7.5

CVE-2021-20827

EPSS 0.15%
Veröffentlicht 24.12.2021 07:15:06
Zuletzt bearbeitet 21.11.2024 05:47:14
Quelle vultures@jpcert.or.jp
CVE-Watchlists
Login
Unerledigt
Login

Plaintext storage of a password vulnerability in IDEC PLCs (FC6A Series MICROSmart All-in-One CPU module v2.32 and earlier, FC6A Series MICROSmart Plus CPU module v1.91 and earlier, WindLDR v8.19.1 and earlier, WindEDIT Lite v1.3.1 and earlier, and Data File Manager v2.12.1 and earlier) allows an attacker to obtain the PLC Web server user credentials from file servers, backup repositories, or ZLD files saved in SD cards. As a result, the attacker may access the PLC Web server and hijack the PLC, and manipulation of the PLC output and/or suspension of the PLC may be conducted.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Idec ≫ Microsmart Fc6a Firmware Version <= 2.32

Idec ≫ Microsmart Fc6a Version-

Idec ≫ Microsmart Plus Fc6a Firmware Version <= 1.91

Idec ≫ Microsmart Plus Fc6a Version-

Idec ≫ Data File Manager Version <= 2.12.1

Idec ≫ Windedit Version <= 1.3.1

Idec ≫ Windldr Version <= 8.19.1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.15%	0.322

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd@nist.gov	5	10	2.9	AV:N/AC:L/Au:N/C:P/I:N/A:N

CWE-312 Cleartext Storage of Sensitive Information

The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.

https://jvn.jp/en/vu/JVNVU92279973/index.html

Third Party Advisory

https://www.idec.com/home/lp/pdf/2021-12-24-PLC.pdf

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2021-20827

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2021-20827

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2021-20827

EUVD