CVE-2021-22797: Path Traversal
First published: Mon Mar 28 2022(Updated: )
A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal) vulnerability exists that could cause malicious script to be deployed in an unauthorized location and may result in code execution on the engineering workstation when a malicious project file is loaded in the engineering software. Affected Product: EcoStruxure Control Expert (V15.0 SP1 and prior, including former Unity Pro), EcoStruxure Process Expert (2020 and prior, including former HDCS), SCADAPack RemoteConnect for x70 (All versions)
Credit: cybersecurity@se.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Schneider-electric Ecostruxure Control Expert | <15.1 | |
| Schneider-electric Ecostruxure Process Expert | <2021 | |
| Schneider-electric Remoteconnect | ||
| Schneider-electric Scadapack 470 | ||
| Schneider-electric Scadapack 474 | ||
| Schneider-electric Scadapack 570 | ||
| Schneider-electric Scadapack 574 | ||
| Schneider-electric Scadapack 575 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2021-22797?
CVE-2021-22797 is a Path Traversal vulnerability that allows malicious scripts to be deployed in unauthorized locations, potentially resulting in code execution.
In which software is CVE-2021-22797 found?
CVE-2021-22797 is found in Schneider-electric Ecostruxure Control Expert, Schneider-electric Ecostruxure Process Expert, and Schneider-electric Remoteconnect.
What is the severity level of CVE-2021-22797?
CVE-2021-22797 has a severity level of 7.8 (Critical).
How can CVE-2021-22797 be exploited?
CVE-2021-22797 can be exploited by loading a malicious project file in the affected software.
Is CVE-2021-22797 patched?
There is no information available about CVE-2021-22797 being patched at the moment. It is recommended to follow the recommendations provided by the vendor.
- collector/nvd-index
- agent/weakness
- agent/tags
- agent/event
- agent/references
- agent/severity
- agent/author
- agent/type
- agent/description
- agent/remedy
- agent/last-modified-date
- agent/softwarecombine
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- vendor/schneider-electric
- canonical/schneider-electric ecostruxure control expert
- canonical/schneider-electric ecostruxure process expert
- canonical/schneider-electric remoteconnect
- canonical/schneider-electric scadapack 470
- canonical/schneider-electric scadapack 474
- canonical/schneider-electric scadapack 570
- canonical/schneider-electric scadapack 574
- canonical/schneider-electric scadapack 575