Details of VAR-202107-0330

ID

VAR-202107-0330

CVE

CVE-2021-22780

TITLE

plural Schneider Electric Inadequate protection of credentials in products

Trust: 0.8

sources: JVNDB: JVNDB-2021-009772

DESCRIPTION

Insufficiently Protected Credentials vulnerability exists in EcoStruxure Control Expert (all versions prior to V15.0 SP1, including all versions of Unity Pro), EcoStruxure Process Expert (all versions, including all versions of EcoStruxure Hybrid DCS), and SCADAPack RemoteConnect for x70, all versions, that could cause unauthorized access to a project file protected by a password when this file is shared with untrusted sources. An attacker may bypass the password protection and be able to view and modify a project file. EcoStruxure Control Expert , EcoStruxure Process Expert , SCADAPack RemoteConnect Exists in an inadequate protection of credentials.Information may be obtained and information may be tampered with. Pillow is a Python-based image processing library. There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements

Trust: 2.25

sources: NVD: CVE-2021-22780 // JVNDB: JVNDB-2021-009772 // CNNVD: CNNVD-202104-975 // VULMON: CVE-2021-22780

AFFECTED PRODUCTS

vendor:	schneider electric	model:	remoteconnect	scope:	eq	version:	*	Trust: 1.0
vendor:	schneider electric	model:	ecostruxure control expert	scope:	lt	version:	15.0	Trust: 1.0
vendor:	schneider electric	model:	ecostruxure process expert	scope:	eq	version:	*	Trust: 1.0
vendor:	schneider electric	model:	ecostruxure control expert	scope:	eq	version:	15.0	Trust: 1.0
vendor:	schneider electric	model:	ecostruxure control expert	scope:	-	version:	-	Trust: 0.8
vendor:	schneider electric	model:	ecostruxure process expert	scope:	-	version:	-	Trust: 0.8
vendor:	schneider electric	model:	remoteconnect	scope:	-	version:	-	Trust: 0.8

sources: JVNDB: JVNDB-2021-009772 // NVD: CVE-2021-22780

CVSS

SEVERITY

CVSSV2

CVSSV3

NVD:	CVE-2021-22780
value:	HIGH
Trust: 1.8
CNNVD:	CNNVD-202104-975
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-202107-1023
value:	HIGH
Trust: 0.6
VULMON:	CVE-2021-22780
value:	LOW
Trust: 0.1

NVD:	CVE-2021-22780
severity:	LOW
baseScore:	3.6
vectorString:	AV:L/AC:L/AU:N/C:P/I:P/A:N
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	4.9
acInsufInfo:	FALSE
obtainAllPrivilege:	FALSE
obtainUserPrivilege:	FALSE
obtainOtherPrivilege:	FALSE
userInteractionRequired:	FALSE
version:	2.0
Trust: 1.9

NVD:	CVE-2021-22780
baseSeverity:	HIGH
baseScore:	7.1
vectorString:	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	NONE
exploitabilityScore:	1.8
impactScore:	5.2
version:	3.1
Trust: 1.0
NVD:	CVE-2021-22780
baseSeverity:	HIGH
baseScore:	7.1
vectorString:	CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULMON: CVE-2021-22780 // JVNDB: JVNDB-2021-009772 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202107-1023 // NVD: CVE-2021-22780

PROBLEMTYPE DATA

problemtype:	CWE-522	Trust: 1.0
problemtype:	Inadequate protection of credentials (CWE-522) [ Other ]	Trust: 0.8

sources: JVNDB: JVNDB-2021-009772 // NVD: CVE-2021-22780

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-202107-1023

TYPE

other

Trust: 1.2

sources: CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202107-1023

CONFIGURATIONS

sources: NVD: CVE-2021-22780

PATCH

title:

SEVD-2021-194-01

url:

https://download.schneider-electric.com/files?p_doc_ref=sevd-2021-194-01

Trust: 0.8

sources: JVNDB: JVNDB-2021-009772

EXTERNAL IDS

db:	NVD	id:	CVE-2021-22780	Trust: 3.3
db:	SCHNEIDER	id:	SEVD-2021-194-01	Trust: 1.7
db:	JVN	id:	JVNVU97215148	Trust: 0.8
db:	JVNDB	id:	JVNDB-2021-009772	Trust: 0.8
db:	CS-HELP	id:	SB2021041363	Trust: 0.6
db:	CNNVD	id:	CNNVD-202104-975	Trust: 0.6
db:	CS-HELP	id:	SB2021071414	Trust: 0.6
db:	AUSCERT	id:	ESB-2021.2406	Trust: 0.6
db:	CNNVD	id:	CNNVD-202107-1023	Trust: 0.6
db:	VULMON	id:	CVE-2021-22780	Trust: 0.1

sources: VULMON: CVE-2021-22780 // JVNDB: JVNDB-2021-009772 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202107-1023 // NVD: CVE-2021-22780

REFERENCES

url:	http://download.schneider-electric.com/files?p_doc_ref=sevd-2021-194-01	Trust: 1.7
url:	https://jvn.jp/vu/jvnvu97215148/	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2021-22780	Trust: 0.8
url:	https://www.cybersecurity-help.cz/vdb/sb2021041363	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2021071414	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2021.2406	Trust: 0.6
url:	https://cwe.mitre.org/data/definitions/522.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: VULMON: CVE-2021-22780 // JVNDB: JVNDB-2021-009772 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202107-1023 // NVD: CVE-2021-22780

SOURCES

db:	VULMON	id:	CVE-2021-22780
db:	JVNDB	id:	JVNDB-2021-009772
db:	CNNVD	id:	CNNVD-202104-975
db:	CNNVD	id:	CNNVD-202107-1023
db:	NVD	id:	CVE-2021-22780

LAST UPDATE DATE

2022-05-21T20:57:03.209000+00:00

SOURCES UPDATE DATE

db:	VULMON	id:	CVE-2021-22780	date:	2021-07-26T00:00:00
db:	JVNDB	id:	JVNDB-2021-009772	date:	2022-05-19T08:45:00
db:	CNNVD	id:	CNNVD-202104-975	date:	2021-04-14T00:00:00
db:	CNNVD	id:	CNNVD-202107-1023	date:	2021-08-12T00:00:00
db:	NVD	id:	CVE-2021-22780	date:	2021-07-26T13:58:00

SOURCES RELEASE DATE

db:	VULMON	id:	CVE-2021-22780	date:	2021-07-14T00:00:00
db:	JVNDB	id:	JVNDB-2021-009772	date:	2022-05-19T00:00:00
db:	CNNVD	id:	CNNVD-202104-975	date:	2021-04-13T00:00:00
db:	CNNVD	id:	CNNVD-202107-1023	date:	2021-07-14T00:00:00
db:	NVD	id:	CVE-2021-22780	date:	2021-07-14T15:15:00