First published: Mon Aug 02 2021(Updated: )
A unsafe deserialization vulnerability exists in the ObjectManager.plugin ProfileInformation.ProfileData functionality of CODESYS GmbH CODESYS Development System 3.5.16 and 3.5.17. A specially crafted file can lead to arbitrary command execution. An attacker can provide a malicious file to trigger this vulnerability.
Credit: talos-cna@cisco.com
Affected Software | Affected Version | How to fix |
---|---|---|
CODESYS Development System | =3.5.16.0 | |
CODESYS Development System | =3.5.17.0 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2021-21866 is an unsafe deserialization vulnerability in the ObjectManager.plugin ProfileInformation.ProfileData functionality of CODESYS Development System 3.5.16 and 3.5.17.
CVE-2021-21866 allows an attacker to execute arbitrary commands by providing a specially crafted file.
CVE-2021-21866 has a severity rating of 7.8 (high).
To fix CVE-2021-21866, it is recommended to update to a patched version of CODESYS Development System (3.5.18 or later) when it becomes available, or apply any recommended security patches provided by the vendor.
CVE-2021-21866 is associated with CWE-502 (Deserialization of Untrusted Data).