Unrestricted File Upload Vulnerability in EcoStruxure Power Build Software by Schneider Electric
CVE-2021-22698

7.8HIGH

Key Information:

Vendor
Schneider Electric
Status
ecostruxure Power Build - Rapsody Software V2.1.13 And Prior.
Vendor
CVE Published:
26 January 2021

Summary

An unrestricted file upload vulnerability exists in the EcoStruxure Power Build - Rapsody software. This flaw allows malicious users to upload a specially crafted SSD file that can lead to a stack-based buffer overflow. If exploited, it may enable remote code execution due to the improper parsing of files within the software. Affected versions include V2.1.13 and earlier, highlighting the need for immediate attention to security practices to mitigate risks associated with this vulnerability.

Affected Version(s)

 EcoStruxure Power Build - Rapsody software V2.1.13 and prior.  EcoStruxure Power Build - Rapsody software V2.1.13 and prior.

References

https://www.se.com/ww/en/download/document/SEVD-2021-012-02/
x_refsource_MISC
https://www.zerodayinitiative.com/advisories/ZDI-21-187/
x_refsource_MISC
https://us-cert.cisa.gov/ics/advisories/icsa-21-012-01
x_refsource_MISC

EPSS Score

10% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
7.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.