PT-2021-23473 · Siemens · Simatic Easie Pcs 7 Skill Package

Published: 2021-12-14 · Updated: 2021-12-17 · CVE-2021-42022

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

SIMATIC eaSie PCS 7 Skill Package versions prior to V21.00 SP3

Description

A vulnerability has been identified where the affected systems do not properly neutralize special elements within the pathname when downloading files. This could allow an attacker to cause the pathname to resolve to a location outside of the restricted directory on the server and read unexpected critical files. The affected file download function is disabled by default.

Recommendations

For versions prior to V21.00 SP3, update to version V21.00 SP3 or later to resolve the issue. As a temporary workaround, consider keeping the affected file download function disabled until a patch is applied.

Fix

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2021-42022

Affected Products

Simatic Easie Pcs 7 Skill Package