PT-2021-2200 · Schneider Electric · EcoStruxure Power Build - Rapsody

Rgod

·

Published

2021-01-12

·

Updated

2022-01-31

·

CVE-2021-22698

CVSS v3.1

7.8

High

Vector

AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: EcoStruxure Power Build - Rapsody versions V2.1.13 and prior
Description: EcoStruxure Power Build - Rapsody V2.1.13 and prior does not restrict the type of file it accepts (unrestricted upload of a file with dangerous type). When a crafted SSD file is loaded, the parser overflows a stack-based buffer, which can lead to code execution in the context of the application. Per the CVSS vector (AV:L, PR:N, UI:R), the attacker needs a user on the affected host to open the malicious SSD file; no prior privileges are required, and the confidentiality, integrity and availability impacts are all rated High.
Recommendations: Apply the vendor fix for EcoStruxure Power Build - Rapsody when it is available to you. Until then, treat SSD files as untrusted input: restrict where SSD files can be uploaded or loaded from, open only SSD files from verified sources, and, if the workflow allows it, avoid the SSD file parsing functionality entirely.
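The weakness described above, as an added illustration that is not code from Rapsody or from this advisory: a parser that reads a length-prefixed text field from a file record into a fixed-size stack buffer, first trusting the on-disk length (the stack-based overflow pattern) and then with the length validated against the destination before the copy. The record layout, the field name, the NAME_MAX size and the sample records are assumptions made for the example; the real SSD format is not described on this page.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Fixed-size stack buffer for one text field of the record (assumed size). */
#define NAME_MAX 32

/* Constructed stand-in record layout (an assumption, not the real SSD format):
 *   byte 0     : length of the name field
 *   bytes 1..n : name bytes (not NUL-terminated on disk)
 */

/* Vulnerable pattern (stack-based overflow): the on-disk length is trusted
 * for the write. The check only guarantees the read stays inside the input
 * buffer; a length above NAME_MAX-1 still overflows name[] on the stack.
 * Shown for contrast only; never run it on untrusted input. */
int parse_name_unchecked(const uint8_t *buf, size_t buflen, char *out)
{
    char name[NAME_MAX];
    if (buflen < 1)
        return -1;
    size_t len = buf[0];
    if (buflen - 1 < len)
        return -1;                  /* read is in bounds ...              */
    memcpy(name, buf + 1, len);     /* ... but the write into name[] is not */
    name[len] = '\0';
    strcpy(out, name);
    return (int)len;
}

/* Hardened form: the length is validated against the destination before
 * any copy, and an oversized field is rejected rather than silently
 * truncated, so a malformed file fails to load instead of corrupting
 * the stack. Returns the field length, -1 for a malformed/truncated
 * record, -2 for a field that does not fit the destination. */
int parse_name_checked(const uint8_t *buf, size_t buflen, char *out, size_t outlen)
{
    if (buflen < 1 || outlen == 0)
        return -1;                  /* no length byte, or no room at all  */
    size_t len = buf[0];
    if (len >= outlen)
        return -2;                  /* must leave room for the NUL        */
    if (buflen - 1 < len)
        return -1;                  /* record shorter than it claims      */
    memcpy(out, buf + 1, len);
    out[len] = '\0';
    return (int)len;
}

/* Constructed benign record: name "Panel" (5 bytes). */
static const uint8_t benign_record[] = { 5, 'P', 'a', 'n', 'e', 'l' };

/* Builds a constructed record whose name field is name_len 'A' bytes,
 * e.g. 200, far above NAME_MAX. Returns the record size, or 0 if dst is
 * too small to hold it. */
size_t build_oversized_record(uint8_t *dst, size_t cap, uint8_t name_len)
{
    if (cap < 1u + name_len)
        return 0;
    dst[0] = name_len;
    memset(dst + 1, 'A', name_len);
    return 1u + name_len;
}

int main(void)
{
    char out[NAME_MAX];
    uint8_t evil[256];
    size_t n = build_oversized_record(evil, sizeof evil, 200);

    /* Only the hardened parser is ever run on the hostile record. */
    int rc = parse_name_checked(benign_record, sizeof benign_record, out, sizeof out);
    printf("benign record    -> %d (%s)\n", rc, out);
    rc = parse_name_checked(evil, n, out, sizeof out);
    printf("oversized record -> %d (rejected)\n", rc);
    return 0;
}
```

The hardened parser fails closed: a field that does not fit is reported as an error and the record is not loaded, which is the behaviour a file loader should have for any length it reads from disk. To observe the unchecked version actually corrupting the stack, build with `-fsanitize=address` and feed it the oversized record; do not do that in production code paths.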

Fix

Unrestricted File Upload

Stack Overflow


Weakness Enumeration

Related Identifiers

BDU:2021-01109
CVE-2021-22698
ZDI-21-187

Affected Products

EcoStruxure Power Build - Rapsody