CVE-2021-21868

Name of the Vulnerable Software and Affected Versions CODESYS Development System versions 3.5.16 through 3.5.17

Description An unsafe deserialization vulnerability exists in the ObjectManager.plugin Project.get MissingTypes() functionality. A specially crafted file can lead to arbitrary command execution. An attacker can provide a malicious file to trigger this vulnerability.

Recommendations For versions 3.5.16 and 3.5.17, consider disabling the Project.get MissingTypes() function in the ObjectManager.plugin until a patch is available to prevent exploitation. Restrict access to the ObjectManager.plugin to minimize the risk of arbitrary command execution. Avoid using malicious files that can trigger this vulnerability until the issue is resolved.