Unrestricted File Upload Vulnerability in EcoStruxure Power Build by Schneider Electric
CVE-2021-22697

7.8HIGH

Key Information:

Vendor
Schneider Electric
Status
ecostruxure Power Build - Rapsody Software V2.1.13 And Prior.
Vendor
CVE Published:
26 January 2021

Summary

A vulnerability exists in EcoStruxure Power Build - Rapsody software that allows for the unrestricted upload of potentially dangerous file types. This flaw could lead to a use-after-free condition, enabling attackers to execute arbitrary code remotely when a malicious SSD file is uploaded and improperly processed, which may compromise the integrity and security of the affected system.

Affected Version(s)

 EcoStruxure Power Build - Rapsody software V2.1.13 and prior.  EcoStruxure Power Build - Rapsody software V2.1.13 and prior.

References

https://www.se.com/ww/en/download/document/SEVD-2021-012-02/
x_refsource_MISC
https://www.zerodayinitiative.com/advisories/ZDI-21-186/
x_refsource_MISC
https://us-cert.cisa.gov/ics/advisories/icsa-21-012-01
x_refsource_MISC

EPSS Score

7% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
7.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.