PT-2021-7843 · 3S Smart Software Solutions · Codesys Development System
Patrick Desantis
·
Published
2021-08-25
·
Updated
2022-09-30
·
CVE-2021-21869
CVSS v2.0
10
High
| Vector | AV:N/AC:L/Au:N/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
CODESYS Development System versions 3.5.16 through 3.5.17
Description
The issue is related to an unsafe deserialization vulnerability in the Engine.plugin ProfileInformation ProfileData functionality. This vulnerability can be exploited by providing a specially crafted file, leading to arbitrary command execution. An attacker can trigger this vulnerability by providing a malicious file.
Recommendations
For versions 3.5.16 and 3.5.17, consider disabling the Engine.plugin ProfileInformation ProfileData functionality until a patch is available to prevent exploitation. Restrict access to the Engine.plugin to minimize the risk of arbitrary command execution. Avoid using malicious files that can trigger this vulnerability. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Exploit
Deserialization of Untrusted Data
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Codesys Development System