted HTTP packet.This CVE ID is unique from CVE-2021-22768",
"id": "GSD-2021-22767"
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2021-22767"
],
"details": "** UNSUPPORTED WHEN ASSIGNED ** A CWE-20: Improper Input Validation vulnerability exists in PowerLogic EGX100 (Versions 3.0.0 and newer) and PowerLogic EGX300 (All Versions) that could cause denial of service or remote code execution via a specially crafted HTTP packet.This CVE ID is unique from CVE-2021-22768",
"id": "GSD-2021-22767",
"modified": "2023-12-13T01:23:24.176422Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "cybersecurity@schneider-electric.com",
"ID": "CVE-2021-22767",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "PowerLogic EGX100 (Versions 3.0.0 and newer) and PowerLogic EGX300 (All Versions)",
"version": {
"version_data": [
{
"version_value": "PowerLogic EGX100 (Versions 3.0.0 and newer) and PowerLogic EGX300 (All Versions)"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "** UNSUPPORTED WHEN ASSIGNED ** A CWE-20: Improper Input Validation vulnerability exists in PowerLogic EGX100 (Versions 3.0.0 and newer) and PowerLogic EGX300 (All Versions) that could cause denial of service or remote code execution via a specially crafted HTTP packet.This CVE ID is unique from CVE-2021-22768"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-20: Improper Input Validation"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-159-03",
"refsource": "MISC",
"url": "http://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-159-03"
}
]
}
},
"nvd.nist.gov": {
"cve": {
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:schneider-electric:powerlogic_egx100_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "29A55C4C-0D14-4C55-ABBC-83280E221DE3",
"versionStartIncluding": "3.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:schneider-electric:powerlogic_egx100:-:*:*:*:*:*:*:*",
"matchCriteriaId": "FE28A3BC-AD07-48F1-9DB9-65616A9399B5",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:schneider-electric:powerlogic_egx300_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9CB9B239-F219-4DF4-B53B-4DCE38F3205F",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:schneider-electric:powerlogic_egx300:-:*:*:*:*:*:*:*",
"matchCriteriaId": "59A033CD-1DBC-44A4-9C56-1F97C3F40C6F",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"descriptions": [
{
"lang": "en",
"value": "A CWE-20: Improper Input Validation vulnerability exists in PowerLogic EGX100 (Versions 3.0.0 and newer) and PowerLogic EGX300 (All Versions) that could cause denial of service or remote code execution via a specially crafted HTTP packet.This CVE ID is unique from CVE-2021-2276"
},
{
"lang": "es",
"value": "** NO COMPATIBLE CUANDO SE ASIGN\u00d3 ** UN CWE-20: Se presenta una vulnerabilidad de comprobaci\u00f3n inapropiada de la entrada en PowerLogic EGX100 (versiones 3.0.0 y posteriores) y PowerLogic EGX300 (todas las versiones) que podr\u00eda causar una denegaci\u00f3n de servicio o una ejecuci\u00f3n de c\u00f3digo remota por medio de un paquete HTTP especialmente dise\u00f1ado. Este ID de CVE es diferente de CVE-2021-22768"
}
],
"id": "CVE-2021-22767",
"lastModified": "2024-04-11T01:10:23.250",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-06-11T16:15:10.593",
"references": [
{
"source": "cybersecurity@se.com",
"tags": [
"Vendor Advisory"
],
"url": "http://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-159-03"
}
],
"sourceIdentifier": "cybersecurity@se.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "cybersecurity@se.com",
"type": "Primary"
}
]
}
}
}
}
CERTFR-2021-AVI-443
Vulnerability from certfr_avis - Published: - Updated:
De multiples vulnérabilités ont été découvertes dans les produits Schneider Electric. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un déni de service à distance et un contournement de la politique de sécurité.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Schneider Electric | N/A | Modicon X80 BMXNOR0200H RTU versions antérieures à SV1.70 IR22 | ||
| Schneider Electric | N/A | module Definition de IGSS (Interactive Graphical SCADA System) versions antérieures à 15.0.0.21141 | ||
| Schneider Electric | N/A | PowerLogic PM5560 et PM5563 versions antérieures à V2.7.8 | ||
| Schneider Electric | N/A | PowerLogic PM5561 et PM5562 versions antérieures à V2.5.4 | ||
| Schneider Electric | N/A | PowerLogic EGX100 et EGX300 (produits en fin de vie, aucun correctif n'est prévu) | ||
| Schneider Electric | N/A | PowerLogic PM8ECC toutes versions (produit en fin de vie, aucun correctif n'est prévu) | ||
| Schneider Electric | N/A | Enerlin’X Com’X versions antérieures à V6.8.4 | ||
| Schneider Electric | N/A | les produits Schneider Electric utilisant RockWell ISaGRAF (se référer au bulletin de sécurité SEVD-2021-159-04 de l'éditeur, cf. section Documentation) |
References
| Title | Publication Time | Tags | ||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Modicon X80 BMXNOR0200H RTU versions ant\u00e9rieures \u00e0 SV1.70 IR22",
"product": {
"name": "N/A",
"vendor": {
"name": "Schneider Electric",
"scada": true
}
}
},
{
"description": "module Definition de IGSS (Interactive Graphical SCADA System) versions ant\u00e9rieures \u00e0 15.0.0.21141",
