CVE-2021-42022

6.5MEDIUM

Key Information:

Vendor: Siemens
Status: Simatic Easie Pcs 7 Skill Package
Vendor: CVE Published:; 14 December 2021

Summary

A vulnerability has been identified in SIMATIC eaSie PCS 7 Skill Package (All versions < V21.00 SP3). When downloading files, the affected systems do not properly neutralize special elements within the pathname. An attacker could then cause the pathname to resolve to a location outside of the restricted directory on the server and read unexpected critical files. The affected file download function is disabled by default.

Affected Version(s)

SIMATIC eaSie PCS 7 Skill Package All versions < V21.00 SP3

References

https://cert-portal.siemens.com/productcert/pdf/ssa-19960...

x_refsource_MISC

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Dec 14, 2021
Vulnerability Reserved
Oct 6, 2021