Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2021-29240 (GCVE-0-2021-29240)
Vulnerability from cvelistv5 – Published: 2021-05-04 11:00 – Updated: 2024-08-03 22:02
VLAI?
EPSS
Summary
The Package Manager of CODESYS Development System 3 before 3.5.17.0 does not check the validity of packages before installation and may be used to install CODESYS packages with malicious content.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T22:02:51.460Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://customers.codesys.com/index.php"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.codesys.com/security/security-reports.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://customers.codesys.com/index.php?eID=dumpFile\u0026t=f\u0026f=14636\u0026token=1ce7e6e4cbe4651989ede418450d7c82e972bdf2\u0026download="
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The Package Manager of CODESYS Development System 3 before 3.5.17.0 does not check the validity of packages before installation and may be used to install CODESYS packages with malicious content."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-05-04T11:00:38",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://customers.codesys.com/index.php"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.codesys.com/security/security-reports.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://customers.codesys.com/index.php?eID=dumpFile\u0026t=f\u0026f=14636\u0026token=1ce7e6e4cbe4651989ede418450d7c82e972bdf2\u0026download="
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-29240",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Package Manager of CODESYS Development System 3 before 3.5.17.0 does not check the validity of packages before installation and may be used to install CODESYS packages with malicious content."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://customers.codesys.com/index.php",
"refsource": "MISC",
"url": "https://customers.codesys.com/index.php"
},
{
"name": "https://www.codesys.com/security/security-reports.html",
"refsource": "MISC",
"url": "https://www.codesys.com/security/security-reports.html"
},
{
"name": "https://customers.codesys.com/index.php?eID=dumpFile\u0026t=f\u0026f=14636\u0026token=1ce7e6e4cbe4651989ede418450d7c82e972bdf2\u0026download=",
"refsource": "MISC",
"url": "https://customers.codesys.com/index.php?eID=dumpFile\u0026t=f\u0026f=14636\u0026token=1ce7e6e4cbe4651989ede418450d7c82e972bdf2\u0026download="
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-29240",
"datePublished": "2021-05-04T11:00:38",
"dateReserved": "2021-03-25T00:00:00",
"dateUpdated": "2024-08-03T22:02:51.460Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:codesys:development_system:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"3.0\", \"versionEndExcluding\": \"3.5.17.0\", \"matchCriteriaId\": \"4FB937AD-5DBA-4C0D-87A4-C6E141AA0A1A\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"The Package Manager of CODESYS Development System 3 before 3.5.17.0 does not check the validity of packages before installation and may be used to install CODESYS packages with malicious content.\"}, {\"lang\": \"es\", \"value\": \"El Administrador de Paquetes de CODESYS Development System 3 versiones anteriores a 3.5.17.0, no comprueba la validez de los paquetes antes de la instalaci\\u00f3n y puede ser usado para instalar paquetes CODESYS con contenido malicioso\"}]",
"id": "CVE-2021-29240",
"lastModified": "2024-11-21T06:00:51.667",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\", \"baseScore\": 7.8, \"baseSeverity\": \"HIGH\", \"attackVector\": \"LOCAL\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 1.8, \"impactScore\": 5.9}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:M/Au:N/C:P/I:P/A:P\", \"baseScore\": 6.8, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"MEDIUM\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 8.6, \"impactScore\": 6.4, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": true}]}",
"published": "2021-05-04T12:15:16.617",
"references": "[{\"url\": \"https://customers.codesys.com/index.php\", \"source\": \"cve@mitre.org\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://customers.codesys.com/index.php?eID=dumpFile\u0026t=f\u0026f=14636\u0026token=1ce7e6e4cbe4651989ede418450d7c82e972bdf2\u0026download=\", \"source\": \"cve@mitre.org\", \"tags\": [\"Exploit\", \"Vendor Advisory\"]}, {\"url\": \"https://www.codesys.com/security/security-reports.html\", \"source\": \"cve@mitre.org\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://customers.codesys.com/index.php\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://customers.codesys.com/index.php?eID=dumpFile\u0026t=f\u0026f=14636\u0026token=1ce7e6e4cbe4651989ede418450d7c82e972bdf2\u0026download=\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Vendor Advisory\"]}, {\"url\": \"https://www.codesys.com/security/security-reports.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}]",
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"NVD-CWE-noinfo\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2021-29240\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2021-05-04T12:15:16.617\",\"lastModified\":\"2024-11-21T06:00:51.667\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The Package Manager of CODESYS Development System 3 before 3.5.17.0 does not check the validity of packages before installation and may be used to install CODESYS packages with malicious content.\"},{\"lang\":\"es\",\"value\":\"El Administrador de Paquetes de CODESYS Development System 3 versiones anteriores a 3.5.17.0, no comprueba la validez de los paquetes antes de la instalaci\u00f3n y puede ser usado para instalar paquetes CODESYS con contenido malicioso\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\",\"baseScore\":7.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:P/I:P/A:P\",\"baseScore\":6.8,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:codesys:development_system:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"3.0\",\"versionEndExcluding\":\"3.5.17.0\",\"matchCriteriaId\":\"4FB937AD-5DBA-4C0D-87A4-C6E141AA0A1A\"}]}]}],\"references\":[{\"url\":\"https://customers.codesys.com/index.php\",\"source\":\"cve@mitre.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://customers.codesys.com/index.php?eID=dumpFile\u0026t=f\u0026f=14636\u0026token=1ce7e6e4cbe4651989ede418450d7c82e972bdf2\u0026download=\",\"source\":\"cve@mitre.org\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]},{\"url\":\"https://www.codesys.com/security/security-reports.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://customers.codesys.com/index.php\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://customers.codesys.com/index.php?eID=dumpFile\u0026t=f\u0026f=14636\u0026token=1ce7e6e4cbe4651989ede418450d7c82e972bdf2\u0026download=\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]},{\"url\":\"https://www.codesys.com/security/security-reports.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}"
}
}
FKIE_CVE-2021-29240
Vulnerability from fkie_nvd - Published: 2021-05-04 12:15 - Updated: 2024-11-21 06:00
Severity ?
Summary
The Package Manager of CODESYS Development System 3 before 3.5.17.0 does not check the validity of packages before installation and may be used to install CODESYS packages with malicious content.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| codesys | development_system | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:codesys:development_system:*:*:*:*:*:*:*:*",
"matchCriteriaId": "4FB937AD-5DBA-4C0D-87A4-C6E141AA0A1A",
"versionEndExcluding": "3.5.17.0",
"versionStartIncluding": "3.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Package Manager of CODESYS Development System 3 before 3.5.17.0 does not check the validity of packages before installation and may be used to install CODESYS packages with malicious content."