"product": {
"name": "N/A",
"vendor": {
"name": "Schneider Electric",
"scada": true
}
}
},
{
"description": "PowerLogic PM5560 et PM5563 versions ant\u00e9rieures \u00e0 V2.7.8",
"product": {
"name": "N/A",
"vendor": {
"name": "Schneider Electric",
"scada": true
}
}
},
{
"description": "PowerLogic PM5561 et PM5562 versions ant\u00e9rieures \u00e0 V2.5.4",
"product": {
"name": "N/A",
"vendor": {
"name": "Schneider Electric",
"scada": true
}
}
},
{
"description": "PowerLogic EGX100 et EGX300 (produits en fin de vie, aucun correctif n\u0027est pr\u00e9vu)",
"product": {
"name": "N/A",
"vendor": {
"name": "Schneider Electric",
"scada": true
}
}
},
{
"description": "PowerLogic PM8ECC toutes versions (produit en fin de vie, aucun correctif n\u0027est pr\u00e9vu)",
"product": {
"name": "N/A",
"vendor": {
"name": "Schneider Electric",
"scada": true
}
}
},
{
"description": "Enerlin\u2019X Com\u2019X versions ant\u00e9rieures \u00e0 V6.8.4",
"product": {
"name": "N/A",
"vendor": {
"name": "Schneider Electric",
"scada": true
}
}
},
{
"description": "les produits Schneider Electric utilisant RockWell ISaGRAF (se r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 SEVD-2021-159-04 de l\u0027\u00e9diteur, cf. section Documentation)",
"product": {
"name": "N/A",
"vendor": {
"name": "Schneider Electric",
"scada": true
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2021-22753",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22753"
},
{
"name": "CVE-2021-22750",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22750"
},
{
"name": "CVE-2021-22763",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22763"
},
{
"name": "CVE-2021-22767",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22767"
},
{
"name": "CVE-2021-22754",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22754"
},
{
"name": "CVE-2021-22756",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22756"
},
{
"name": "CVE-2021-22765",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22765"
},
{
"name": "CVE-2021-22755",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22755"
},
{
"name": "CVE-2020-25176",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-25176"
},
{
"name": "CVE-2021-22764",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22764"
},
{
"name": "CVE-2020-25178",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-25178"
},
{
"name": "CVE-2021-22768",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22768"
},
{
"name": "CVE-2021-22749",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22749"
},
{
"name": "CVE-2021-22752",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22752"
},
{
"name": "CVE-2021-22760",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22760"
},
{
"name": "CVE-2020-25180",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-25180"
},
{
"name": "CVE-2021-22766",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22766"
},
{
"name": "CVE-2021-22761",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22761"
},
{
"name": "CVE-2021-22758",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22758"
},
{
"name": "CVE-2021-22769",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22769"
},
{
"name": "CVE-2020-25184",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-25184"
},
{
"name": "CVE-2021-22759",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22759"
},
{
"name": "CVE-2021-22751",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22751"
},
{
"name": "CVE-2021-22757",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22757"
},
{
"name": "CVE-2021-22762",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22762"
},
{
"name": "CVE-2020-25182",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-25182"
}
],
"links": [],
"reference": "CERTFR-2021-AVI-443",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2021-06-09T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans\u00a0les produits\nSchneider Electric. Certaines d\u0027entre elles permettent \u00e0 un attaquant de\nprovoquer une ex\u00e9cution de code arbitraire \u00e0 distance, un d\u00e9ni de\nservice \u00e0 distance et un contournement de la politique de s\u00e9curit\u00e9.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Schneider Electric",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Schneider Electric SEVD-2021-159-03 du 08 juin 2021",
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-159-03"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Schneider Electric SEVD-2021-159-04 du 08 juin 2021",
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-159-04"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Schneider Electric SEVD-2021-159-05 du 08 juin 2021",
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-159-05"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Schneider Electric SEVD-2021-159-01 du 08 juin 2021",
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-159-01"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Schneider Electric SEVD-2021-159-02 du 08 juin 2021",
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-159-02"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Schneider Electric SEVD-2021-159-06 du 08 juin 2021",
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-159-06"
