Information Leak and Denial-of-Service Vulnerability in Capital Embedded AR Classic and PLUSCONTROL Products
CVE-2021-31345

7.5HIGH

Key Information:

Vendor: Siemens
Status: Capital Embedded Ar Classic 431-422; Capital Embedded Ar Classic R20-11; Pluscontrol 1st Gen
Vendor: CVE Published:; 9 November 2021

What is CVE-2021-31345?

A vulnerability exists in various versions of Capital Embedded AR Classic and PLUSCONTROL products, related to an unchecked total length of a UDP payload in the IP header. This oversight can manifest in multiple detrimental effects such as Information Leaks and Denial-of-Service (DoS) scenarios based on user-defined applications utilizing the UDP protocol.

Affected Version(s)

Capital Embedded AR Classic 431-422 0

Capital Embedded AR Classic R20-11 0

PLUSCONTROL 1st Gen All versions

References

https://cert-portal.siemens.com/productcert/pdf/ssa-11458...

x_refsource_MISC

https://cert-portal.siemens.com/productcert/pdf/ssa-04411...

x_refsource_MISC

https://cert-portal.siemens.com/productcert/pdf/ssa-62028...

x_refsource_MISC

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 9, 2021
Vulnerability Reserved
Apr 15, 2021

Siemens

What is CVE-2021-31345?

Affected Version(s)

References

CVSS V3.1

Timeline