},
{
"lang": "es",
"value": "El Administrador de Paquetes de CODESYS Development System 3 versiones anteriores a 3.5.17.0, no comprueba la validez de los paquetes antes de la instalaci\u00f3n y puede ser usado para instalar paquetes CODESYS con contenido malicioso"
}
],
"id": "CVE-2021-29240",
"lastModified": "2024-11-21T06:00:51.667",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-05-04T12:15:16.617",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://customers.codesys.com/index.php"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://customers.codesys.com/index.php?eID=dumpFile\u0026t=f\u0026f=14636\u0026token=1ce7e6e4cbe4651989ede418450d7c82e972bdf2\u0026download="
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://www.codesys.com/security/security-reports.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://customers.codesys.com/index.php"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://customers.codesys.com/index.php?eID=dumpFile\u0026t=f\u0026f=14636\u0026token=1ce7e6e4cbe4651989ede418450d7c82e972bdf2\u0026download="
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://www.codesys.com/security/security-reports.html"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CERTFR-2022-AVI-628
Vulnerability from certfr_avis - Published: - Updated:
De multiples vulnérabilités ont été découvertes dans les produits Schneider Electric. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un déni de service à distance et un contournement de la politique de sécurité.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Schneider Electric | N/A | SpaceLogic C-Bus Home Controller (5200WHC2), C-Bus Wiser Homer Controller MK2 versions antérieures à 4.14.0 (PICED_V4.14.0 Programming Interface for C-Bus Embedded Devices version V4.14.0) | ||
| Schneider Electric | N/A | X80 advanced RTU Communication Module (BMENOR2200H) versions antérieures à 2.01 | ||
| Schneider Electric | N/A | IGSS Data Server versions antérieures à 15.0.0.22074 | ||
| Schneider Electric | N/A | SCADAPack RemoteConnect for x70 versions antérieures à R2.7.3 | ||
| Schneider Electric | N/A | Micrologiciels Easergy P5 versions antérieures à 01.401.102 | ||
| Schneider Electric | N/A | Acti9 PowerTag Link C (A9XELC10-B) versions antérieures à 2.14.0 | ||
| Schneider Electric | N/A | OPC UA Modicon Communication Module (BMENUA0100) versions 1.10 et antérieures | ||
| Schneider Electric | N/A | Acti9 PowerTag Link C (A9XELC10-A) versions antérieures à 2.14.0 | ||
| Schneider Electric | N/A | EcoStruxure Machine Expert versions antérieures à 2.0.3 | ||
| Schneider Electric | N/A | Micrologiciels Smart-UPS SCL, SRT, SRC, & XU Series versions antérieures à 15.0 |
References
| Title | Publication Time | Tags | ||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "SpaceLogic C-Bus Home Controller (5200WHC2), C-Bus Wiser Homer Controller MK2 versions ant\u00e9rieures \u00e0 4.14.0 (PICED_V4.14.0 Programming Interface for C-Bus Embedded Devices version V4.14.0)",
"product": {
"name": "N/A",
"vendor": {
"name": "Schneider Electric",
"scada": true
}
}
},
{
"description": "X80 advanced RTU Communication Module (BMENOR2200H) versions ant\u00e9rieures \u00e0 2.01",
"product": {
"name": "N/A",
"vendor": {
"name": "Schneider Electric",
"scada": true
}
}
},
{
"description": "IGSS Data Server versions ant\u00e9rieures \u00e0 15.0.0.22074",
"product": {
"name": "N/A",
"vendor": {
"name": "Schneider Electric",
"scada": true
}
}
},
{
"description": "SCADAPack RemoteConnect for x70 versions ant\u00e9rieures \u00e0 R2.7.3",
"product": {
"name": "N/A",
"vendor": {
"name": "Schneider Electric",
"scada": true
}
}
},
{
"description": "Micrologiciels Easergy P5 versions ant\u00e9rieures \u00e0 01.401.102",
"product": {
"name": "N/A",
"vendor": {
"name": "Schneider Electric",
"scada": true
}
}
},
{
"description": "Acti9 PowerTag Link C (A9XELC10-B) versions ant\u00e9rieures \u00e0 2.14.0",
"product": {
"name": "N/A",
"vendor": {
"name": "Schneider Electric",
"scada": true
}
}
},
{
"description": "OPC UA Modicon Communication Module (BMENUA0100) versions 1.10 et ant\u00e9rieures",
"product": {
"name": "N/A",
"vendor": {
"name": "Schneider Electric",
"scada": true
}
}
},
{
"description": "Acti9 PowerTag Link C (A9XELC10-A) versions ant\u00e9rieures \u00e0 2.14.0",
"product": {
"name": "N/A",
"vendor": {
"name": "Schneider Electric",
"scada": true
}
}
},
{
"description": "EcoStruxure Machine Expert versions ant\u00e9rieures \u00e0 2.0.3",
"product": {
"name": "N/A",
"vendor": {
"name": "Schneider Electric",
"scada": true
}
}
},
{
"description": "Micrologiciels Smart-UPS SCL, SRT, SRC, \u0026 XU Series versions ant\u00e9rieures \u00e0 15.0",
"product": {
"name": "N/A",
"vendor": {
"name": "Schneider Electric",
"scada": true
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2022-2329",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-2329"
},
{
"name": "CVE-2021-21814",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21814"
},
{
"name": "CVE-2021-21869",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21869"
},
{
"name": "CVE-2022-34760",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-34760"
},
{
"name": "CVE-2021-21830",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21830"
},
{
"name": "CVE-2021-21866",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21866"
},
{
"name": "CVE-2021-22797",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22797"
},
{
"name": "CVE-2022-34753",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-34753"
},
{
"name": "CVE-2022-34762",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-34762"
},
{
"name": "CVE-2022-34758",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-34758"
},
{
"name": "CVE-2021-22779",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22779"
},
{
"name": "CVE-2021-22781",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22781"
},
{
"name": "CVE-2021-22780",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22780"
},
{
"name": "CVE-2021-21828",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21828"
},
{
"name": "CVE-2021-21810",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21810"
},
{
"name": "CVE-2021-21813",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21813"
},
{
"name": "CVE-2022-34761",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-34761"
},
{
"name": "CVE-2022-22806",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-22806"
},
{
"name": "CVE-2021-21825",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21825"
},
{
"name": "CVE-2022-34759",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-34759"
},
{
"name": "CVE-2022-34757",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-34757"
},
{
"name": "CVE-2021-21829",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21829"
},
{
"name": "CVE-2021-21863",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21863"
},
{
"name": "CVE-2022-34754",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-34754"
},
{
"name": "CVE-2021-22782",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22782"
},
{
"name": "CVE-2021-22778",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22778"
},
{
"name": "CVE-2022-34764",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-34764"
},
{
"name": "CVE-2022-0715",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-0715"
},
{
"name": "CVE-2021-21865",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21865"
},
{
"name": "CVE-2022-34763",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-34763"
},
{
"name": "CVE-2021-21867",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21867"
},
{
"name": "CVE-2022-34756",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-34756"
},
{
"name": "CVE-2021-21826",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21826"
},
{
"name": "CVE-2021-21812",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21812"
},
{
"name": "CVE-2021-21827",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21827"
},
{
"name": "CVE-2022-22805",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-22805"
},
{
"name": "CVE-2022-26507",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-26507"
},
{
"name": "CVE-2021-29241",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-29241"
},
{
"name": "CVE-2022-34765",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-34765"
},
{
"name": "CVE-2021-21815",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21815"
},
{
"name": "CVE-2021-21811",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21811"
},
{
"name": "CVE-2020-12525",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-12525"
},
{
"name": "CVE-2021-29240",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-29240"
},
{
"name": "CVE-2021-21864",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21864"
},
{
"name": "CVE-2022-24324",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-24324"
},
{
