Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2021-22769 (GCVE-0-2021-22769)
Vulnerability from cvelistv5 – Published: 2021-06-11 15:40 – Updated: 2024-08-03 18:51
VLAI?
EPSS
Summary
A CWE-552: Files or Directories Accessible to External Parties vulnerability exists in Easergy T300 with firmware V2.7.1 and older that could expose files or directory content when access from an attacker is not restricted or incorrectly restricted.
Severity ?
No CVSS data available.
CWE
- CWE-552 - Files or Directories Accessible to External Parties
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | Easergy T300 with firmware V2.7.1 and older |
Affected:
Easergy T300 with firmware V2.7.1 and older
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T18:51:07.463Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-194-02"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Easergy T300 with firmware V2.7.1 and older",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Easergy T300 with firmware V2.7.1 and older"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A CWE-552: Files or Directories Accessible to External Parties vulnerability exists in Easergy T300 with firmware V2.7.1 and older that could expose files or directory content when access from an attacker is not restricted or incorrectly restricted."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-552",
"description": "CWE-552: Files or Directories Accessible to External Parties",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-07-21T10:40:05",
"orgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb",
"shortName": "schneider"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "http://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-194-02"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cybersecurity@schneider-electric.com",
"ID": "CVE-2021-22769",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Easergy T300 with firmware V2.7.1 and older",
"version": {
"version_data": [
{
"version_value": "Easergy T300 with firmware V2.7.1 and older"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A CWE-552: Files or Directories Accessible to External Parties vulnerability exists in Easergy T300 with firmware V2.7.1 and older that could expose files or directory content when access from an attacker is not restricted or incorrectly restricted."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-552: Files or Directories Accessible to External Parties"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-194-02",
"refsource": "MISC",
"url": "http://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-194-02"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb",
"assignerShortName": "schneider",
"cveId": "CVE-2021-22769",
"datePublished": "2021-06-11T15:40:47",
"dateReserved": "2021-01-06T00:00:00",
"dateUpdated": "2024-08-03T18:51:07.463Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"fkie_nvd": {
"configurations": "[{\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:schneider-electric:easergy_t300_firmware:*:*:*:*:*:*:*:*\", \"versionEndIncluding\": \"2.7.1\", \"matchCriteriaId\": \"E07AFED6-47CC-4A19-80DB-C537F4F07736\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": false, \"criteria\": \"cpe:2.3:h:schneider-electric:easergy_t300:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"45E6C3FA-001D-449A-A512-327FA0C9AC5A\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"A CWE-552: Files or Directories Accessible to External Parties vulnerability exists in Easergy T300 with firmware V2.7.1 and older that could expose files or directory content when access from an attacker is not restricted or incorrectly restricted.\"}, {\"lang\": \"es\", \"value\": \"Un CWE-552: Archivos o directorios accesibles a partes externas en el Easergy T300 con firmware versi\\u00f3n V2.7.1 y anterior que podr\\u00eda exponer el contenido de archivos o directorios cuando el acceso de un atacante no est\\u00e1 restringido o est\\u00e1 restringido incorrectamente.\"}]",
"id": "CVE-2021-22769",
"lastModified": "2024-11-21T05:50:37.887",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N\", \"baseScore\": 4.3, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 1.4}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:S/C:P/I:N/A:N\", \"baseScore\": 4.0, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"SINGLE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 8.0, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
"published": "2021-06-11T16:15:10.730",
"references": "[{\"url\": \"http://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-194-02\", \"source\": \"cybersecurity@se.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-194-02\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}]",
"sourceIdentifier": "cybersecurity@se.com",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"cybersecurity@se.com\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-552\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2021-22769\",\"sourceIdentifier\":\"cybersecurity@se.com\",\"published\":\"2021-06-11T16:15:10.730\",\"lastModified\":\"2024-11-21T05:50:37.887\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A CWE-552: Files or Directories Accessible to External Parties vulnerability exists in Easergy T300 with firmware V2.7.1 and older that could expose files or directory content when access from an attacker is not restricted or incorrectly restricted.\"},{\"lang\":\"es\",\"value\":\"Un CWE-552: Archivos o directorios accesibles a partes externas en el Easergy T300 con firmware versi\u00f3n V2.7.1 y anterior que podr\u00eda exponer el contenido de archivos o directorios cuando el acceso de un atacante no est\u00e1 restringido o est\u00e1 restringido incorrectamente.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N\",\"baseScore\":4.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":1.4}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:S/C:P/I:N/A:N\",\"baseScore\":4.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.0,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"cybersecurity@se.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-552\"}]}],\"configurations\":[{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:schneider-electric:easergy_t300_firmware:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"2.7.1\",\"matchCriteriaId\":\"E07AFED6-47CC-4A19-80DB-C537F4F07736\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:schneider-electric:easergy_t300:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"45E6C3FA-001D-449A-A512-327FA0C9AC5A\"}]}]}],\"references\":[{\"url\":\"http://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-194-02\",\"source\":\"cybersecurity@se.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-194-02\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}"
}
}
VAR-202106-0547
Vulnerability from variot - Updated: 2022-05-06 07:05A CWE-552: Files or Directories Accessible to External Parties vulnerability exists in Easergy T300 with firmware V2.7.1 and older that could expose files or directory content when access from an attacker is not restricted or incorrectly restricted. Schneider Electric Provided by the company Enerlin'X Com'X 510 Inappropriate permission management vulnerability (CWE-269 , CVE-2021-22769) ExistsWhen the authenticated user receives a specially crafted request for the device, the device configuration information without viewing authority is disclosed. Pillow is a Python-based image processing library. There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202106-0547",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "easergy t300",
"scope": "lte",
"trust": 1.0,
"vendor": "schneider electric",
"version": "2.7.1"
},
{
"model": "enerlin\u0027x com\u0027x 510",
"scope": "eq",
"trust": 0.8,
"vendor": "schneider electric",
"version": null
},
{
"model": "enerlin\u0027x com\u0027x 510",