}
]
}
CERTFR-2021-AVI-443
Vulnerability from certfr_avis - Published: - Updated:
De multiples vulnérabilités ont été découvertes dans les produits Schneider Electric. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un déni de service à distance et un contournement de la politique de sécurité.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Schneider Electric | N/A | Modicon X80 BMXNOR0200H RTU versions antérieures à SV1.70 IR22 | ||
| Schneider Electric | N/A | module Definition de IGSS (Interactive Graphical SCADA System) versions antérieures à 15.0.0.21141 | ||
| Schneider Electric | N/A | PowerLogic PM5560 et PM5563 versions antérieures à V2.7.8 | ||
| Schneider Electric | N/A | PowerLogic PM5561 et PM5562 versions antérieures à V2.5.4 | ||
| Schneider Electric | N/A | PowerLogic EGX100 et EGX300 (produits en fin de vie, aucun correctif n'est prévu) | ||
| Schneider Electric | N/A | PowerLogic PM8ECC toutes versions (produit en fin de vie, aucun correctif n'est prévu) | ||
| Schneider Electric | N/A | Enerlin’X Com’X versions antérieures à V6.8.4 | ||
| Schneider Electric | N/A | les produits Schneider Electric utilisant RockWell ISaGRAF (se référer au bulletin de sécurité SEVD-2021-159-04 de l'éditeur, cf. section Documentation) |
References
| Title | Publication Time | Tags | ||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Modicon X80 BMXNOR0200H RTU versions ant\u00e9rieures \u00e0 SV1.70 IR22",
"product": {
"name": "N/A",
"vendor": {
"name": "Schneider Electric",
"scada": true
}
}
},
{
"description": "module Definition de IGSS (Interactive Graphical SCADA System) versions ant\u00e9rieures \u00e0 15.0.0.21141",
"product": {
"name": "N/A",
"vendor": {
"name": "Schneider Electric",
"scada": true
}
}
},
{
"description": "PowerLogic PM5560 et PM5563 versions ant\u00e9rieures \u00e0 V2.7.8",
"product": {
"name": "N/A",
"vendor": {
"name": "Schneider Electric",
"scada": true
}
}
},
{
"description": "PowerLogic PM5561 et PM5562 versions ant\u00e9rieures \u00e0 V2.5.4",
"product": {
"name": "N/A",
"vendor": {
"name": "Schneider Electric",
"scada": true
}
}
},
{
"description": "PowerLogic EGX100 et EGX300 (produits en fin de vie, aucun correctif n\u0027est pr\u00e9vu)",
"product": {
"name": "N/A",
"vendor": {
"name": "Schneider Electric",
"scada": true
}
}
},
{
"description": "PowerLogic PM8ECC toutes versions (produit en fin de vie, aucun correctif n\u0027est pr\u00e9vu)",
"product": {
"name": "N/A",
"vendor": {
"name": "Schneider Electric",
"scada": true
}
}
},
{
"description": "Enerlin\u2019X Com\u2019X versions ant\u00e9rieures \u00e0 V6.8.4",
"product": {
"name": "N/A",
"vendor": {
"name": "Schneider Electric",
"scada": true
}
}
},
{
"description": "les produits Schneider Electric utilisant RockWell ISaGRAF (se r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 SEVD-2021-159-04 de l\u0027\u00e9diteur, cf. section Documentation)",
"product": {
"name": "N/A",
"vendor": {
"name": "Schneider Electric",
"scada": true
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2021-22753",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22753"
},
{
"name": "CVE-2021-22750",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22750"
},
{
"name": "CVE-2021-22763",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22763"
},
{
"name": "CVE-2021-22767",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22767"
},
{
"name": "CVE-2021-22754",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22754"
},
{
"name": "CVE-2021-22756",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22756"
},
{
"name": "CVE-2021-22765",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22765"
},
{
"name": "CVE-2021-22755",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22755"
},
{
"name": "CVE-2020-25176",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-25176"
},
{
"name": "CVE-2021-22764",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22764"
},
{
"name": "CVE-2020-25178",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-25178"
},
{
"name": "CVE-2021-22768",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22768"
},
{
"name": "CVE-2021-22749",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22749"
},
{
"name": "CVE-2021-22752",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22752"
},
{
"name": "CVE-2021-22760",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22760"
},
{
"name": "CVE-2020-25180",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-25180"
},
{
"name": "CVE-2021-22766",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22766"
},
{
"name": "CVE-2021-22761",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22761"
},
{
"name": "CVE-2021-22758",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22758"
},
{
"name": "CVE-2021-22769",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22769"
},
{
"name": "CVE-2020-25184",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-25184"
},
{
"name": "CVE-2021-22759",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22759"
},
{
"name": "CVE-2021-22751",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22751"
},
{
"name": "CVE-2021-22757",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22757"
},
{
"name": "CVE-2021-22762",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22762"