"name": "CVE-2021-21868",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21868"
},
{
"name": "CVE-2021-33485",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-33485"
}
],
"links": [],
"reference": "CERTFR-2022-AVI-628",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2022-07-12T00:00:00.000000"
},
{
"description": "Mise \u00e0 jour des liens",
"revision_date": "2022-08-22T00:00:00.000000"
},
{
"description": "Mise \u00e0 jour des liens",
"revision_date": "2022-08-22T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits\nSchneider Electric. Certaines d\u0027entre elles permettent \u00e0 un attaquant de\nprovoquer une ex\u00e9cution de code arbitraire \u00e0 distance, un d\u00e9ni de\nservice \u00e0 distance et un contournement de la politique de s\u00e9curit\u00e9.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Schneider Electric",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Schneider Electric SEVD-2021-194-01 du 12 juillet 2022",
"url": "https://download.schneider-electric.com/files?p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2021-194-01_EcoStruxure_Control_Expert_Process_Expert_SCADAPack_RemoteConnect_Modicon_M580_M340_V4.0.pdf"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Schneider Electric SEVD-2022-193-02 du 12 juillet 2022",
"url": "https://download.schneider-electric.com/files?p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2022-193-02_SpaceLogic-C-Bus-Home-Controller-Wiser_MK2_Security_Notification.pdf"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Schneider Electric SEVD-2022-193-01 du 12 juillet 2022",
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-193-01\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2022-193-01_OPC_UA_X80_Advanced_RTU_Modicon_Communication_Modules_Security_Notification_V3.0.pdf"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Schneider Electric SEVD-2022-193-03 du 12 juillet 2022",
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-193-03\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2022-193-03_Acti9_PowerTag_Link_C_Security_Notification.pdf"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Schneider Electric SEVD-2022-011-06 du 12 juillet 2022",
"url": "https://download.schneider-electric.com/files?p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2022-011-06_CODESYSV3_Runtime_Development_System_and_Gateway_Security_Notification.pdf"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Schneider Electric SEVD-2021-257-01 du 12 juillet 2022",
"url": "https://download.schneider-electric.com/files?p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2021-257-01_EcoStruxure_Control_Expert_EcoStruxure_Process_Expert_SCADAPack_Security_Notification_V3.0.pdf"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Schneider Electric SEVD-2022-067-02 du 12 juillet 2022",
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-067-02\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2022-067-02_APC-Smart-UPS_Security_Notification_V6.0.pdf"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Schneider Electric SEVD-2022-102-01 du 12 juillet 2022",
"url": "https://download.schneider-electric.com/files?p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2022-102-01_IGSS_Security_Notification_V2.0.pdf"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Schneider Electric SEVD-2022-193-04 du 12 juillet 2022",
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-193-04\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2022-193-04_Easergy_P5_Security_Notification.pdf"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Schneider Electric SEVD-2021-222-02 du 12 juillet 2022",
"url": "https://download.schneider-electric.com/files?p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2021-222-02_AT%26T_Labs-XMILX_DEMILL_Eco_Struxure_Control_ExpertEco_Struxure_Process_Expert_SCADA_Pack_RemoteConnect_x70_Security_Notification_V4.0.pdf"
}
]
}
CERTFR-2022-AVI-017
Vulnerability from certfr_avis - Published: - Updated:
De multiples vulnérabilités ont été découvertes dans les produits Schneider. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire, un déni de service à distance et un contournement de la politique de sécurité.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| N/A | N/A | Easergy P5, versions antérieures à 01.401.101, se référer aux informations fournies par l'éditeur pour appliquer les mesures de contournement | ||
| N/A | N/A | ConneXium Tofino Firewall TCSEFEA23F3F20 et 21, toutes versions. Ces produits ne sont plus maintenus par l'éditeur qui incite fortement à mettre à jour vers la gamme TCSEFA23F3F22 | ||
| Schneider Electric | N/A | ConneXium Tofino OPC-LSM TCSEFM0000, versions antérieures à 03.23 | ||
| N/A | N/A | CODESYS V3, vérifier l'avis SEVD-2022-011-06 pour identifier les périphériques utilisant ce système d'exploitation et appliquer les mesures de contournement suggérées par l'éditeur | ||
| N/A | N/A | Easergy T300, versions antérieures à 2.7.1 | ||
| Schneider Electric | N/A | Easergy P3, versions antérieures à 30.205, se référer aux informations fournies par l'éditeur pour appliquer les mesures de contournement | ||
| Schneider Electric | N/A | EcoStruxure Power Monitoring Expert 2020, versions antérieures à 2020 CU3 sans le composant Floating License Manager 2.7 | ||
| Schneider Electric | N/A | ConneXium Tofino Firewall TCSEFEA23F3F22, versions antérieures à 03.23 | ||
| Schneider Electric | Modicon M340 | Modicon M340 Quantum et Premium Quantum CPUs, vérifier l'avis SEVD-2022-011-01 pour identifier les autres systèmes Modicon vulnérables et appliquer les mesures de contournement suggérées par l'éditeur | ||
| Schneider Electric | N/A | EcoStruxure Power Monitoring Expert 9.0, toutes versions. Ces produits ne sont plus maintenus par l'éditeur qui incite fortement à mettre à jour vers la gamme Power Monitoring Expert 2021 |
References
| Title | Publication Time | Tags | |||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Easergy P5, versions ant\u00e9rieures \u00e0 01.401.101, se r\u00e9f\u00e9rer aux informations fournies par l\u0027\u00e9diteur pour appliquer les mesures de contournement",
"product": {
"name": "N/A",
"vendor": {
"name": "N/A",
"scada": false
}
}
},
{
"description": "ConneXium Tofino Firewall TCSEFEA23F3F20 et 21, toutes versions. Ces produits ne sont plus maintenus par l\u0027\u00e9diteur qui incite fortement \u00e0 mettre \u00e0 jour vers la gamme TCSEFA23F3F22",
"product": {
"name": "N/A",
"vendor": {
"name": "N/A",
"scada": false
}
}
},
{
"description": "ConneXium Tofino OPC-LSM TCSEFM0000, versions ant\u00e9rieures \u00e0 03.23",
"product": {
"name": "N/A",
"vendor": {
"name": "Schneider Electric",
"scada": true
}
}
},
{
"description": "CODESYS V3, v\u00e9rifier l\u0027avis SEVD-2022-011-06 pour identifier les p\u00e9riph\u00e9riques utilisant ce syst\u00e8me d\u0027exploitation et appliquer les mesures de contournement sugg\u00e9r\u00e9es par l\u0027\u00e9diteur",
"product": {
"name": "N/A",
"vendor": {
"name": "N/A",
"scada": false
}
}
},
{
"description": "Easergy T300, versions ant\u00e9rieures \u00e0 2.7.1",
"product": {
"name": "N/A",
"vendor": {
"name": "N/A",
"scada": false
}
}
},
{
"description": "Easergy P3, versions ant\u00e9rieures \u00e0 30.205, se r\u00e9f\u00e9rer aux informations fournies par l\u0027\u00e9diteur pour appliquer les mesures de contournement",
"product": {
"name": "N/A",
"vendor": {
"name": "Schneider Electric",
"scada": true
}
}
},
{
"description": "EcoStruxure Power Monitoring Expert 2020, versions ant\u00e9rieures \u00e0 2020 CU3 sans le composant Floating License Manager 2.7",
"product": {
"name": "N/A",
"vendor": {
"name": "Schneider Electric",
"scada": true
}
}
},
{
"description": "ConneXium Tofino Firewall TCSEFEA23F3F22, versions ant\u00e9rieures \u00e0 03.23",
"product": {
"name": "N/A",
"vendor": {
"name": "Schneider Electric",
"scada": true
}
}
},
{
"description": "Modicon M340 Quantum et Premium Quantum CPUs, v\u00e9rifier l\u0027avis SEVD-2022-011-01 pour identifier les autres syst\u00e8mes Modicon vuln\u00e9rables et appliquer les mesures de contournement sugg\u00e9r\u00e9es par l\u0027\u00e9diteur",
"product": {
"name": "Modicon M340",
"vendor": {
"name": "Schneider Electric",
"scada": true
}
}
},
{
"description": "EcoStruxure Power Monitoring Expert 9.0, toutes versions. Ces produits ne sont plus maintenus par l\u0027\u00e9diteur qui incite fortement \u00e0 mettre \u00e0 jour vers la gamme Power Monitoring Expert 2021",
"product": {
"name": "N/A",
"vendor": {
"name": "Schneider Electric",
"scada": true
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2022-22723",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-22723"
},
{
"name": "CVE-2021-21869",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21869"
},
{
"name": "CVE-2021-21866",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21866"