"scope": "eq",
"trust": 0.8,
"vendor": "schneider electric",
"version": "v6.8.4 all earlier s"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2021-001891"
},
{
"db": "NVD",
"id": "CVE-2021-22769"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:schneider-electric:easergy_t300_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "2.7.1",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:schneider-electric:easergy_t300:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:schneider-electric:easergy_t300_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "2.7.1",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:h:schneider-electric:easergy_t300:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "AND"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2021-22769"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Maxim Rupp reported this vulnerability to CISA.",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202106-978"
}
],
"trust": 0.6
},
"cve": "CVE-2021-22769",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"author": "NVD",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 8.0,
"id": "CVE-2021-22769",
"impactScore": 2.9,
"integrityImpact": "NONE",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"trust": 1.0,
"userInteractionRequired": false,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "NVD",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"exploitabilityScore": 2.8,
"id": "CVE-2021-22769",
"impactScore": 1.4,
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
{
"attackComplexity": "Low",
"attackVector": "Network",
"author": "IPA",
"availabilityImpact": "None",
"baseScore": 8.5,
"baseSeverity": "High",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "JVNDB-2021-001891",
"impactScore": null,
"integrityImpact": "Low",
"privilegesRequired": "Low",
"scope": "Changed",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N",
"version": "3.0"
}
],
"severity": [
{
"author": "NVD",
"id": "CVE-2021-22769",
"trust": 1.0,
"value": "MEDIUM"
},
{
"author": "IPA",
"id": "JVNDB-2021-001891",
"trust": 0.8,
"value": "High"
},
{
"author": "CNNVD",
"id": "CNNVD-202104-975",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "CNNVD",
"id": "CNNVD-202106-978",
"trust": 0.6,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2021-001891"
},
{
"db": "CNNVD",
"id": "CNNVD-202104-975"
},
{
"db": "CNNVD",
"id": "CNNVD-202106-978"
},
{
"db": "NVD",
"id": "CVE-2021-22769"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "A CWE-552: Files or Directories Accessible to External Parties vulnerability exists in Easergy T300 with firmware V2.7.1 and older that could expose files or directory content when access from an attacker is not restricted or incorrectly restricted. Schneider Electric Provided by the company Enerlin\u0027X Com\u0027X 510 Inappropriate permission management vulnerability (CWE-269 , CVE-2021-22769) ExistsWhen the authenticated user receives a specially crafted request for the device, the device configuration information without viewing authority is disclosed. Pillow is a Python-based image processing library. \nThere is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements",
"sources": [
{
"db": "NVD",
"id": "CVE-2021-22769"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-001891"
},
{
"db": "CNNVD",
"id": "CNNVD-202104-975"
}
],
"trust": 2.16
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2021-22769",
"trust": 2.4
},
{
"db": "ICS CERT",
"id": "ICSA-21-168-01",
"trust": 1.4
},
{
"db": "SCHNEIDER",
"id": "SEVD-2021-194-02",
"trust": 1.0
},
{
"db": "JVN",
"id": "JVNVU93458321",
"trust": 0.8
},
{
"db": "JVNDB",
"id": "JVNDB-2021-001891",
"trust": 0.8
},
{
"db": "CS-HELP",
"id": "SB2021041363",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-202104-975",
"trust": 0.6
},
{
"db": "CS-HELP",
"id": "SB2021061804",
"trust": 0.6
},
{
"db": "SCHNEIDER",
"id": "SEVD-2021-159-06",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2021.2172",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-202106-978",
"trust": 0.6
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2021-001891"
},
{
"db": "CNNVD",
"id": "CNNVD-202104-975"
},
{
"db": "CNNVD",
"id": "CNNVD-202106-978"
},
{
"db": "NVD",
"id": "CVE-2021-22769"
}
]
},
"id": "VAR-202106-0547",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VARIoT devices database",
"id": null
}
],
"trust": 0.5843179
},
"last_update_date": "2022-05-06T07:05:23.297000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "Schneider\u00a0Electric\u00a0Security\u00a0Notification\u00a0Enerlin\u0027X\u00a0Com \u2019 X\u00a0510",
"trust": 0.8,
"url": "https://download.schneider-electric.com/files?p_doc_ref=sevd-2021-159-06"
},
{
"title": "Schneider Electric Enerlin\u00d5X Com\u00d5X Security vulnerabilities",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=155012"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2021-001891"
},
{
"db": "CNNVD",
"id": "CNNVD-202106-978"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-552",
"trust": 1.0
},
{
"problemtype": "Improper authority management (CWE-269) [IPA Evaluation ]",
"trust": 0.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2021-001891"
},
{
"db": "NVD",
"id": "CVE-2021-22769"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 1.4,
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-168-01"
},
{
"trust": 1.0,
"url": "http://download.schneider-electric.com/files?p_doc_ref=sevd-2021-194-02"
},
{
"trust": 0.8,
"url": "http://jvn.jp/cert/jvnvu93458321"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2021041363"
},
{
"trust": 0.6,
"url": "http://download.schneider-electric.com/files?p_doc_ref=sevd-2021-159-06"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2021061804"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2021.2172"
},
{
"trust": 0.6,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-22769"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2021-001891"
},
{
"db": "CNNVD",
"id": "CNNVD-202104-975"
},
{
"db": "CNNVD",
"id": "CNNVD-202106-978"
},
{
"db": "NVD",
"id": "CVE-2021-22769"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "JVNDB",
"id": "JVNDB-2021-001891"
},
{
"db": "CNNVD",
"id": "CNNVD-202104-975"
},
{
"db": "CNNVD",
"id": "CNNVD-202106-978"
},
{
"db": "NVD",
"id": "CVE-2021-22769"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2021-06-21T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2021-001891"
},
{
"date": "2021-04-13T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202104-975"
},
{
"date": "2021-06-11T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202106-978"
},
{
"date": "2021-06-11T16:15:00",
"db": "NVD",
"id": "CVE-2021-22769"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2021-06-21T08:25:00",
"db": "JVNDB",
"id": "JVNDB-2021-001891"
},
{
"date": "2021-04-14T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202104-975"
},
{
"date": "2021-07-26T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202106-978"
},
{
"date": "2021-09-20T13:51:00",
"db": "NVD",
"id": "CVE-2021-22769"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202106-978"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Schneider\u00a0Electric\u00a0 Made \u00a0Enerlin\u0027X\u00a0Com\u0027X\u00a0510\u00a0 Improper permission management vulnerability",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2021-001891"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "other",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202104-975"
},
{
"db": "CNNVD",
"id": "CNNVD-202106-978"
}
],
"trust": 1.2
}
}
ICSA-21-168-01
Vulnerability from csaf_cisa - Published: 2021-06-17 00:00 - Updated: 2021-06-17 00:00Summary
Schneider Electric Enerlin'X Com 'X 510
Notes
CISA Disclaimer
This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov
Legal Notice
All information products included in https://us-cert.cisa.gov/ics are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.
