Information Leak and Denial-of-Service Vulnerability in Capital Embedded AR Classic and PLUSCONTROL Products
CVE-2021-31345

7.5HIGH

Key Information:

Vendor
Siemens
Status
Capital Embedded Ar Classic 431-422
Capital Embedded Ar Classic R20-11
Pluscontrol 1st Gen
Vendor
CVE Published:
9 November 2021

Summary

A vulnerability exists in various versions of Capital Embedded AR Classic and PLUSCONTROL products, related to an unchecked total length of a UDP payload in the IP header. This oversight can manifest in multiple detrimental effects such as Information Leaks and Denial-of-Service (DoS) scenarios based on user-defined applications utilizing the UDP protocol.

Affected Version(s)

Capital Embedded AR Classic 431-422 0

Capital Embedded AR Classic R20-11 0

PLUSCONTROL 1st Gen All versions

References

https://cert-portal.siemens.com/productcert/pdf/ssa-11458...
x_refsource_MISC
https://cert-portal.siemens.com/productcert/pdf/ssa-04411...
x_refsource_MISC
https://cert-portal.siemens.com/productcert/pdf/ssa-62028...
x_refsource_MISC

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.