},
{
"name": "CVE-2020-25182",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-25182"
}
],
"links": [],
"reference": "CERTFR-2021-AVI-443",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2021-06-09T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans\u00a0les produits\nSchneider Electric. Certaines d\u0027entre elles permettent \u00e0 un attaquant de\nprovoquer une ex\u00e9cution de code arbitraire \u00e0 distance, un d\u00e9ni de\nservice \u00e0 distance et un contournement de la politique de s\u00e9curit\u00e9.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Schneider Electric",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Schneider Electric SEVD-2021-159-03 du 08 juin 2021",
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-159-03"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Schneider Electric SEVD-2021-159-04 du 08 juin 2021",
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-159-04"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Schneider Electric SEVD-2021-159-05 du 08 juin 2021",
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-159-05"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Schneider Electric SEVD-2021-159-01 du 08 juin 2021",
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-159-01"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Schneider Electric SEVD-2021-159-02 du 08 juin 2021",
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-159-02"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Schneider Electric SEVD-2021-159-06 du 08 juin 2021",
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-159-06"
}
]
}
VAR-202106-0545
Vulnerability from variot - Updated: 2024-05-17 22:51A CWE-20: Improper Input Validation vulnerability exists in PowerLogic EGX100 (Versions 3.0.0 and newer) and PowerLogic EGX300 (All Versions) that could cause denial of service or remote code execution via a specially crafted HTTP packet.This CVE ID is unique from CVE-2021-2276. ** Not supported ** This is a vulnerability in an unsupported product. PowerLogic EGX100 and PowerLogic EGX300 There is an input verification vulnerability in. This vulnerability is CVE-2021-22768 Is a different vulnerability.Information is obtained, information is tampered with, and service is disrupted (DoS) It may be put into a state. Schneider Electric PowerLogic is an industrial control equipment of French Schneider Electric (Schneider Electric). Provide improved power factor to improve power quality, eliminate power failures, thereby protecting the network, devices and operators
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202106-0545",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "powerlogic egx100",
"scope": "gte",
"trust": 1.0,
"vendor": "schneider electric",
"version": "3.0.0"
},
{
"model": "powerlogic egx300",
"scope": "eq",
"trust": 1.0,
"vendor": "schneider electric",
"version": "*"
},
{
"model": "powerlogic egx100",
"scope": null,
"trust": 0.8,
"vendor": "schneider electric",
"version": null
},
{
"model": "powerlogic egx300",
"scope": null,
"trust": 0.8,
"vendor": "schneider electric",
"version": null
},
{
"model": "electric powerlogic egx100",
"scope": "gte",
"trust": 0.6,
"vendor": "schneider",
"version": "3.0.0"
},
{
"model": "electric powerlogic egx300",
"scope": null,
"trust": 0.6,
"vendor": "schneider",
"version": null
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2021-46281"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-008273"
},
{
"db": "NVD",
"id": "CVE-2021-22767"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:schneider-electric:powerlogic_egx100_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionStartIncluding": "3.0.0",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:schneider-electric:powerlogic_egx100:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:schneider-electric:powerlogic_egx300_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:schneider-electric:powerlogic_egx300:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2021-22767"
}
]
},
"cve": "CVE-2021-22767",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "NVD",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "HIGH",
"trust": 1.0,
"userInteractionRequired": false,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Low",
"accessVector": "Network",
"authentication": "None",
"author": "NVD",
"availabilityImpact": "Partial",
"baseScore": 7.5,
"confidentialityImpact": "Partial",
"exploitabilityScore": null,
"id": "CVE-2021-22767",
"impactScore": null,
"integrityImpact": "Partial",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "High",
"trust": 0.8,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"id": "CNVD-2021-46281",
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"severity": "HIGH",
"trust": 0.6,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "NVD",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
{
"attackComplexity": "Low",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "High",
"baseScore": 9.8,
"baseSeverity": "Critical",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "CVE-2021-22767",
"impactScore": null,
"integrityImpact": "High",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "NVD",
