Details of VAR-202107-0328

ID

VAR-202107-0328

CVE

CVE-2021-22778

TITLE

plural Schneider Electric Inadequate protection of credentials in products

Trust: 0.8

sources: JVNDB: JVNDB-2021-009774

DESCRIPTION

Insufficiently Protected Credentials vulnerability exists in EcoStruxure Control Expert (all versions prior to V15.0 SP1, including all versions of Unity Pro), EcoStruxure Process Expert (all versions, including all versions of EcoStruxure Hybrid DCS), and SCADAPack RemoteConnect for x70, all versions, that could cause protected derived function blocks to be read or modified by unauthorized users when accessing a project file. EcoStruxure Control Expert , EcoStruxure Process Expert , SCADAPack RemoteConnect Exists in an inadequate protection of credentials.Information may be obtained and information may be tampered with. Pillow is a Python-based image processing library. There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements

Trust: 2.25

sources: NVD: CVE-2021-22778 // JVNDB: JVNDB-2021-009774 // CNNVD: CNNVD-202104-975 // VULMON: CVE-2021-22778

AFFECTED PRODUCTS

vendor:	schneider electric	model:	remoteconnect	scope:	eq	version:	*	Trust: 1.0
vendor:	schneider electric	model:	ecostruxure control expert	scope:	lt	version:	15.0	Trust: 1.0
vendor:	schneider electric	model:	ecostruxure process expert	scope:	eq	version:	*	Trust: 1.0
vendor:	schneider electric	model:	ecostruxure control expert	scope:	eq	version:	15.0	Trust: 1.0
vendor:	schneider electric	model:	ecostruxure control expert	scope:	-	version:	-	Trust: 0.8
vendor:	schneider electric	model:	ecostruxure process expert	scope:	-	version:	-	Trust: 0.8
vendor:	schneider electric	model:	remoteconnect	scope:	-	version:	-	Trust: 0.8

sources: JVNDB: JVNDB-2021-009774 // NVD: CVE-2021-22778

CVSS

SEVERITY

CVSSV2

CVSSV3

NVD:	CVE-2021-22778
value:	HIGH
Trust: 1.8
CNNVD:	CNNVD-202104-975
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-202107-1033
value:	HIGH
Trust: 0.6
VULMON:	CVE-2021-22778
value:	LOW
Trust: 0.1

NVD:	CVE-2021-22778
severity:	LOW
baseScore:	3.6
vectorString:	AV:L/AC:L/AU:N/C:P/I:P/A:N
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	4.9
acInsufInfo:	FALSE
obtainAllPrivilege:	FALSE
obtainUserPrivilege:	FALSE
obtainOtherPrivilege:	FALSE
userInteractionRequired:	FALSE
version:	2.0
Trust: 1.9

NVD:	CVE-2021-22778
baseSeverity:	HIGH
baseScore:	7.1
vectorString:	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	NONE
exploitabilityScore:	1.8
impactScore:	5.2
version:	3.1
Trust: 1.0
NVD:	CVE-2021-22778
baseSeverity:	HIGH
baseScore:	7.1
vectorString:	CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULMON: CVE-2021-22778 // JVNDB: JVNDB-2021-009774 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202107-1033 // NVD: CVE-2021-22778

PROBLEMTYPE DATA

problemtype:	CWE-522	Trust: 1.0
problemtype:	Inadequate protection of credentials (CWE-522) [ Other ]	Trust: 0.8

sources: JVNDB: JVNDB-2021-009774 // NVD: CVE-2021-22778

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-202107-1033

TYPE

other

Trust: 1.2

sources: CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202107-1033

CONFIGURATIONS

sources: NVD: CVE-2021-22778

PATCH

title:

SEVD-2021-194-01

url:

https://download.schneider-electric.com/files?p_doc_ref=sevd-2021-194-01

Trust: 0.8

sources: JVNDB: JVNDB-2021-009774

EXTERNAL IDS

db:	NVD	id:	CVE-2021-22778	Trust: 3.3
db:	SCHNEIDER	id:	SEVD-2021-194-01	Trust: 1.7
db:	JVN	id:	JVNVU97215148	Trust: 0.8
db:	JVNDB	id:	JVNDB-2021-009774	Trust: 0.8
db:	CS-HELP	id:	SB2021041363	Trust: 0.6
db:	CNNVD	id:	CNNVD-202104-975	Trust: 0.6
db:	CS-HELP	id:	SB2021071414	Trust: 0.6
db:	AUSCERT	id:	ESB-2021.2406	Trust: 0.6
db:	CNNVD	id:	CNNVD-202107-1033	Trust: 0.6
db:	VULMON	id:	CVE-2021-22778	Trust: 0.1

sources: VULMON: CVE-2021-22778 // JVNDB: JVNDB-2021-009774 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202107-1033 // NVD: CVE-2021-22778

REFERENCES

url:	http://download.schneider-electric.com/files?p_doc_ref=sevd-2021-194-01	Trust: 1.7
url:	https://jvn.jp/vu/jvnvu97215148/	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2021-22778	Trust: 0.8
url:	https://www.cybersecurity-help.cz/vdb/sb2021041363	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2021071414	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2021.2406	Trust: 0.6
url:	https://cwe.mitre.org/data/definitions/522.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: VULMON: CVE-2021-22778 // JVNDB: JVNDB-2021-009774 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202107-1033 // NVD: CVE-2021-22778

SOURCES

db:	VULMON	id:	CVE-2021-22778
db:	JVNDB	id:	JVNDB-2021-009774
db:	CNNVD	id:	CNNVD-202104-975
db:	CNNVD	id:	CNNVD-202107-1033
db:	NVD	id:	CVE-2021-22778

LAST UPDATE DATE

2022-05-21T21:14:30.224000+00:00

SOURCES UPDATE DATE

db:	VULMON	id:	CVE-2021-22778	date:	2021-07-26T00:00:00
db:	JVNDB	id:	JVNDB-2021-009774	date:	2022-05-19T08:53:00
db:	CNNVD	id:	CNNVD-202104-975	date:	2021-04-14T00:00:00
db:	CNNVD	id:	CNNVD-202107-1033	date:	2021-08-12T00:00:00
db:	NVD	id:	CVE-2021-22778	date:	2021-07-26T12:59:00

SOURCES RELEASE DATE

db:	VULMON	id:	CVE-2021-22778	date:	2021-07-14T00:00:00
db:	JVNDB	id:	JVNDB-2021-009774	date:	2022-05-19T00:00:00
db:	CNNVD	id:	CNNVD-202104-975	date:	2021-04-13T00:00:00
db:	CNNVD	id:	CNNVD-202107-1033	date:	2021-07-14T00:00:00
db:	NVD	id:	CVE-2021-22778	date:	2021-07-14T15:15:00