CVE-2021-22697: Schneider Electric EcoStruxure Power Build SSD File Parsing Use-After-Free Remote Code Execution Vulnerability
First published: Mon Jan 25 2021(Updated: )
A CWE-434: Unrestricted Upload of File with Dangerous Type vulnerability exists in the EcoStruxure Power Build - Rapsody software (V2.1.13 and prior) that could allow a use-after-free condition which could result in remote code execution when a malicious SSD file is uploaded and improperly parsed.
Credit: cybersecurity@se.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Schneider Electric EcoStruxure Power Build | ||
| Schneider-electric Ecostruxure Power Build - Rapsody | <=2.1.13 | |
| Schneider Electric CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities, Energy, Food and Agriculture, Government Facilities, Transportation Systems, Water and Wastewater Systems | ||
| Schneider Electric COUNTRIES/AREAS DEPLOYED: Worldwide | ||
| Schneider Electric COMPANY HEADQUARTERS LOCATION: France |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2021-22697?
The severity of CVE-2021-22697 is high with a CVSS score of 7.8.
How does CVE-2021-22697 affect Schneider Electric EcoStruxure Power Build?
CVE-2021-22697 allows remote attackers to execute arbitrary code on affected installations of Schneider Electric EcoStruxure Power Build.
What actions are required to exploit CVE-2021-22697?
To exploit CVE-2021-22697, user interaction is required, such as visiting a malicious page or opening a malicious file.
Which versions of Schneider Electric EcoStruxure Power Build are affected by CVE-2021-22697?
Schneider Electric EcoStruxure Power Build version 2.1.13 is affected by CVE-2021-22697.
Are there any advisories or references available for CVE-2021-22697?
Yes, you can refer to the following advisories for more information on CVE-2021-22697: [US-CERT ICSA-21-012-01](https://us-cert.cisa.gov/ics/advisories/icsa-21-012-01), [Schneider Electric SEVD-2021-012-02](https://www.se.com/ww/en/download/document/SEVD-2021-012-02/), [ZDI-21-186](https://www.zerodayinitiative.com/advisories/ZDI-21-186/).
- agent/weakness
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/author
- agent/title
- agent/last-modified-date
- agent/description
- agent/first-publish-date
- agent/references
- collector/zdi-advisory
- source/ZDI
- alias/ZDI-21-186
- alias/ZDI-CAN-11849
- alias/CVE-2021-22697
- agent/software-canonical-lookup
- collector/nvd-index
- agent/software-canonical-lookup-request
- agent/softwarecombine
- agent/event
- agent/tags
- collector/ics-cert-advisory
- source/ICS
- alias/CVE-2021-22698
- vendor/schneider electric
- canonical/schneider electric ecostruxure power build
- vendor/schneider-electric
- canonical/schneider-electric ecostruxure power build - rapsody
- version/schneider-electric ecostruxure power build - rapsody/2.1.13
- canonical/schneider electric critical infrastructure sectors: commercial facilities, energy, food and agriculture, government facilities, transportation systems, water and wastewater systems
- canonical/schneider electric countries/areas deployed: worldwide
- canonical/schneider electric company headquarters location: france