},
{
"name": "CVE-2021-30066",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-30066"
},
{
"name": "CVE-2021-30064",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-30064"
},
{
"name": "CVE-2022-22724",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-22724"
},
{
"name": "CVE-2019-8963",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-8963"
},
{
"name": "CVE-2021-30063",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-30063"
},
{
"name": "CVE-2021-30061",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-30061"
},
{
"name": "CVE-2021-21863",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21863"
},
{
"name": "CVE-2022-22722",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-22722"
},
{
"name": "CVE-2021-21865",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21865"
},
{
"name": "CVE-2020-7534",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-7534"
},
{
"name": "CVE-2021-21867",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21867"
},
{
"name": "CVE-2022-22804",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-22804"
},
{
"name": "CVE-2021-30062",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-30062"
},
{
"name": "CVE-2022-22726",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-22726"
},
{
"name": "CVE-2022-22725",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-22725"
},
{
"name": "CVE-2021-29241",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-29241"
},
{
"name": "CVE-2020-8597",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-8597"
},
{
"name": "CVE-2021-29240",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-29240"
},
{
"name": "CVE-2022-22727",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-22727"
},
{
"name": "CVE-2021-21864",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21864"
},
{
"name": "CVE-2021-21868",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21868"
},
{
"name": "CVE-2021-30065",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-30065"
},
{
"name": "CVE-2021-33485",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-33485"
}
],
"links": [],
"reference": "CERTFR-2022-AVI-017",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2022-01-11T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Ex\u00e9cution de code arbitraire"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits\nSchneider. Certaines d\u0027entre elles permettent \u00e0 un attaquant de\nprovoquer une ex\u00e9cution de code arbitraire, un d\u00e9ni de service \u00e0\ndistance et un contournement de la politique de s\u00e9curit\u00e9.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Schneider",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Schneider SEVD-2022-011-07 du 11 janvier 2022",
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-011-07"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Schneider SEVD-2022-011-03 du 11 janvier 2022",
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-011-03"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Schneider SEVD-2022-011-04 du 11 janvier 2022",
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-011-04"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Schneider SEVD-2022-011-01 du 11 janvier 2022",
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-011-01"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Schneider SEVD-2022-011-02 du 11 janvier 2022",
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-011-02"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Schneider SEVD-2022-011-05 du 11 janvier 2022",
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-011-05"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Schneider SEVD-2022-011-06 du 11 janvier 2022",
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-011-06"
}
]
}
CERTFR-2022-AVI-123
Vulnerability from certfr_avis - Published: - Updated:
De multiples vulnérabilités ont été découvertes dans les produits Schneider. Elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un déni de service à distance et une atteinte à la confidentialité des données.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
IGSS Data Server versions antérieures à V15.0.0.22021
EcoStruxure EV Charging Expert versions antérieures à V4.0.0.13 SP8 (Version 01)
Easergy P40 Series model numbers avec option Ethernet (produit ayant le code Q, R, S)
spaceLYnk versions antérieures à 2.7.0
Wiser for KNX product versions antérieures à 2.7.0
fellerLYnk product versions antérieures à 2.7.0
EcoStruxure Geo SCADA Expert versions antérieures à 2021
ClearSCADA versions antérieures à 2017 R3 August 2021 Monthly Update.
Harmony/Magelis iPC Series sans le correctif fourni avec Vijeo Designer version V6.2 SP11 Multi HotFix 4
Vijeo Designer versions antérieures à V6.2 SP11 Multi HotFix 4
Vijeo Designer Basic versions antérieures à v1.2.1
M241/M251 toutes versions
EcoStruxure Machine Expert toutes versions
Harmony/Magelis modèles HMISTU, HMIGTO, HMIGTU, HMIGTUX, HMIGK, HMISCU
Eurotherm E+PLC100 toutes versions
Eurotherm E+PLC400 toutes versions
Eurotherm E+PLC tools toutes versions
Easy Harmony ET6 (HMIET) sans le correctif fourni avec Vijeo Designer Basic version V1.2.1
Easy Harmony GXU (HMIGXU) sans le correctif fourni avec Vijeo Designer Basic version V1.2.1
Harmony/ Magelis modèles HMIGTU, HMIGTUX, HMIGK sans le correctif fourni avec Vijeo Designer version V6.2 SP11 Multi HotFix 4
Modicon M241/M251 Logic Controllers versions antérieures à V5.1.9.34
Modicon M262 Logic Controllers versions antérieures à V5.1.6.1
Easergy MiCOM P30 versions 660 -674
Easergy MiCOM P40 toutes versions
Impacted products
| Vendor | Product | Description |
|---|
References
| Title | Publication Time | Tags | |||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [],
"affected_systems_content": "\u003cp\u003eIGSS Data Server versions ant\u00e9rieures \u00e0 V15.0.0.22021\u003cbr /\u003e EcoStruxure EV Charging Expert versions ant\u00e9rieures \u00e0 V4.0.0.13 SP8 (Version 01)\u003cbr /\u003e Easergy P40 Series model numbers avec option Ethernet (produit ayant le code Q, R, S)\u003cbr /\u003e spaceLYnk versions ant\u00e9rieures \u00e0 2.7.0\u003cbr /\u003e Wiser for KNX product versions ant\u00e9rieures \u00e0 2.7.0\u003cbr /\u003e fellerLYnk product versions ant\u00e9rieures \u00e0 2.7.0\u003cbr /\u003e EcoStruxure Geo SCADA Expert versions ant\u00e9rieures \u00e0 2021\u003cbr /\u003e ClearSCADA versions ant\u00e9rieures \u00e0 2017 R3 August 2021 Monthly Update.\u003cbr /\u003e Harmony/Magelis iPC Series sans le correctif fourni avec Vijeo Designer version V6.2 SP11 Multi HotFix 4\u003cbr /\u003e Vijeo Designer versions ant\u00e9rieures \u00e0 V6.2 SP11 Multi HotFix 4\u003cbr /\u003e Vijeo Designer Basic versions ant\u00e9rieures \u00e0 v1.2.1\u003cbr /\u003e M241/M251 toutes versions\u003cbr /\u003e EcoStruxure Machine Expert toutes versions\u003cbr /\u003e Harmony/Magelis mod\u00e8les HMISTU, HMIGTO, HMIGTU, HMIGTUX, HMIGK, HMISCU\u003cbr /\u003e Eurotherm E+PLC100 toutes versions\u003cbr /\u003e Eurotherm E+PLC400 toutes versions\u003cbr /\u003e Eurotherm E+PLC tools toutes versions\u003cbr /\u003e Easy Harmony ET6 (HMIET) sans le correctif fourni avec Vijeo Designer Basic version V1.2.1\u003cbr /\u003e Easy Harmony GXU (HMIGXU) sans le correctif fourni avec Vijeo Designer Basic version V1.2.1\u003cbr /\u003e Harmony/ Magelis mod\u00e8les HMIGTU, HMIGTUX, HMIGK sans le correctif fourni avec Vijeo Designer version V6.2 SP11 Multi HotFix 4\u003cbr /\u003e Modicon M241/M251 Logic Controllers versions ant\u00e9rieures \u00e0 V5.1.9.34\u003cbr /\u003e Modicon M262 Logic Controllers versions ant\u00e9rieures \u00e0 V5.1.6.1\u003cbr /\u003e Easergy MiCOM P30 versions 660 -674\u003cbr /\u003e Easergy MiCOM P40 toutes versions\u003c/p\u003e ",
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2021-22817",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22817"
},
{
"name": "CVE-2022-22812",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-22812"
},
{
"name": "CVE-2022-24312",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-24312"
},
{
"name": "CVE-2020-35198",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-35198"
},
{
"name": "CVE-2022-24316",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-24316"
},
{
"name": "CVE-2022-24314",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-24314"
},
{
"name": "CVE-2022-24320",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-24320"
},
{
"name": "CVE-2022-22811",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-22811"
},
{
"name": "CVE-2022-24321",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-24321"
},
{
"name": "CVE-2022-22810",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-22810"
},
{
"name": "CVE-2022-24310",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-24310"
},
{
"name": "CVE-2022-24311",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-24311"
