CVE-2021-21863
First published: Thu Aug 05 2021(Updated: )
A unsafe deserialization vulnerability exists in the ComponentModel Profile.FromFile() functionality of CODESYS GmbH CODESYS Development System 3.5.16 and 3.5.17. A specially crafted file can lead to arbitrary command execution. An attacker can provide a malicious file to trigger this vulnerability.
Credit: talos-cna@cisco.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| CODESYS Development System | =3.5.16.0 | |
| CODESYS Development System | =3.5.17.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the vulnerability ID?
The vulnerability ID is CVE-2021-21863.
What is the severity of CVE-2021-21863?
The severity of CVE-2021-21863 is high with a CVSS severity score of 7.8.
Which software is affected by CVE-2021-21863?
CODESYS Development System versions 3.5.16 and 3.5.17 are affected by CVE-2021-21863.
How does the vulnerability in ComponentModel Profile.FromFile() functionality occur?
The vulnerability occurs due to an unsafe deserialization issue in the ComponentModel Profile.FromFile() functionality of CODESYS Development System.
Can an attacker exploit the vulnerability to execute arbitrary commands?
Yes, an attacker can exploit the vulnerability to execute arbitrary commands by providing a specially crafted file.
- collector/nvd-index
- agent/tags
- agent/type
- agent/event
- agent/weakness
- agent/severity
- agent/references
- agent/author
- agent/description
- agent/remedy
- agent/last-modified-date
- agent/softwarecombine
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- vendor/codesys
- canonical/codesys development system
- version/codesys development system/3.5.16.0
- version/codesys development system/3.5.17.0