"id": "CVE-2021-22767",
"trust": 1.8,
"value": "CRITICAL"
},
{
"author": "CNVD",
"id": "CNVD-2021-46281",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "CNNVD",
"id": "CNNVD-202106-992",
"trust": 0.6,
"value": "CRITICAL"
}
]
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2021-46281"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-008273"
},
{
"db": "CNNVD",
"id": "CNNVD-202106-992"
},
{
"db": "NVD",
"id": "CVE-2021-22767"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "A CWE-20: Improper Input Validation vulnerability exists in PowerLogic EGX100 (Versions 3.0.0 and newer) and PowerLogic EGX300 (All Versions) that could cause denial of service or remote code execution via a specially crafted HTTP packet.This CVE ID is unique from CVE-2021-2276. ** Not supported ** This is a vulnerability in an unsupported product. PowerLogic EGX100 and PowerLogic EGX300 There is an input verification vulnerability in. This vulnerability is CVE-2021-22768 Is a different vulnerability.Information is obtained, information is tampered with, and service is disrupted (DoS) It may be put into a state. Schneider Electric PowerLogic is an industrial control equipment of French Schneider Electric (Schneider Electric). Provide improved power factor to improve power quality, eliminate power failures, thereby protecting the network, devices and operators",
"sources": [
{
"db": "NVD",
"id": "CVE-2021-22767"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-008273"
},
{
"db": "CNVD",
"id": "CNVD-2021-46281"
}
],
"trust": 2.16
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2021-22767",
"trust": 3.8
},
{
"db": "SCHNEIDER",
"id": "SEVD-2021-159-03",
"trust": 2.2
},
{
"db": "JVNDB",
"id": "JVNDB-2021-008273",
"trust": 0.8
},
{
"db": "CNVD",
"id": "CNVD-2021-46281",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-202106-992",
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2021-46281"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-008273"
},
{
"db": "CNNVD",
"id": "CNNVD-202106-992"
},
{
"db": "NVD",
"id": "CVE-2021-22767"
}
]
},
"id": "VAR-202106-0545",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2021-46281"
}
],
"trust": 1.6
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"Network device"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2021-46281"
}
]
},
"last_update_date": "2024-05-17T22:51:03.773000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "SEVD-2021-159-03",
"trust": 0.8,
"url": "https://download.schneider-electric.com/files?p_doc_ref=sevd-2021-159-03"
},
{
"title": "Patch for Schneider Electric PowerLogic input validation error vulnerability (CNVD-2021-46281)",
"trust": 0.6,
"url": "https://www.cnvd.org.cn/patchinfo/show/276461"
},
{
"title": "Schneider Electric PowerLogic Enter the fix for the verification error vulnerability",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=155014"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2021-46281"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-008273"
},
{
"db": "CNNVD",
"id": "CNNVD-202106-992"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-20",
"trust": 1.0
},
{
"problemtype": "Incorrect input confirmation (CWE-20) [ Other ]",
"trust": 0.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2021-008273"
},
{
"db": "NVD",
"id": "CVE-2021-22767"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.2,
"url": "http://download.schneider-electric.com/files?p_doc_ref=sevd-2021-159-03"
},
{
"trust": 1.4,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-22767"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2021-46281"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-008273"
},
{
"db": "CNNVD",
"id": "CNNVD-202106-992"
},
{
"db": "NVD",
"id": "CVE-2021-22767"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CNVD",
"id": "CNVD-2021-46281"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-008273"
},
{
"db": "CNNVD",
"id": "CNNVD-202106-992"
},
{
"db": "NVD",
"id": "CVE-2021-22767"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2021-07-01T00:00:00",
"db": "CNVD",
"id": "CNVD-2021-46281"
},
{
"date": "2022-03-10T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2021-008273"
},
{
"date": "2021-06-11T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202106-992"
},
{
"date": "2021-06-11T16:15:10.593000",
"db": "NVD",
"id": "CVE-2021-22767"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2021-07-01T00:00:00",
"db": "CNVD",
"id": "CNVD-2021-46281"
},
{
"date": "2022-03-10T07:10:00",
"db": "JVNDB",
"id": "JVNDB-2021-008273"
},
{
"date": "2022-03-10T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202106-992"
},
{
"date": "2024-05-17T01:53:54.350000",
"db": "NVD",
"id": "CVE-2021-22767"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202106-992"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "PowerLogic\u00a0EGX100\u00a0 and \u00a0PowerLogic\u00a0EGX300\u00a0 Input confirmation vulnerability",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2021-008273"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "input validation error",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202106-992"
}
],
"trust": 0.6
}
}
Loading…
Show additional events:
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…