},
{
"name": "CVE-2022-24318",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-24318"
},
{
"name": "CVE-2022-22813",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-22813"
},
{
"name": "CVE-2022-24313",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-24313"
},
{
"name": "CVE-2022-24319",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-24319"
},
{
"name": "CVE-2022-24315",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-24315"
},
{
"name": "CVE-2022-22809",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-22809"
},
{
"name": "CVE-2022-22808",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-22808"
},
{
"name": "CVE-2020-28895",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-28895"
},
{
"name": "CVE-2022-24317",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-24317"
},
{
"name": "CVE-2021-29240",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-29240"
},
{
"name": "CVE-2022-22807",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-22807"
}
],
"links": [],
"reference": "CERTFR-2022-AVI-123",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2022-02-09T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
},
{
"description": "Injection de requ\u00eates ill\u00e9gitimes par rebond (CSRF)"
},
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits\nSchneider. Elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de\ncode arbitraire \u00e0 distance, un d\u00e9ni de service \u00e0 distance et une\natteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Schneider",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Schneider SEVD-2022-039-01 du 08 f\u00e9vrier 2022",
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-039-01"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Schneider SEVD-2022-039-04 du 08 f\u00e9vrier 2022",
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-039-04"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Schneider SEVD-2021-313-05 du 09 novembre 2021",
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-313-05"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Schneider SEVD-2022-039-05 du 08 f\u00e9vrier 2022",
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-039-05"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Schneider SEVD-2022-039-03 du 08 f\u00e9vrier 2022",
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-039-03"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Schneider SEVD-2022-039-06 du 08 f\u00e9vrier 2022",
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-039-06"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Schneider SEVD-2022-039-02 du 08 f\u00e9vrier 2022",
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-039-02"
}
]
}
CERTFR-2022-AVI-123
Vulnerability from certfr_avis - Published: - Updated:
De multiples vulnérabilités ont été découvertes dans les produits Schneider. Elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un déni de service à distance et une atteinte à la confidentialité des données.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
IGSS Data Server versions antérieures à V15.0.0.22021
EcoStruxure EV Charging Expert versions antérieures à V4.0.0.13 SP8 (Version 01)
Easergy P40 Series model numbers avec option Ethernet (produit ayant le code Q, R, S)
spaceLYnk versions antérieures à 2.7.0
Wiser for KNX product versions antérieures à 2.7.0
fellerLYnk product versions antérieures à 2.7.0
EcoStruxure Geo SCADA Expert versions antérieures à 2021
ClearSCADA versions antérieures à 2017 R3 August 2021 Monthly Update.
Harmony/Magelis iPC Series sans le correctif fourni avec Vijeo Designer version V6.2 SP11 Multi HotFix 4
Vijeo Designer versions antérieures à V6.2 SP11 Multi HotFix 4
Vijeo Designer Basic versions antérieures à v1.2.1
M241/M251 toutes versions
EcoStruxure Machine Expert toutes versions
Harmony/Magelis modèles HMISTU, HMIGTO, HMIGTU, HMIGTUX, HMIGK, HMISCU
Eurotherm E+PLC100 toutes versions
Eurotherm E+PLC400 toutes versions
Eurotherm E+PLC tools toutes versions
Easy Harmony ET6 (HMIET) sans le correctif fourni avec Vijeo Designer Basic version V1.2.1
Easy Harmony GXU (HMIGXU) sans le correctif fourni avec Vijeo Designer Basic version V1.2.1
Harmony/ Magelis modèles HMIGTU, HMIGTUX, HMIGK sans le correctif fourni avec Vijeo Designer version V6.2 SP11 Multi HotFix 4
Modicon M241/M251 Logic Controllers versions antérieures à V5.1.9.34
Modicon M262 Logic Controllers versions antérieures à V5.1.6.1
Easergy MiCOM P30 versions 660 -674
Easergy MiCOM P40 toutes versions
Impacted products
| Vendor | Product | Description |
|---|
References
| Title | Publication Time | Tags | |||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [],
"affected_systems_content": "\u003cp\u003eIGSS Data Server versions ant\u00e9rieures \u00e0 V15.0.0.22021\u003cbr /\u003e EcoStruxure EV Charging Expert versions ant\u00e9rieures \u00e0 V4.0.0.13 SP8 (Version 01)\u003cbr /\u003e Easergy P40 Series model numbers avec option Ethernet (produit ayant le code Q, R, S)\u003cbr /\u003e spaceLYnk versions ant\u00e9rieures \u00e0 2.7.0\u003cbr /\u003e Wiser for KNX product versions ant\u00e9rieures \u00e0 2.7.0\u003cbr /\u003e fellerLYnk product versions ant\u00e9rieures \u00e0 2.7.0\u003cbr /\u003e EcoStruxure Geo SCADA Expert versions ant\u00e9rieures \u00e0 2021\u003cbr /\u003e ClearSCADA versions ant\u00e9rieures \u00e0 2017 R3 August 2021 Monthly Update.\u003cbr /\u003e Harmony/Magelis iPC Series sans le correctif fourni avec Vijeo Designer version V6.2 SP11 Multi HotFix 4\u003cbr /\u003e Vijeo Designer versions ant\u00e9rieures \u00e0 V6.2 SP11 Multi HotFix 4\u003cbr /\u003e Vijeo Designer Basic versions ant\u00e9rieures \u00e0 v1.2.1\u003cbr /\u003e M241/M251 toutes versions\u003cbr /\u003e EcoStruxure Machine Expert toutes versions\u003cbr /\u003e Harmony/Magelis mod\u00e8les HMISTU, HMIGTO, HMIGTU, HMIGTUX, HMIGK, HMISCU\u003cbr /\u003e Eurotherm E+PLC100 toutes versions\u003cbr /\u003e Eurotherm E+PLC400 toutes versions\u003cbr /\u003e Eurotherm E+PLC tools toutes versions\u003cbr /\u003e Easy Harmony ET6 (HMIET) sans le correctif fourni avec Vijeo Designer Basic version V1.2.1\u003cbr /\u003e Easy Harmony GXU (HMIGXU) sans le correctif fourni avec Vijeo Designer Basic version V1.2.1\u003cbr /\u003e Harmony/ Magelis mod\u00e8les HMIGTU, HMIGTUX, HMIGK sans le correctif fourni avec Vijeo Designer version V6.2 SP11 Multi HotFix 4\u003cbr /\u003e Modicon M241/M251 Logic Controllers versions ant\u00e9rieures \u00e0 V5.1.9.34\u003cbr /\u003e Modicon M262 Logic Controllers versions ant\u00e9rieures \u00e0 V5.1.6.1\u003cbr /\u003e Easergy MiCOM P30 versions 660 -674\u003cbr /\u003e Easergy MiCOM P40 toutes versions\u003c/p\u003e ",
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2021-22817",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22817"
},
{
"name": "CVE-2022-22812",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-22812"
},
{
"name": "CVE-2022-24312",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-24312"
},
{
"name": "CVE-2020-35198",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-35198"
},
{
"name": "CVE-2022-24316",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-24316"
},
{
"name": "CVE-2022-24314",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-24314"
},
{
"name": "CVE-2022-24320",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-24320"
},
{
"name": "CVE-2022-22811",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-22811"
},
{
"name": "CVE-2022-24321",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-24321"
},
{
"name": "CVE-2022-22810",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-22810"
},
{
"name": "CVE-2022-24310",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-24310"
},
{
"name": "CVE-2022-24311",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-24311"
},
{
"name": "CVE-2022-24318",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-24318"
},
{
"name": "CVE-2022-22813",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-22813"
},
{
"name": "CVE-2022-24313",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-24313"
},
{
"name": "CVE-2022-24319",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-24319"
},
{
"name": "CVE-2022-24315",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-24315"
},
{
"name": "CVE-2022-22809",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-22809"
},
{
"name": "CVE-2022-22808",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-22808"
},
{
"name": "CVE-2020-28895",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-28895"
},
{
"name": "CVE-2022-24317",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-24317"
},
{
"name": "CVE-2021-29240",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-29240"
},
{
"name": "CVE-2022-22807",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-22807"
}
],
"links": [],