Risk evaluation
Successful exploitation of this vulnerability could allow elevation of privileges, which could result in unintended disclosure of device configuration information to any authenticated user.
Critical infrastructure sectors
Energy
Countries/areas deployed
Worldwide
Company headquarters location
France
Recommended Practices
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:
Recommended Practices
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage onus-cert.cisa.gov. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Recommended Practices
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage on us-cert.cisa.gov in the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.
Exploitability
No known public exploits specifically target this vulnerability.
{
"document": {
"acknowledgments": [
{
"names": [
"Maxim Rupp"
],
"summary": "reporting this vulnerability to CISA"
}
],
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Disclosure is not limited",
"tlp": {
"label": "WHITE",
"url": "https://us-cert.cisa.gov/tlp/"
}
},
"lang": "en-US",
"notes": [
{
"category": "general",
"text": "This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov",
"title": "CISA Disclaimer"
},
{
"category": "legal_disclaimer",
"text": "All information products included in https://us-cert.cisa.gov/ics are provided \"as is\" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.",
"title": "Legal Notice"
},
{
"category": "summary",
"text": "Successful exploitation of this vulnerability could allow elevation of privileges, which could result in unintended disclosure of device configuration information to any authenticated user.",
"title": "Risk evaluation"
},
{
"category": "other",
"text": "Energy",
"title": "Critical infrastructure sectors"
},
{
"category": "other",
"text": "Worldwide",
"title": "Countries/areas deployed"
},
{
"category": "other",
"text": "France",
"title": "Company headquarters location"
},
{
"category": "general",
"text": "CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.\nCISA also provides a section for control systems security recommended practices on the ICS webpage onus-cert.cisa.gov. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "Additional mitigation guidance and recommended practices are publicly available on the ICS webpage on us-cert.cisa.gov in the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.\nOrganizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.",
"title": "Recommended Practices"
},
{
"category": "other",
"text": "No known public exploits specifically target this vulnerability.",
"title": "Exploitability"
}
],
"publisher": {
"category": "coordinator",
"contact_details": "Email: CISAservicedesk@cisa.dhs.gov;\n Toll Free: 1-888-282-0870",
"name": "CISA",
"namespace": "https://www.cisa.gov/"
},
"references": [
{
"category": "self",
"summary": "ICS Advisory ICSA-21-168-01 JSON",
"url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/OT/white/2021/icsa-21-168-01.json"
},
{
"category": "self",
"summary": "ICS Advisory ICSA-21-168-01 Web Version",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-21-168-01"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://us-cert.cisa.gov/ics/alerts/ICS-ALERT-10-301-01"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://us-cert.cisa.gov/ics/tips/ICS-TIP-12-146-01B"
}
],
"title": "Schneider Electric Enerlin\u0027X Com \u0027X 510",
"tracking": {
"current_release_date": "2021-06-17T00:00:00.000000Z",
"generator": {
"engine": {
"name": "CISA CSAF Generator",
"version": "1.0.0"
}
},
"id": "ICSA-21-168-01",
"initial_release_date": "2021-06-17T00:00:00.000000Z",
"revision_history": [
{
"date": "2021-06-17T00:00:00.000000Z",
"legacy_version": "Initial",
"number": "1",
"summary": "ICSA-21-168-01 Schneider Electric EnerlinX ComX 510"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c 6.8.4",
"product": {
"name": "Enerlin\u0027X Com\u0027X 510: All versions prior to v6.8.4",
"product_id": "CSAFPID-0001"
}
}
],
"category": "product_name",
"name": "Enerlin\u0027X Com\u0027X 510"
}
],
"category": "vendor",
"name": "Schneider Electric Software, LLC"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2021-22769",
"cwe": {
"id": "CWE-269",
"name": "Improper Privilege Management"
},
"notes": [
{
"category": "summary",
"text": "This vulnerability may allow disclosure of device configuration information to any authenticated user when a specially crafted request is sent to the device.CVE-2021-22769 has been assigned to this vulnerability. A CVSS v3 base score of 8.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N).",
"title": "Vulnerability Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"category": "external",
"summary": "web.nvd.nist.gov",
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-22769"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N"
}
],
"remediations": [
{
"category": "mitigation",
"details": "If the Guest account password on the device remains set to the default value, users should immediately change the account password to one that is unique and has a strong value.",
"product_ids": [
"CSAFPID-0001"
]
},
{
"category": "mitigation",
"details": "Users who have configured their Com\u0027X 510 device to access remote SMTP, FTP, or HTTPS services should immediately change access passwords on the affected services and update the Com\u0027X configuration.",
"product_ids": [
"CSAFPID-0001"
]
},
{
"category": "vendor_fix",
"details": "To further reduce the risk, apply v6.8.4 or later of the Enerlin\u0027X Com\u0027X 510 firmware.",
"product_ids": [
"CSAFPID-0001"
],
"url": "https://www.se.com/ww/en/download/document/ComX_510_v6.8.4/"
},
{
"category": "mitigation",
"details": "For additional information on this vulnerability, see Schneider Electric\u0027s security notification SEVD-2021-159-06",
"product_ids": [
"CSAFPID-0001"
],
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-159-06"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N",
"version": "3.0"
},
"products": [
"CSAFPID-0001"
]
}
]
}
]
}
CERTFR-2021-AVI-517
Vulnerability from certfr_avis - Published: - Updated:
De multiples vulnérabilités ont été découvertes dans les produits Schneider. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire, un dénis de service, un contournement de la politique de sécurité et une atteinte à l'intégrité des données.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
- EcoStruxure Control Expert toutes versions (versions Unity Pro inclus) antérieures 15.0 SP1
- EcoStruxure Control Expert version antérieures à V15.0 SP1 sans le dernier correctif
- EcoStruxure Process Expert toutes versions (versions EcoStruxure Hybrid DCS inclus)
- SCADAPack RemoteConnect for x70 toutes versions
- Modicon M580 CPU (part numbers BMEP* et BMEH*) toutes versions
- Modicon M340 CPU (part numbers BMXP34*) toutes versions
- SoSafe Configurable versions antérieures à 1.8.1
- C-Bus Toolkit versions antérieures à 1.15.9
- Easergy T300 avec un microgiciel (firmware) en versions antérieures à 2.8
- Easergy T200 (Modbus) versions antérieures à SC2-04MOD-07000103
- Easergy T200 (IEC104) versions antérieures à SC2-04IEC-07000103
- Easergy T200 (DNP3) versions antérieures à SC2-04DNP-07000103
- EVlink CityEVC1S22P4 / EVC1S7P4 versions antérieures à R8 V3.4.0.1
- EVlink ParkingEVW2 / EVF2 / EV.2 versions antérieures à R8 V3.4.0.1
- EVlink Smart WallboxEVB1A versions antérieures à R8 V3.4.0.1
Note : Actuellement, aucun correctif n'est proposé pour les vulnérabilités dans les produits EcoStruxure Process Expert, Modicon M580, Modicon M340 et SCADAPack. Cependant des mesures de contournement sont proposées par l'éditeur pour les produits Modicon M580 et M340 afin de réduire le risque et l'impact d'exploitation de la CVE-2021-22779.
