CVE-2021-22704

Description

A CWE-22: Improper Limitation of a Pathname to a Restricted Directory vulnerability exists in Harmony/HMI Products Configured by Vijeo Designer (all versions prior to V6.2 SP11 ), Vijeo Designer Basic (all versions prior to V1.2), or EcoStruxure Machine Expert (all versions prior to V2.0) that could cause a Denial of Service or unauthorized access to system information when connecting to the Harmony HMI over FTP.

Related CPE's

aschneider-electricvijeo_designer********

hschneider-electricharmony_stu-*******

hschneider-electricharmony_gto-*******

hschneider-electricharmony_gk-*******

hschneider-electricharmony_gtu-*******

hschneider-electricharmony_gtux-*******

hschneider-electricharmony_sto-*******

aschneider-electricvijeo_designer****basic***

hschneider-electricharmony_gxu-*******

aschneider-electricecostruxure_machine_expert********

References

http://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-222-01

Vendor Advisory

CvssV3 impact

BaseSeverity

CRITICAL

ConfidentialityImpact

HIGH

AttackComplexity

LOW

Scope

UNCHANGED

AttackVector

NETWORK

AvailabilityImpact

HIGH

IntegrityImpact

NONE

PrivilegesRequired

NONE

BaseScore

9.1

VectorString

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Version

3.1

UserInteraction

NONE

CvssV2 impact

AccessComplexity

LOW

ConfidentialityImpact

PARTIAL

AvailabilityImpact

PARTIAL

IntegrityImpact

NONE

BaseScore

6.400000095367432

VectorString

AV:N/AC:L/Au:N/C:P/I:N/A:P

Version

2.0

AccessVector

NETWORK

Authentication

NONE

Created by Yello
About Severity.io