"reference": "CERTFR-2022-AVI-123",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2022-02-09T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
},
{
"description": "Injection de requ\u00eates ill\u00e9gitimes par rebond (CSRF)"
},
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits\nSchneider. Elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de\ncode arbitraire \u00e0 distance, un d\u00e9ni de service \u00e0 distance et une\natteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Schneider",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Schneider SEVD-2022-039-01 du 08 f\u00e9vrier 2022",
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-039-01"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Schneider SEVD-2022-039-04 du 08 f\u00e9vrier 2022",
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-039-04"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Schneider SEVD-2021-313-05 du 09 novembre 2021",
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-313-05"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Schneider SEVD-2022-039-05 du 08 f\u00e9vrier 2022",
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-039-05"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Schneider SEVD-2022-039-03 du 08 f\u00e9vrier 2022",
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-039-03"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Schneider SEVD-2022-039-06 du 08 f\u00e9vrier 2022",
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-039-06"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Schneider SEVD-2022-039-02 du 08 f\u00e9vrier 2022",
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-039-02"
}
]
}
CERTFR-2022-AVI-017
Vulnerability from certfr_avis - Published: - Updated:
De multiples vulnérabilités ont été découvertes dans les produits Schneider. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire, un déni de service à distance et un contournement de la politique de sécurité.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| N/A | N/A | Easergy P5, versions antérieures à 01.401.101, se référer aux informations fournies par l'éditeur pour appliquer les mesures de contournement | ||
| N/A | N/A | ConneXium Tofino Firewall TCSEFEA23F3F20 et 21, toutes versions. Ces produits ne sont plus maintenus par l'éditeur qui incite fortement à mettre à jour vers la gamme TCSEFA23F3F22 | ||
| Schneider Electric | N/A | ConneXium Tofino OPC-LSM TCSEFM0000, versions antérieures à 03.23 | ||
| N/A | N/A | CODESYS V3, vérifier l'avis SEVD-2022-011-06 pour identifier les périphériques utilisant ce système d'exploitation et appliquer les mesures de contournement suggérées par l'éditeur | ||
| N/A | N/A | Easergy T300, versions antérieures à 2.7.1 | ||
| Schneider Electric | N/A | Easergy P3, versions antérieures à 30.205, se référer aux informations fournies par l'éditeur pour appliquer les mesures de contournement | ||
| Schneider Electric | N/A | EcoStruxure Power Monitoring Expert 2020, versions antérieures à 2020 CU3 sans le composant Floating License Manager 2.7 | ||
| Schneider Electric | N/A | ConneXium Tofino Firewall TCSEFEA23F3F22, versions antérieures à 03.23 | ||
| Schneider Electric | Modicon M340 | Modicon M340 Quantum et Premium Quantum CPUs, vérifier l'avis SEVD-2022-011-01 pour identifier les autres systèmes Modicon vulnérables et appliquer les mesures de contournement suggérées par l'éditeur | ||
| Schneider Electric | N/A | EcoStruxure Power Monitoring Expert 9.0, toutes versions. Ces produits ne sont plus maintenus par l'éditeur qui incite fortement à mettre à jour vers la gamme Power Monitoring Expert 2021 |
References
| Title | Publication Time | Tags | |||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Easergy P5, versions ant\u00e9rieures \u00e0 01.401.101, se r\u00e9f\u00e9rer aux informations fournies par l\u0027\u00e9diteur pour appliquer les mesures de contournement",
"product": {
"name": "N/A",
"vendor": {
"name": "N/A",
"scada": false
}
}
},
{
"description": "ConneXium Tofino Firewall TCSEFEA23F3F20 et 21, toutes versions. Ces produits ne sont plus maintenus par l\u0027\u00e9diteur qui incite fortement \u00e0 mettre \u00e0 jour vers la gamme TCSEFA23F3F22",
"product": {
"name": "N/A",
"vendor": {
"name": "N/A",
"scada": false
}
}
},
{
"description": "ConneXium Tofino OPC-LSM TCSEFM0000, versions ant\u00e9rieures \u00e0 03.23",
"product": {
"name": "N/A",
"vendor": {
"name": "Schneider Electric",
"scada": true
}
}
},
{
"description": "CODESYS V3, v\u00e9rifier l\u0027avis SEVD-2022-011-06 pour identifier les p\u00e9riph\u00e9riques utilisant ce syst\u00e8me d\u0027exploitation et appliquer les mesures de contournement sugg\u00e9r\u00e9es par l\u0027\u00e9diteur",
"product": {
"name": "N/A",
"vendor": {
"name": "N/A",
"scada": false
}
}
},
{
"description": "Easergy T300, versions ant\u00e9rieures \u00e0 2.7.1",
"product": {
"name": "N/A",
"vendor": {
"name": "N/A",
"scada": false
}
}
},
{
"description": "Easergy P3, versions ant\u00e9rieures \u00e0 30.205, se r\u00e9f\u00e9rer aux informations fournies par l\u0027\u00e9diteur pour appliquer les mesures de contournement",
"product": {
"name": "N/A",
"vendor": {
"name": "Schneider Electric",
"scada": true
}
}
},
{
"description": "EcoStruxure Power Monitoring Expert 2020, versions ant\u00e9rieures \u00e0 2020 CU3 sans le composant Floating License Manager 2.7",
"product": {
"name": "N/A",
"vendor": {
"name": "Schneider Electric",
"scada": true
}
}
},
{
"description": "ConneXium Tofino Firewall TCSEFEA23F3F22, versions ant\u00e9rieures \u00e0 03.23",
"product": {
"name": "N/A",
"vendor": {
"name": "Schneider Electric",
"scada": true
}
}
},
{
"description": "Modicon M340 Quantum et Premium Quantum CPUs, v\u00e9rifier l\u0027avis SEVD-2022-011-01 pour identifier les autres syst\u00e8mes Modicon vuln\u00e9rables et appliquer les mesures de contournement sugg\u00e9r\u00e9es par l\u0027\u00e9diteur",
"product": {
"name": "Modicon M340",
"vendor": {
"name": "Schneider Electric",
"scada": true
}
}
},
{
"description": "EcoStruxure Power Monitoring Expert 9.0, toutes versions. Ces produits ne sont plus maintenus par l\u0027\u00e9diteur qui incite fortement \u00e0 mettre \u00e0 jour vers la gamme Power Monitoring Expert 2021",
"product": {
"name": "N/A",
"vendor": {
"name": "Schneider Electric",
"scada": true
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2022-22723",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-22723"
},
{
"name": "CVE-2021-21869",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21869"
},
{
"name": "CVE-2021-21866",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21866"
},
{
"name": "CVE-2021-30066",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-30066"
},
{
"name": "CVE-2021-30064",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-30064"
},
{
"name": "CVE-2022-22724",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-22724"
},
{
"name": "CVE-2019-8963",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-8963"
},
{
"name": "CVE-2021-30063",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-30063"
},
{
"name": "CVE-2021-30061",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-30061"
},
{
"name": "CVE-2021-21863",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21863"
},
{
"name": "CVE-2022-22722",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-22722"
},
{
"name": "CVE-2021-21865",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21865"
},
{
"name": "CVE-2020-7534",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-7534"
},
{
"name": "CVE-2021-21867",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21867"
},
{
"name": "CVE-2022-22804",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-22804"
},
{
"name": "CVE-2021-30062",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-30062"
},
{
"name": "CVE-2022-22726",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-22726"
},
{
"name": "CVE-2022-22725",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-22725"
},
{
"name": "CVE-2021-29241",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-29241"
},
{
"name": "CVE-2020-8597",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-8597"
},
{
"name": "CVE-2021-29240",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-29240"
},
{
"name": "CVE-2022-22727",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-22727"
},
{
"name": "CVE-2021-21864",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21864"
},
{
"name": "CVE-2021-21868",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21868"
},
{
"name": "CVE-2021-30065",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-30065"
},
{
"name": "CVE-2021-33485",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-33485"
}
],
"links": [],