Impacted products
| Vendor | Product | Description |
|---|
References
| Title | Publication Time | Tags | ||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [],
"affected_systems_content": "\u003cul\u003e \u003cli\u003eEcoStruxure Control Expert toutes versions (versions Unity Pro inclus) ant\u00e9rieures 15.0 SP1\u003c/li\u003e \u003cli\u003eEcoStruxure Control Expert version ant\u00e9rieures \u00e0 V15.0 SP1 sans le dernier correctif\u003c/li\u003e \u003cli\u003eEcoStruxure Process Expert toutes versions (versions EcoStruxure Hybrid DCS inclus)\u003c/li\u003e \u003cli\u003eSCADAPack RemoteConnect for x70 toutes versions\u003c/li\u003e \u003cli\u003eModicon M580 CPU (part numbers BMEP* et BMEH*) toutes versions\u003c/li\u003e \u003cli\u003eModicon M340 CPU (part numbers BMXP34*) toutes versions\u003c/li\u003e \u003cli\u003eSoSafe Configurable versions ant\u00e9rieures \u00e0 1.8.1\u003c/li\u003e \u003cli\u003eC-Bus Toolkit versions ant\u00e9rieures \u00e0 1.15.9\u003c/li\u003e \u003cli\u003eEasergy T300 avec un microgiciel (firmware) en versions ant\u00e9rieures \u00e0 2.8\u003c/li\u003e \u003cli\u003eEasergy T200 (Modbus) versions ant\u00e9rieures \u00e0 SC2-04MOD-07000103\u003c/li\u003e \u003cli\u003eEasergy T200 (IEC104) versions ant\u00e9rieures \u00e0 SC2-04IEC-07000103\u003c/li\u003e \u003cli\u003eEasergy T200 (DNP3) versions ant\u00e9rieures \u00e0 SC2-04DNP-07000103\u003c/li\u003e \u003cli\u003eEVlink CityEVC1S22P4 / EVC1S7P4 versions ant\u00e9rieures \u00e0 R8 V3.4.0.1\u003c/li\u003e \u003cli\u003eEVlink ParkingEVW2 / EVF2 / EV.2 versions ant\u00e9rieures \u00e0 R8 V3.4.0.1\u003c/li\u003e \u003cli\u003eEVlink Smart WallboxEVB1A versions ant\u00e9rieures \u00e0 R8 V3.4.0.1\u003c/li\u003e \u003c/ul\u003e \u003cp\u003e\u003cem\u003eNote : Actuellement, aucun correctif n\u0027est propos\u00e9 pour les vuln\u00e9rabilit\u00e9s dans les produits EcoStruxure Process Expert, Modicon M580, Modicon M340 et SCADAPack. Cependant des mesures de contournement sont propos\u00e9es par l\u0027\u00e9diteur pour les produits Modicon M580 et M340 afin de r\u00e9duire le risque et l\u0027impact d\u0027exploitation de la CVE-2021-22779.\u003c/em\u003e\u003c/p\u003e ",
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2021-22771",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22771"
},
{
"name": "CVE-2021-22721",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22721"
},
{
"name": "CVE-2021-22779",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22779"
},
{
"name": "CVE-2021-22781",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22781"
},
{
"name": "CVE-2021-22777",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22777"
},
{
"name": "CVE-2021-22780",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22780"
},
{
"name": "CVE-2021-22729",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22729"
},
{
"name": "CVE-2021-22708",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22708"
},
{
"name": "CVE-2021-22727",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22727"
},
{
"name": "CVE-2021-22774",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22774"
},
{
"name": "CVE-2021-22773",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22773"
},
{
"name": "CVE-2021-22706",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22706"
},
{
"name": "CVE-2021-22782",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22782"
},
{
"name": "CVE-2021-22778",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22778"
},
{
"name": "CVE-2021-22728",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22728"
},
{
"name": "CVE-2021-22730",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22730"
},
{
"name": "CVE-2021-22770",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22770"
},
{
"name": "CVE-2021-22784",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22784"
},
{
"name": "CVE-2021-22769",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22769"
},
{
"name": "CVE-2021-22723",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22723"
},
{
"name": "CVE-2021-22726",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22726"
},
{
"name": "CVE-2021-22722",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22722"
},
{
"name": "CVE-2020-12525",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-12525"
},
{
"name": "CVE-2021-22772",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22772"
},
{
"name": "CVE-2021-22707",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22707"
}
],
"links": [],
"reference": "CERTFR-2021-AVI-517",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2021-07-13T00:00:00.000000"
}
],
"risks": [
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Ex\u00e9cution de code arbitraire"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits\nSchneider. Certaines d\u0027entre elles permettent \u00e0 un attaquant de\nprovoquer une ex\u00e9cution de code arbitraire, un d\u00e9nis de service, un\ncontournement de la politique de s\u00e9curit\u00e9 et une atteinte \u00e0 l\u0027int\u00e9grit\u00e9\ndes donn\u00e9es.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Schneider",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Schneider SEVD-2021-194-04 du 13 juillet 2021",
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-194-04"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Schneider SEVD-2021-194-03 du 13 juillet 2021",
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-194-03"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Schneider SEVD-2021-194-02 du 13 juillet 2021",
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-194-02"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Schneider SEVD-2021-194-05 du 13 juillet 2021",
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-194-05"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Schneider SEVD-2021-194-06 du 13 juillet 2021",
"url": "https://download.schneider-electric.com/files?p_enDocType=Technical+leaflet\u0026p_File_Name=SEVD-2021-194-06_EVlink_City_Parking_SmartWallbox_Charging_Stations_Security_Notification.pdf\u0026p_Doc_Ref=SEVD-2021-194-06"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Schneider SEVD-2021-194-01 du 13 juillet 2021",
"url": "https://download.schneider-electric.com/files?p_enDocType=Technical+leaflet\u0026p_File_Name=SEVD-2021-194-01_EcoStruxure_Control_Expert_Process_Expert_SCADAPack_RemoteConnect_Modicon_M580_M340.pdf\u0026p_Doc_Ref=SEVD-2021-194-01"
}
]
}
CERTFR-2021-AVI-443
Vulnerability from certfr_avis - Published: - Updated:
De multiples vulnérabilités ont été découvertes dans les produits Schneider Electric. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un déni de service à distance et un contournement de la politique de sécurité.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Schneider Electric | N/A | Modicon X80 BMXNOR0200H RTU versions antérieures à SV1.70 IR22 | ||
| Schneider Electric | N/A | module Definition de IGSS (Interactive Graphical SCADA System) versions antérieures à 15.0.0.21141 | ||
| Schneider Electric | N/A | PowerLogic PM5560 et PM5563 versions antérieures à V2.7.8 | ||
| Schneider Electric | N/A | PowerLogic PM5561 et PM5562 versions antérieures à V2.5.4 | ||
| Schneider Electric | N/A | PowerLogic EGX100 et EGX300 (produits en fin de vie, aucun correctif n'est prévu) | ||
