CVE-2021-22799 - OpenCVE

A CWE-331: Insufficient Entropy vulnerability exists that could cause unintended connection from an internal network to an external network when an attacker manages to decrypt the SESU proxy password from the registry. Affected Product: Schneider Electric Software Update, V2.3.0 through V2.5.1

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:L/AC:L/Au:N/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Schneider-electric	Software Update

Configuration 1 [-]

cpe:2.3:a:schneider-electric:software_update:*:*:*:*:*:*:*:*

References

Link	Resource
https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-313-02	Patch Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: schneider

Published: 2022-01-28T19:09:42

Updated: 2022-01-28T19:09:41

Reserved: 2021-01-06T00:00:00

Link: CVE-2021-22799

JSON object: View

NVD Information

Status : Analyzed

Published: 2022-01-28T20:15:09.770

Modified: 2022-02-03T14:59:23.503

Link: CVE-2021-22799

JSON object: View

Redhat Information

No data.

CWE

CWE-331

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:schneider-electric:software_update:*:*:*:*:*:*:*:*", "matchCriteriaId": "BCC1E042-7930-4E73-A79D-51B7A7777CBA", "versionEndExcluding": "2.5.2", "versionStartIncluding": "2.3.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A CWE-331: Insufficient Entropy vulnerability exists that could cause unintended connection from an internal network to an external network when an attacker manages to decrypt the SESU proxy password from the registry. Affected Product: Schneider Electric Software Update, V2.3.0 through V2.5.1"}, {"lang": "es", "value": "Una CWE-331: Se presenta una vulnerabilidad de Entrop\u00eda Insuficiente que podr\u00eda causar una conexi\u00f3n no intencionada desde una red interna a una red externa cuando un atacante consigue descifrar la contrase\u00f1a del proxy SESU desde el registro. Producto afectado: Schneider Electric Software Update, V2.3.0 hasta V2.5.1"}], "id": "CVE-2021-22799", "lastModified": "2022-02-03T14:59:23.503", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 2.1, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 3.8, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.0, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-01-28T20:15:09.770", "references": [{"source": "cybersecurity@se.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-313-02"}], "sourceIdentifier": "cybersecurity@se.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-331"}], "source": "nvd@nist.gov", "type": "Primary"}]}