ID
VAR-202109-1928
CVE
CVE-2021-22794
TITLE
Schneider Electric Struxureware Data Center Expert Directory Traversal Remote Code Execution Vulnerability
Trust: 0.7
DESCRIPTION
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Schneider Electric Struxureware Data Center Expert. Authentication is required to exploit this vulnerability.The specific flaw exists within the handling of firmware updates. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of root
Trust: 0.72
AFFECTED PRODUCTS
| vendor: | schneider electric | model: | struxureware data center expert | scope: | - | version: | - | Trust: 0.7 |
CVSS
SEVERITY | CVSSV2 | CVSSV3 | |||||||||||||||||||||||||||||||||||||||||
|
|
THREAT TYPE
remote
Trust: 0.6
TYPE
path traversal
Trust: 0.6
PATCH
| title: | Schneider Electric has issued an update to correct this vulnerability. | url: | https://us-cert.cisa.gov/ics/advisories/icsa-21-257-03 | Trust: 0.7 |
| title: | Schneider Electric Struxureware Data Center Expert Repair measures for path traversal vulnerabilities | url: | http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=162792 | Trust: 0.6 |
EXTERNAL IDS
| db: | NVD | id: | CVE-2021-22794 | Trust: 1.4 |
| db: | ZDI | id: | ZDI-21-1071 | Trust: 1.4 |
| db: | ZDI_CAN | id: | ZDI-CAN-13077 | Trust: 0.7 |
| db: | MCAFEE | id: | SB20210 | Trust: 0.6 |
| db: | AUSCERT | id: | ESB-2021.3095 | Trust: 0.6 |
| db: | ICS CERT | id: | ICSA-21-257-03 | Trust: 0.6 |
| db: | CNNVD | id: | CNNVD-202109-990 | Trust: 0.6 |
| db: | VULMON | id: | CVE-2021-22794 | Trust: 0.1 |
REFERENCES
| url: | https://us-cert.cisa.gov/ics/advisories/icsa-21-257-03 | Trust: 1.3 |
| url: | https://www.zerodayinitiative.com/advisories/zdi-21-1071/ | Trust: 0.7 |
| url: | https://www.cybersecurity-help.cz/vdb/sb2021091511 | Trust: 0.6 |
| url: | https://www.auscert.org.au/bulletins/esb-2021.3095 | Trust: 0.6 |
CREDITS
David Yesland
Trust: 1.3
SOURCES
| db: | CNNVD | id: | CNNVD-202109-990 |
| db: | VULMON | id: | CVE-2021-22794 |
| db: | ZDI | id: | ZDI-21-1071 |
LAST UPDATE DATE
2021-12-18T15:40:54.484000+00:00
SOURCES UPDATE DATE
| db: | CNNVD | id: | CNNVD-202109-990 | date: | 2021-09-16T00:00:00 |
| db: | VULMON | id: | CVE-2021-22794 | date: | - |
| db: | ZDI | id: | ZDI-21-1071 | date: | 2021-09-15T00:00:00 |
SOURCES RELEASE DATE
| db: | CNNVD | id: | CNNVD-202109-990 | date: | 2021-09-14T00:00:00 |
| db: | VULMON | id: | CVE-2021-22794 | date: | - |
| db: | ZDI | id: | ZDI-21-1071 | date: | 2021-09-15T00:00:00 |