| Schneider Electric | N/A | PowerLogic PM8ECC toutes versions (produit en fin de vie, aucun correctif n'est prévu) | ||
| Schneider Electric | N/A | Enerlin’X Com’X versions antérieures à V6.8.4 | ||
| Schneider Electric | N/A | les produits Schneider Electric utilisant RockWell ISaGRAF (se référer au bulletin de sécurité SEVD-2021-159-04 de l'éditeur, cf. section Documentation) |
References
| Title | Publication Time | Tags | ||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Modicon X80 BMXNOR0200H RTU versions ant\u00e9rieures \u00e0 SV1.70 IR22",
"product": {
"name": "N/A",
"vendor": {
"name": "Schneider Electric",
"scada": true
}
}
},
{
"description": "module Definition de IGSS (Interactive Graphical SCADA System) versions ant\u00e9rieures \u00e0 15.0.0.21141",
"product": {
"name": "N/A",
"vendor": {
"name": "Schneider Electric",
"scada": true
}
}
},
{
"description": "PowerLogic PM5560 et PM5563 versions ant\u00e9rieures \u00e0 V2.7.8",
"product": {
"name": "N/A",
"vendor": {
"name": "Schneider Electric",
"scada": true
}
}
},
{
"description": "PowerLogic PM5561 et PM5562 versions ant\u00e9rieures \u00e0 V2.5.4",
"product": {
"name": "N/A",
"vendor": {
"name": "Schneider Electric",
"scada": true
}
}
},
{
"description": "PowerLogic EGX100 et EGX300 (produits en fin de vie, aucun correctif n\u0027est pr\u00e9vu)",
"product": {
"name": "N/A",
"vendor": {
"name": "Schneider Electric",
"scada": true
}
}
},
{
"description": "PowerLogic PM8ECC toutes versions (produit en fin de vie, aucun correctif n\u0027est pr\u00e9vu)",
"product": {
"name": "N/A",
"vendor": {
"name": "Schneider Electric",
"scada": true
}
}
},
{
"description": "Enerlin\u2019X Com\u2019X versions ant\u00e9rieures \u00e0 V6.8.4",
"product": {
"name": "N/A",
"vendor": {
"name": "Schneider Electric",
"scada": true
}
}
},
{
"description": "les produits Schneider Electric utilisant RockWell ISaGRAF (se r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 SEVD-2021-159-04 de l\u0027\u00e9diteur, cf. section Documentation)",
"product": {
"name": "N/A",
"vendor": {
"name": "Schneider Electric",
"scada": true
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2021-22753",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22753"
},
{
"name": "CVE-2021-22750",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22750"
},
{
"name": "CVE-2021-22763",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22763"
},
{
"name": "CVE-2021-22767",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22767"
},
{
"name": "CVE-2021-22754",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22754"
},
{
"name": "CVE-2021-22756",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22756"
},
{
"name": "CVE-2021-22765",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22765"
},
{
"name": "CVE-2021-22755",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22755"
},
{
"name": "CVE-2020-25176",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-25176"
},
{
"name": "CVE-2021-22764",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22764"
},
{
"name": "CVE-2020-25178",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-25178"
},
{
"name": "CVE-2021-22768",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22768"
},
{
"name": "CVE-2021-22749",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22749"
},
{
"name": "CVE-2021-22752",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22752"
},
{
"name": "CVE-2021-22760",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22760"
},
{
"name": "CVE-2020-25180",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-25180"
},
{
"name": "CVE-2021-22766",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22766"
},
{
"name": "CVE-2021-22761",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22761"
},
{
"name": "CVE-2021-22758",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22758"
},
{
"name": "CVE-2021-22769",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22769"
},
{
"name": "CVE-2020-25184",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-25184"
},
{
"name": "CVE-2021-22759",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22759"
},
{
"name": "CVE-2021-22751",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22751"
},
{
"name": "CVE-2021-22757",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22757"
},
{
"name": "CVE-2021-22762",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22762"
},
{
"name": "CVE-2020-25182",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-25182"
}
],
"links": [],
"reference": "CERTFR-2021-AVI-443",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2021-06-09T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans\u00a0les produits\nSchneider Electric. Certaines d\u0027entre elles permettent \u00e0 un attaquant de\nprovoquer une ex\u00e9cution de code arbitraire \u00e0 distance, un d\u00e9ni de\nservice \u00e0 distance et un contournement de la politique de s\u00e9curit\u00e9.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Schneider Electric",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Schneider Electric SEVD-2021-159-03 du 08 juin 2021",
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-159-03"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Schneider Electric SEVD-2021-159-04 du 08 juin 2021",
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-159-04"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Schneider Electric SEVD-2021-159-05 du 08 juin 2021",
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-159-05"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Schneider Electric SEVD-2021-159-01 du 08 juin 2021",
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-159-01"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Schneider Electric SEVD-2021-159-02 du 08 juin 2021",
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-159-02"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Schneider Electric SEVD-2021-159-06 du 08 juin 2021",
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-159-06"
}
]
}
CERTFR-2021-AVI-443
Vulnerability from certfr_avis - Published: - Updated:
De multiples vulnérabilités ont été découvertes dans les produits Schneider Electric. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un déni de service à distance et un contournement de la politique de sécurité.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Schneider Electric | N/A | Modicon X80 BMXNOR0200H RTU versions antérieures à SV1.70 IR22 | ||
| Schneider Electric | N/A | module Definition de IGSS (Interactive Graphical SCADA System) versions antérieures à 15.0.0.21141 | ||
| Schneider Electric | N/A | PowerLogic PM5560 et PM5563 versions antérieures à V2.7.8 | ||
| Schneider Electric | N/A | PowerLogic PM5561 et PM5562 versions antérieures à V2.5.4 | ||
| Schneider Electric | N/A | PowerLogic EGX100 et EGX300 (produits en fin de vie, aucun correctif n'est prévu) | ||
| Schneider Electric | N/A | PowerLogic PM8ECC toutes versions (produit en fin de vie, aucun correctif n'est prévu) | ||
| Schneider Electric | N/A | Enerlin’X Com’X versions antérieures à V6.8.4 | ||
| Schneider Electric | N/A | les produits Schneider Electric utilisant RockWell ISaGRAF (se référer au bulletin de sécurité SEVD-2021-159-04 de l'éditeur, cf. section Documentation) |
References
