CVE-2021-22698: Schneider Electric EcoStruxure Power Build SSD File Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability
First published: Mon Jan 25 2021(Updated: )
A CWE-434: Unrestricted Upload of File with Dangerous Type vulnerability exists in the EcoStruxure Power Build - Rapsody software (V2.1.13 and prior) that could allow a stack-based buffer overflow to occur which could result in remote code execution when a malicious SSD file is uploaded and improperly parsed.
Credit: cybersecurity@se.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Schneider Electric EcoStruxure Power Build | ||
| Schneider-electric Ecostruxure Power Build - Rapsody | <=2.1.13 | |
| Schneider Electric CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities, Energy, Food and Agriculture, Government Facilities, Transportation Systems, Water and Wastewater Systems | ||
| Schneider Electric COUNTRIES/AREAS DEPLOYED: Worldwide | ||
| Schneider Electric COMPANY HEADQUARTERS LOCATION: France |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2021-22698?
CVE-2021-22698 is a vulnerability in Schneider Electric EcoStruxure Power Build that allows remote attackers to execute arbitrary code.
How does CVE-2021-22698 work?
To exploit CVE-2021-22698, the target must visit a malicious page or open a malicious file, and user interaction is required.
Which software is affected by CVE-2021-22698?
Schneider Electric EcoStruxure Power Build versions up to and including 2.1.13 are affected by CVE-2021-22698.
What is the severity of CVE-2021-22698?
CVE-2021-22698 has a severity rating of 7.8 out of 10, which is considered high.
How can I fix CVE-2021-22698?
It is recommended to update Schneider Electric EcoStruxure Power Build to version 2.1.14 or later to fix CVE-2021-22698.
- agent/weakness
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/author
- agent/title
- agent/last-modified-date
- agent/description
- agent/first-publish-date
- agent/references
- collector/zdi-advisory
- source/ZDI
- alias/ZDI-21-187
- alias/ZDI-CAN-11850
- alias/CVE-2021-22698
- agent/software-canonical-lookup
- collector/nvd-index
- agent/software-canonical-lookup-request
- agent/softwarecombine
- agent/event
- agent/tags
- collector/ics-cert-advisory
- source/ICS
- vendor/schneider electric
- canonical/schneider electric ecostruxure power build
- vendor/schneider-electric
- canonical/schneider-electric ecostruxure power build - rapsody
- version/schneider-electric ecostruxure power build - rapsody/2.1.13
- canonical/schneider electric critical infrastructure sectors: commercial facilities, energy, food and agriculture, government facilities, transportation systems, water and wastewater systems
- canonical/schneider electric countries/areas deployed: worldwide
- canonical/schneider electric company headquarters location: france