"reference": "CERTFR-2022-AVI-017",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2022-01-11T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Ex\u00e9cution de code arbitraire"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits\nSchneider. Certaines d\u0027entre elles permettent \u00e0 un attaquant de\nprovoquer une ex\u00e9cution de code arbitraire, un d\u00e9ni de service \u00e0\ndistance et un contournement de la politique de s\u00e9curit\u00e9.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Schneider",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Schneider SEVD-2022-011-07 du 11 janvier 2022",
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-011-07"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Schneider SEVD-2022-011-03 du 11 janvier 2022",
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-011-03"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Schneider SEVD-2022-011-04 du 11 janvier 2022",
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-011-04"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Schneider SEVD-2022-011-01 du 11 janvier 2022",
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-011-01"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Schneider SEVD-2022-011-02 du 11 janvier 2022",
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-011-02"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Schneider SEVD-2022-011-05 du 11 janvier 2022",
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-011-05"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Schneider SEVD-2022-011-06 du 11 janvier 2022",
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-011-06"
}
]
}
CERTFR-2022-AVI-628
Vulnerability from certfr_avis - Published: - Updated:
De multiples vulnérabilités ont été découvertes dans les produits Schneider Electric. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un déni de service à distance et un contournement de la politique de sécurité.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Schneider Electric | N/A | SpaceLogic C-Bus Home Controller (5200WHC2), C-Bus Wiser Homer Controller MK2 versions antérieures à 4.14.0 (PICED_V4.14.0 Programming Interface for C-Bus Embedded Devices version V4.14.0) | ||
| Schneider Electric | N/A | X80 advanced RTU Communication Module (BMENOR2200H) versions antérieures à 2.01 | ||
| Schneider Electric | N/A | IGSS Data Server versions antérieures à 15.0.0.22074 | ||
| Schneider Electric | N/A | SCADAPack RemoteConnect for x70 versions antérieures à R2.7.3 | ||
| Schneider Electric | N/A | Micrologiciels Easergy P5 versions antérieures à 01.401.102 | ||
| Schneider Electric | N/A | Acti9 PowerTag Link C (A9XELC10-B) versions antérieures à 2.14.0 | ||
| Schneider Electric | N/A | OPC UA Modicon Communication Module (BMENUA0100) versions 1.10 et antérieures | ||
| Schneider Electric | N/A | Acti9 PowerTag Link C (A9XELC10-A) versions antérieures à 2.14.0 | ||
| Schneider Electric | N/A | EcoStruxure Machine Expert versions antérieures à 2.0.3 | ||
| Schneider Electric | N/A | Micrologiciels Smart-UPS SCL, SRT, SRC, & XU Series versions antérieures à 15.0 |
References
| Title | Publication Time | Tags | ||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "SpaceLogic C-Bus Home Controller (5200WHC2), C-Bus Wiser Homer Controller MK2 versions ant\u00e9rieures \u00e0 4.14.0 (PICED_V4.14.0 Programming Interface for C-Bus Embedded Devices version V4.14.0)",
"product": {
"name": "N/A",
"vendor": {
"name": "Schneider Electric",
"scada": true
}
}
},
{
"description": "X80 advanced RTU Communication Module (BMENOR2200H) versions ant\u00e9rieures \u00e0 2.01",
"product": {
"name": "N/A",
"vendor": {
"name": "Schneider Electric",
"scada": true
}
}
},
{
"description": "IGSS Data Server versions ant\u00e9rieures \u00e0 15.0.0.22074",
"product": {
"name": "N/A",
"vendor": {
"name": "Schneider Electric",
"scada": true
}
}
},
{
"description": "SCADAPack RemoteConnect for x70 versions ant\u00e9rieures \u00e0 R2.7.3",
"product": {
"name": "N/A",
"vendor": {
"name": "Schneider Electric",
"scada": true
}
}
},
{
"description": "Micrologiciels Easergy P5 versions ant\u00e9rieures \u00e0 01.401.102",
"product": {
"name": "N/A",
"vendor": {
"name": "Schneider Electric",
"scada": true
}
}
},
{
"description": "Acti9 PowerTag Link C (A9XELC10-B) versions ant\u00e9rieures \u00e0 2.14.0",
"product": {
"name": "N/A",
"vendor": {
"name": "Schneider Electric",
"scada": true
}
}
},
{
"description": "OPC UA Modicon Communication Module (BMENUA0100) versions 1.10 et ant\u00e9rieures",
"product": {
"name": "N/A",
"vendor": {
"name": "Schneider Electric",
"scada": true
}
}
},
{
"description": "Acti9 PowerTag Link C (A9XELC10-A) versions ant\u00e9rieures \u00e0 2.14.0",
"product": {
"name": "N/A",
"vendor": {
"name": "Schneider Electric",
"scada": true
}
}
},
{
"description": "EcoStruxure Machine Expert versions ant\u00e9rieures \u00e0 2.0.3",
"product": {
"name": "N/A",
"vendor": {
"name": "Schneider Electric",
"scada": true
}
}
},
{
"description": "Micrologiciels Smart-UPS SCL, SRT, SRC, \u0026 XU Series versions ant\u00e9rieures \u00e0 15.0",
"product": {
"name": "N/A",
"vendor": {
"name": "Schneider Electric",
"scada": true
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2022-2329",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-2329"
},
{
"name": "CVE-2021-21814",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21814"
},
{
"name": "CVE-2021-21869",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21869"
},
{
"name": "CVE-2022-34760",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-34760"
},
{
"name": "CVE-2021-21830",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21830"
},
{
"name": "CVE-2021-21866",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21866"
},
{
"name": "CVE-2021-22797",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22797"
},
{
"name": "CVE-2022-34753",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-34753"
},
{
"name": "CVE-2022-34762",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-34762"
},
{
"name": "CVE-2022-34758",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-34758"
},
{
"name": "CVE-2021-22779",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22779"
},
{
"name": "CVE-2021-22781",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22781"
},
{
"name": "CVE-2021-22780",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22780"
},
{
"name": "CVE-2021-21828",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21828"
},
{
"name": "CVE-2021-21810",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21810"
},
{
"name": "CVE-2021-21813",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21813"
},
{
"name": "CVE-2022-34761",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-34761"
},
{
"name": "CVE-2022-22806",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-22806"
},
{
"name": "CVE-2021-21825",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21825"
},
{
"name": "CVE-2022-34759",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-34759"
},
{
"name": "CVE-2022-34757",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-34757"
},
{
"name": "CVE-2021-21829",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21829"
},
{
"name": "CVE-2021-21863",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21863"
},
{
"name": "CVE-2022-34754",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-34754"
},
{
"name": "CVE-2021-22782",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22782"
},
{
"name": "CVE-2021-22778",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22778"
},
{
"name": "CVE-2022-34764",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-34764"
},
{
"name": "CVE-2022-0715",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-0715"
},
{
"name": "CVE-2021-21865",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21865"
},
{
"name": "CVE-2022-34763",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-34763"
},
{
"name": "CVE-2021-21867",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21867"
},
{
"name": "CVE-2022-34756",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-34756"
},
{
"name": "CVE-2021-21826",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21826"
},
{
"name": "CVE-2021-21812",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21812"
},
{
"name": "CVE-2021-21827",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21827"
},
{
"name": "CVE-2022-22805",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-22805"
},
{
"name": "CVE-2022-26507",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-26507"
},
{
"name": "CVE-2021-29241",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-29241"
},
{
"name": "CVE-2022-34765",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-34765"
},
{
"name": "CVE-2021-21815",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21815"
},
{
"name": "CVE-2021-21811",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21811"
},
{
"name": "CVE-2020-12525",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-12525"