| Title | Publication Time | Tags | ||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Modicon X80 BMXNOR0200H RTU versions ant\u00e9rieures \u00e0 SV1.70 IR22",
"product": {
"name": "N/A",
"vendor": {
"name": "Schneider Electric",
"scada": true
}
}
},
{
"description": "module Definition de IGSS (Interactive Graphical SCADA System) versions ant\u00e9rieures \u00e0 15.0.0.21141",
"product": {
"name": "N/A",
"vendor": {
"name": "Schneider Electric",
"scada": true
}
}
},
{
"description": "PowerLogic PM5560 et PM5563 versions ant\u00e9rieures \u00e0 V2.7.8",
"product": {
"name": "N/A",
"vendor": {
"name": "Schneider Electric",
"scada": true
}
}
},
{
"description": "PowerLogic PM5561 et PM5562 versions ant\u00e9rieures \u00e0 V2.5.4",
"product": {
"name": "N/A",
"vendor": {
"name": "Schneider Electric",
"scada": true
}
}
},
{
"description": "PowerLogic EGX100 et EGX300 (produits en fin de vie, aucun correctif n\u0027est pr\u00e9vu)",
"product": {
"name": "N/A",
"vendor": {
"name": "Schneider Electric",
"scada": true
}
}
},
{
"description": "PowerLogic PM8ECC toutes versions (produit en fin de vie, aucun correctif n\u0027est pr\u00e9vu)",
"product": {
"name": "N/A",
"vendor": {
"name": "Schneider Electric",
"scada": true
}
}
},
{
"description": "Enerlin\u2019X Com\u2019X versions ant\u00e9rieures \u00e0 V6.8.4",
"product": {
"name": "N/A",
"vendor": {
"name": "Schneider Electric",
"scada": true
}
}
},
{
"description": "les produits Schneider Electric utilisant RockWell ISaGRAF (se r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 SEVD-2021-159-04 de l\u0027\u00e9diteur, cf. section Documentation)",
"product": {
"name": "N/A",
"vendor": {
"name": "Schneider Electric",
"scada": true
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2021-22753",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22753"
},
{
"name": "CVE-2021-22750",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22750"
},
{
"name": "CVE-2021-22763",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22763"
},
{
"name": "CVE-2021-22767",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22767"
},
{
"name": "CVE-2021-22754",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22754"
},
{
"name": "CVE-2021-22756",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22756"
},
{
"name": "CVE-2021-22765",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22765"
},
{
"name": "CVE-2021-22755",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22755"
},
{
"name": "CVE-2020-25176",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-25176"
},
{
"name": "CVE-2021-22764",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22764"
},
{
"name": "CVE-2020-25178",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-25178"
},
{
"name": "CVE-2021-22768",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22768"
},
{
"name": "CVE-2021-22749",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22749"
},
{
"name": "CVE-2021-22752",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22752"
},
{
"name": "CVE-2021-22760",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22760"
},
{
"name": "CVE-2020-25180",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-25180"
},
{
"name": "CVE-2021-22766",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22766"
},
{
"name": "CVE-2021-22761",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22761"
},
{
"name": "CVE-2021-22758",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22758"
},
{
"name": "CVE-2021-22769",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22769"
},
{
"name": "CVE-2020-25184",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-25184"
},
{
"name": "CVE-2021-22759",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22759"
},
{
"name": "CVE-2021-22751",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22751"
},
{
"name": "CVE-2021-22757",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22757"
},
{
"name": "CVE-2021-22762",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22762"
},
{
"name": "CVE-2020-25182",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-25182"
}
],
"links": [],
"reference": "CERTFR-2021-AVI-443",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2021-06-09T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans\u00a0les produits\nSchneider Electric. Certaines d\u0027entre elles permettent \u00e0 un attaquant de\nprovoquer une ex\u00e9cution de code arbitraire \u00e0 distance, un d\u00e9ni de\nservice \u00e0 distance et un contournement de la politique de s\u00e9curit\u00e9.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Schneider Electric",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Schneider Electric SEVD-2021-159-03 du 08 juin 2021",
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-159-03"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Schneider Electric SEVD-2021-159-04 du 08 juin 2021",
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-159-04"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Schneider Electric SEVD-2021-159-05 du 08 juin 2021",
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-159-05"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Schneider Electric SEVD-2021-159-01 du 08 juin 2021",
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-159-01"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Schneider Electric SEVD-2021-159-02 du 08 juin 2021",
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-159-02"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Schneider Electric SEVD-2021-159-06 du 08 juin 2021",
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-159-06"
}
]
}
CERTFR-2021-AVI-517
Vulnerability from certfr_avis - Published: - Updated:
De multiples vulnérabilités ont été découvertes dans les produits Schneider. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire, un dénis de service, un contournement de la politique de sécurité et une atteinte à l'intégrité des données.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
- EcoStruxure Control Expert toutes versions (versions Unity Pro inclus) antérieures 15.0 SP1
- EcoStruxure Control Expert version antérieures à V15.0 SP1 sans le dernier correctif
- EcoStruxure Process Expert toutes versions (versions EcoStruxure Hybrid DCS inclus)
- SCADAPack RemoteConnect for x70 toutes versions
- Modicon M580 CPU (part numbers BMEP* et BMEH*) toutes versions
- Modicon M340 CPU (part numbers BMXP34*) toutes versions
- SoSafe Configurable versions antérieures à 1.8.1
- C-Bus Toolkit versions antérieures à 1.15.9
- Easergy T300 avec un microgiciel (firmware) en versions antérieures à 2.8
- Easergy T200 (Modbus) versions antérieures à SC2-04MOD-07000103
- Easergy T200 (IEC104) versions antérieures à SC2-04IEC-07000103
- Easergy T200 (DNP3) versions antérieures à SC2-04DNP-07000103
- EVlink CityEVC1S22P4 / EVC1S7P4 versions antérieures à R8 V3.4.0.1
- EVlink ParkingEVW2 / EVF2 / EV.2 versions antérieures à R8 V3.4.0.1
- EVlink Smart WallboxEVB1A versions antérieures à R8 V3.4.0.1
Note : Actuellement, aucun correctif n'est proposé pour les vulnérabilités dans les produits EcoStruxure Process Expert, Modicon M580, Modicon M340 et SCADAPack. Cependant des mesures de contournement sont proposées par l'éditeur pour les produits Modicon M580 et M340 afin de réduire le risque et l'impact d'exploitation de la CVE-2021-22779.
