CVE-2021-23281

Name of the Vulnerable Software and Affected Versions Eaton Intelligent Power Manager (IPM) versions prior to 1.69

Description The issue is related to incorrect code generation management in the coverterCheckList function of the meta driver srv.js class. This can be exploited by a remote attacker to execute arbitrary code by connecting to a false SNMP server and sending specially crafted malicious packets. The IPM software fails to sanitize the data provided via the coverterCheckList action, allowing attackers to send a specially crafted packet to make IPM connect to a rogue SNMP server and execute attacker-controlled code.

Recommendations For versions prior to 1.69, update to version 1.69 or later to resolve the issue. As a temporary workaround, consider restricting access to the coverterCheckList function in the meta driver srv.js class until a patch is available. Avoid using the coverterCheckList action in the affected API endpoint until the issue is resolved.