},
{
"name": "CVE-2021-29240",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-29240"
},
{
"name": "CVE-2021-21864",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21864"
},
{
"name": "CVE-2022-24324",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-24324"
},
{
"name": "CVE-2021-21868",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21868"
},
{
"name": "CVE-2021-33485",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-33485"
}
],
"links": [],
"reference": "CERTFR-2022-AVI-628",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2022-07-12T00:00:00.000000"
},
{
"description": "Mise \u00e0 jour des liens",
"revision_date": "2022-08-22T00:00:00.000000"
},
{
"description": "Mise \u00e0 jour des liens",
"revision_date": "2022-08-22T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits\nSchneider Electric. Certaines d\u0027entre elles permettent \u00e0 un attaquant de\nprovoquer une ex\u00e9cution de code arbitraire \u00e0 distance, un d\u00e9ni de\nservice \u00e0 distance et un contournement de la politique de s\u00e9curit\u00e9.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Schneider Electric",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Schneider Electric SEVD-2021-194-01 du 12 juillet 2022",
"url": "https://download.schneider-electric.com/files?p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2021-194-01_EcoStruxure_Control_Expert_Process_Expert_SCADAPack_RemoteConnect_Modicon_M580_M340_V4.0.pdf"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Schneider Electric SEVD-2022-193-02 du 12 juillet 2022",
"url": "https://download.schneider-electric.com/files?p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2022-193-02_SpaceLogic-C-Bus-Home-Controller-Wiser_MK2_Security_Notification.pdf"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Schneider Electric SEVD-2022-193-01 du 12 juillet 2022",
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-193-01\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2022-193-01_OPC_UA_X80_Advanced_RTU_Modicon_Communication_Modules_Security_Notification_V3.0.pdf"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Schneider Electric SEVD-2022-193-03 du 12 juillet 2022",
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-193-03\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2022-193-03_Acti9_PowerTag_Link_C_Security_Notification.pdf"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Schneider Electric SEVD-2022-011-06 du 12 juillet 2022",
"url": "https://download.schneider-electric.com/files?p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2022-011-06_CODESYSV3_Runtime_Development_System_and_Gateway_Security_Notification.pdf"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Schneider Electric SEVD-2021-257-01 du 12 juillet 2022",
"url": "https://download.schneider-electric.com/files?p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2021-257-01_EcoStruxure_Control_Expert_EcoStruxure_Process_Expert_SCADAPack_Security_Notification_V3.0.pdf"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Schneider Electric SEVD-2022-067-02 du 12 juillet 2022",
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-067-02\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2022-067-02_APC-Smart-UPS_Security_Notification_V6.0.pdf"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Schneider Electric SEVD-2022-102-01 du 12 juillet 2022",
"url": "https://download.schneider-electric.com/files?p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2022-102-01_IGSS_Security_Notification_V2.0.pdf"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Schneider Electric SEVD-2022-193-04 du 12 juillet 2022",
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-193-04\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2022-193-04_Easergy_P5_Security_Notification.pdf"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Schneider Electric SEVD-2021-222-02 du 12 juillet 2022",
"url": "https://download.schneider-electric.com/files?p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2021-222-02_AT%26T_Labs-XMILX_DEMILL_Eco_Struxure_Control_ExpertEco_Struxure_Process_Expert_SCADA_Pack_RemoteConnect_x70_Security_Notification_V4.0.pdf"
}
]
}
GHSA-HP56-5PMQ-V75C
Vulnerability from github – Published: 2022-05-24 17:49 – Updated: 2022-05-24 17:49
VLAI?
Details
The Package Manager of CODESYS Development System 3 before 3.5.17.0 does not check the validity of packages before installation and may be used to install CODESYS packages with malicious content.
{
"affected": [],
"aliases": [
"CVE-2021-29240"
],
"database_specific": {
"cwe_ids": [],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-05-04T12:15:00Z",
"severity": "HIGH"
},
"details": "The Package Manager of CODESYS Development System 3 before 3.5.17.0 does not check the validity of packages before installation and may be used to install CODESYS packages with malicious content.",
"id": "GHSA-hp56-5pmq-v75c",
"modified": "2022-05-24T17:49:26Z",
"published": "2022-05-24T17:49:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29240"
},
{
"type": "WEB",
"url": "https://customers.codesys.com/index.php"
},
{
"type": "WEB",
"url": "https://customers.codesys.com/index.php?eID=dumpFile\u0026t=f\u0026f=14636\u0026token=1ce7e6e4cbe4651989ede418450d7c82e972bdf2\u0026download="
},
{
"type": "WEB",
"url": "https://www.codesys.com/security/security-reports.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GSD-2021-29240
Vulnerability from gsd - Updated: 2023-12-13 01:23Details
The Package Manager of CODESYS Development System 3 before 3.5.17.0 does not check the validity of packages before installation and may be used to install CODESYS packages with malicious content.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2021-29240",
"description": "The Package Manager of CODESYS Development System 3 before 3.5.17.0 does not check the validity of packages before installation and may be used to install CODESYS packages with malicious content.",
"id": "GSD-2021-29240"
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2021-29240"
],
"details": "The Package Manager of CODESYS Development System 3 before 3.5.17.0 does not check the validity of packages before installation and may be used to install CODESYS packages with malicious content.",
"id": "GSD-2021-29240",
"modified": "2023-12-13T01:23:36.564239Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-29240",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Package Manager of CODESYS Development System 3 before 3.5.17.0 does not check the validity of packages before installation and may be used to install CODESYS packages with malicious content."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://customers.codesys.com/index.php",
"refsource": "MISC",
"url": "https://customers.codesys.com/index.php"
},
{
"name": "https://www.codesys.com/security/security-reports.html",
"refsource": "MISC",
"url": "https://www.codesys.com/security/security-reports.html"
},
{
"name": "https://customers.codesys.com/index.php?eID=dumpFile\u0026t=f\u0026f=14636\u0026token=1ce7e6e4cbe4651989ede418450d7c82e972bdf2\u0026download=",
"refsource": "MISC",
"url": "https://customers.codesys.com/index.php?eID=dumpFile\u0026t=f\u0026f=14636\u0026token=1ce7e6e4cbe4651989ede418450d7c82e972bdf2\u0026download="
}
]
}
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:codesys:development_system:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "3.5.17.0",
"versionStartIncluding": "3.0",
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-29240"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "The Package Manager of CODESYS Development System 3 before 3.5.17.0 does not check the validity of packages before installation and may be used to install CODESYS packages with malicious content."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://customers.codesys.com/index.php",
"refsource": "MISC",
"tags": [
"Vendor Advisory"
],
"url": "https://customers.codesys.com/index.php"
},
{
"name": "https://customers.codesys.com/index.php?eID=dumpFile\u0026t=f\u0026f=14636\u0026token=1ce7e6e4cbe4651989ede418450d7c82e972bdf2\u0026download=",
"refsource": "MISC",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://customers.codesys.com/index.php?eID=dumpFile\u0026t=f\u0026f=14636\u0026token=1ce7e6e4cbe4651989ede418450d7c82e972bdf2\u0026download="
},
{
"name": "https://www.codesys.com/security/security-reports.html",
"refsource": "MISC",
"tags": [
"Vendor Advisory"
],
"url": "https://www.codesys.com/security/security-reports.html"
}
]
}
},
"impact": {
"baseMetricV2": {
"acInsufInfo": false,
"cvssV2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": true
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 5.9
}
},
"lastModifiedDate": "2021-05-11T20:21Z",
"publishedDate": "2021-05-04T12:15Z"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…