Impacted products
| Vendor | Product | Description |
|---|
References
| Title | Publication Time | Tags | ||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [],
"affected_systems_content": "\u003cul\u003e \u003cli\u003eEcoStruxure Control Expert toutes versions (versions Unity Pro inclus) ant\u00e9rieures 15.0 SP1\u003c/li\u003e \u003cli\u003eEcoStruxure Control Expert version ant\u00e9rieures \u00e0 V15.0 SP1 sans le dernier correctif\u003c/li\u003e \u003cli\u003eEcoStruxure Process Expert toutes versions (versions EcoStruxure Hybrid DCS inclus)\u003c/li\u003e \u003cli\u003eSCADAPack RemoteConnect for x70 toutes versions\u003c/li\u003e \u003cli\u003eModicon M580 CPU (part numbers BMEP* et BMEH*) toutes versions\u003c/li\u003e \u003cli\u003eModicon M340 CPU (part numbers BMXP34*) toutes versions\u003c/li\u003e \u003cli\u003eSoSafe Configurable versions ant\u00e9rieures \u00e0 1.8.1\u003c/li\u003e \u003cli\u003eC-Bus Toolkit versions ant\u00e9rieures \u00e0 1.15.9\u003c/li\u003e \u003cli\u003eEasergy T300 avec un microgiciel (firmware) en versions ant\u00e9rieures \u00e0 2.8\u003c/li\u003e \u003cli\u003eEasergy T200 (Modbus) versions ant\u00e9rieures \u00e0 SC2-04MOD-07000103\u003c/li\u003e \u003cli\u003eEasergy T200 (IEC104) versions ant\u00e9rieures \u00e0 SC2-04IEC-07000103\u003c/li\u003e \u003cli\u003eEasergy T200 (DNP3) versions ant\u00e9rieures \u00e0 SC2-04DNP-07000103\u003c/li\u003e \u003cli\u003eEVlink CityEVC1S22P4 / EVC1S7P4 versions ant\u00e9rieures \u00e0 R8 V3.4.0.1\u003c/li\u003e \u003cli\u003eEVlink ParkingEVW2 / EVF2 / EV.2 versions ant\u00e9rieures \u00e0 R8 V3.4.0.1\u003c/li\u003e \u003cli\u003eEVlink Smart WallboxEVB1A versions ant\u00e9rieures \u00e0 R8 V3.4.0.1\u003c/li\u003e \u003c/ul\u003e \u003cp\u003e\u003cem\u003eNote : Actuellement, aucun correctif n\u0027est propos\u00e9 pour les vuln\u00e9rabilit\u00e9s dans les produits EcoStruxure Process Expert, Modicon M580, Modicon M340 et SCADAPack. Cependant des mesures de contournement sont propos\u00e9es par l\u0027\u00e9diteur pour les produits Modicon M580 et M340 afin de r\u00e9duire le risque et l\u0027impact d\u0027exploitation de la CVE-2021-22779.\u003c/em\u003e\u003c/p\u003e ",
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2021-22771",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22771"
},
{
"name": "CVE-2021-22721",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22721"
},
{
"name": "CVE-2021-22779",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22779"
},
{
"name": "CVE-2021-22781",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22781"
},
{
"name": "CVE-2021-22777",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22777"
},
{
"name": "CVE-2021-22780",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22780"
},
{
"name": "CVE-2021-22729",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22729"
},
{
"name": "CVE-2021-22708",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22708"
},
{
"name": "CVE-2021-22727",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22727"
},
{
"name": "CVE-2021-22774",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22774"
},
{
"name": "CVE-2021-22773",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22773"
},
{
"name": "CVE-2021-22706",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22706"
},
{
"name": "CVE-2021-22782",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22782"
},
{
"name": "CVE-2021-22778",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22778"
},
{
"name": "CVE-2021-22728",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22728"
},
{
"name": "CVE-2021-22730",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22730"
},
{
"name": "CVE-2021-22770",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22770"
},
{
"name": "CVE-2021-22784",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22784"
},
{
"name": "CVE-2021-22769",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22769"
},
{
"name": "CVE-2021-22723",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22723"
},
{
"name": "CVE-2021-22726",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22726"
},
{
"name": "CVE-2021-22722",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22722"
},
{
"name": "CVE-2020-12525",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-12525"
},
{
"name": "CVE-2021-22772",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22772"
},
{
"name": "CVE-2021-22707",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22707"
}
],
"links": [],
"reference": "CERTFR-2021-AVI-517",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2021-07-13T00:00:00.000000"
}
],
"risks": [
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Ex\u00e9cution de code arbitraire"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits\nSchneider. Certaines d\u0027entre elles permettent \u00e0 un attaquant de\nprovoquer une ex\u00e9cution de code arbitraire, un d\u00e9nis de service, un\ncontournement de la politique de s\u00e9curit\u00e9 et une atteinte \u00e0 l\u0027int\u00e9grit\u00e9\ndes donn\u00e9es.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Schneider",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Schneider SEVD-2021-194-04 du 13 juillet 2021",
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-194-04"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Schneider SEVD-2021-194-03 du 13 juillet 2021",
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-194-03"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Schneider SEVD-2021-194-02 du 13 juillet 2021",
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-194-02"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Schneider SEVD-2021-194-05 du 13 juillet 2021",
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-194-05"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Schneider SEVD-2021-194-06 du 13 juillet 2021",
"url": "https://download.schneider-electric.com/files?p_enDocType=Technical+leaflet\u0026p_File_Name=SEVD-2021-194-06_EVlink_City_Parking_SmartWallbox_Charging_Stations_Security_Notification.pdf\u0026p_Doc_Ref=SEVD-2021-194-06"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Schneider SEVD-2021-194-01 du 13 juillet 2021",
"url": "https://download.schneider-electric.com/files?p_enDocType=Technical+leaflet\u0026p_File_Name=SEVD-2021-194-01_EcoStruxure_Control_Expert_Process_Expert_SCADAPack_RemoteConnect_Modicon_M580_M340.pdf\u0026p_Doc_Ref=SEVD-2021-194-01"
}
]
}
GHSA-979H-W3GC-XRMQ
Vulnerability from github – Published: 2022-05-24 22:28 – Updated: 2022-05-24 22:28
VLAI?
