Vulnerability Monitor

CVE-2021-22704


A CWE-22: Improper Limitation of a Pathname to a Restricted Directory vulnerability exists in Harmony/HMI Products Configured by Vijeo Designer (all versions prior to V6.2 SP11), Vijeo Designer Basic (all versions prior to V1.2), or EcoStruxure Machine Expert (all versions prior to V2.0) that could cause a Denial of Service or unauthorized access to system information when connecting to the Harmony HMI over FTP.


Published

2021-09-02T17:15:08.060

Last Modified

2024-11-21T05:50:29.773

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 9.1 (CRITICAL)

CVSSv2 Vector

AV:N/AC:L/Au:N/C:P/I:N/A:P

  • Access Vector: NETWORK
  • Access Complexity: LOW
  • Authentication: NONE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: NONE
  • Availability Impact: PARTIAL

Exploitability Score

10.0

Impact Score

4.9

Weaknesses
  • Type: Primary
    CWE-22

Affected Vendors & Products

Type        | Vendor             | Product                     | Version/Range | Vulnerable?
Application | schneider-electric | vijeo_designer              | < 6.2.11      | Yes
Hardware    | schneider-electric | harmony_gk                  | -             | No
Hardware    | schneider-electric | harmony_gto                 | -             | No
Hardware    | schneider-electric | harmony_gtu                 | -             | No
Hardware    | schneider-electric | harmony_gtux                | -             | No
Hardware    | schneider-electric | harmony_sto                 | -             | No
Hardware    | schneider-electric | harmony_stu                 | -             | No
Application | schneider-electric | vijeo_designer              | < 1.2         | Yes
Hardware    | schneider-electric | harmony_gxu                 | -             | No
Application | schneider-electric | ecostruxure_machine_expert  | < 2.0         | Yes
Application | schneider-electric | ecostruxure_machine_expert  | 2.0           | Yes
Hardware    | schneider-electric | harmony_scu                 | -             | No

References