Details
A CWE-269: Improper Privilege Management vulnerability exists in EnerlinÕX ComÕX versions prior to V6.8.4 that could cause disclosure of device configuration information to any authenticated user when a specially crafted request is sent to the device.
{
"affected": [],
"aliases": [
"CVE-2021-22769"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-06-11T16:15:00Z",
"severity": "MODERATE"
},
"details": "A CWE-269: Improper Privilege Management vulnerability exists in Enerlin\u00d5X Com\u00d5X versions prior to V6.8.4 that could cause disclosure of device configuration information to any authenticated user when a specially crafted request is sent to the device.",
"id": "GHSA-979h-w3gc-xrmq",
"modified": "2022-05-24T22:28:29Z",
"published": "2022-05-24T22:28:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22769"
},
{
"type": "WEB",
"url": "http://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-159-06"
}
],
"schema_version": "1.4.0",
"severity": []
}
FKIE_CVE-2021-22769
Vulnerability from fkie_nvd - Published: 2021-06-11 16:15 - Updated: 2024-11-21 05:50
Severity ?
Summary
A CWE-552: Files or Directories Accessible to External Parties vulnerability exists in Easergy T300 with firmware V2.7.1 and older that could expose files or directory content when access from an attacker is not restricted or incorrectly restricted.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| schneider-electric | easergy_t300_firmware | * | |
| schneider-electric | easergy_t300 | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:schneider-electric:easergy_t300_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E07AFED6-47CC-4A19-80DB-C537F4F07736",
"versionEndIncluding": "2.7.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:schneider-electric:easergy_t300:-:*:*:*:*:*:*:*",
"matchCriteriaId": "45E6C3FA-001D-449A-A512-327FA0C9AC5A",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A CWE-552: Files or Directories Accessible to External Parties vulnerability exists in Easergy T300 with firmware V2.7.1 and older that could expose files or directory content when access from an attacker is not restricted or incorrectly restricted."
},
{
"lang": "es",
"value": "Un CWE-552: Archivos o directorios accesibles a partes externas en el Easergy T300 con firmware versi\u00f3n V2.7.1 y anterior que podr\u00eda exponer el contenido de archivos o directorios cuando el acceso de un atacante no est\u00e1 restringido o est\u00e1 restringido incorrectamente."
}
],
"id": "CVE-2021-22769",
"lastModified": "2024-11-21T05:50:37.887",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-06-11T16:15:10.730",
"references": [
{
"source": "cybersecurity@se.com",
"tags": [
"Vendor Advisory"
],
"url": "http://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-194-02"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-194-02"
}
],
"sourceIdentifier": "cybersecurity@se.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-552"
}
],
"source": "cybersecurity@se.com",
"type": "Primary"
}
]
}
GSD-2021-22769
Vulnerability from gsd - Updated: 2023-12-13 01:23Details
A CWE-552: Files or Directories Accessible to External Parties vulnerability exists in Easergy T300 with firmware V2.7.1 and older that could expose files or directory content when access from an attacker is not restricted or incorrectly restricted.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2021-22769",
"description": "A CWE-552: Files or Directories Accessible to External Parties vulnerability exists in Easergy T300 with firmware V2.7.1 and older that could expose files or directory content when access from an attacker is not restricted or incorrectly restricted.",
"id": "GSD-2021-22769"
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2021-22769"
],
"details": "A CWE-552: Files or Directories Accessible to External Parties vulnerability exists in Easergy T300 with firmware V2.7.1 and older that could expose files or directory content when access from an attacker is not restricted or incorrectly restricted.",
"id": "GSD-2021-22769",
"modified": "2023-12-13T01:23:24.871251Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "cybersecurity@schneider-electric.com",
"ID": "CVE-2021-22769",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Easergy T300 with firmware V2.7.1 and older",
"version": {
"version_data": [
{
"version_value": "Easergy T300 with firmware V2.7.1 and older"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A CWE-552: Files or Directories Accessible to External Parties vulnerability exists in Easergy T300 with firmware V2.7.1 and older that could expose files or directory content when access from an attacker is not restricted or incorrectly restricted."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-552: Files or Directories Accessible to External Parties"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-194-02",
"refsource": "MISC",
"url": "http://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-194-02"
}
]
}
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:schneider-electric:easergy_t300_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "2.7.1",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:schneider-electric:easergy_t300:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "cybersecurity@schneider-electric.com",
"ID": "CVE-2021-22769"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "A CWE-552: Files or Directories Accessible to External Parties vulnerability exists in Easergy T300 with firmware V2.7.1 and older that could expose files or directory content when access from an attacker is not restricted or incorrectly restricted."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-552"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-194-02",
"refsource": "MISC",
"tags": [
"Vendor Advisory"
],
"url": "http://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-194-02"
}
]
}
},
"impact": {
"baseMetricV2": {
"acInsufInfo": false,
"cvssV2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": false
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4
}
},
"lastModifiedDate": "2021-09-20T13:51Z",
"publishedDate": "2021-06-11T16:15Z"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…