IronMonkey Threat Research

CVE-2021-38399 HIGH

Published: 2022-10-28 | Last Modified: 2024-11-21 | Status: Modified

Description

Honeywell Experion PKS C200, C200E, C300, and ACE controllers are vulnerable to relative path traversal, which may allow an attacker access to unauthorized files and directories.

Additional Descriptions (1)

Honeywell Experion PKS C200, C200E, C300, and ACE controllers are vulnerable to relative path traversal, which may allow an attacker to access unauthorized files and directories.

CVSS Metrics

Base Score: 7.5 (HIGH)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE

Source: [email protected]

Type: Primary

Exploitability Score: 3.9

Impact Score: 3.6

Weaknesses

Source | Type | Description
[email protected] | Secondary | en CWE-23
[email protected] | Primary | en CWE-22

Affected Products

Vendor | Product | Version | Update | Type
honeywell | c200_firmware | - | | Operating System
honeywell | c200e_firmware | - | | Operating System
honeywell | c300_firmware | - | | Operating System
honeywell | application_control_environment_firmware | - | | Operating System

Affected Configurations

Operator: OR

Vulnerable CPE
Yes cpe:2.3:o:honeywell:c200_firmware:-:*:*:*:*:*:*:*

Operator: OR

Vulnerable CPE
No cpe:2.3:h:honeywell:c200:-:*:*:*:*:*:*:*

Operator: OR

Vulnerable CPE
Yes cpe:2.3:o:honeywell:c200e_firmware:-:*:*:*:*:*:*:*

Operator: OR

Vulnerable CPE
No cpe:2.3:h:honeywell:c200e:-:*:*:*:*:*:*:*

Operator: OR

Vulnerable CPE
Yes cpe:2.3:o:honeywell:c300_firmware:-:*:*:*:*:*:*:*

Operator: OR

Vulnerable CPE
No cpe:2.3:h:honeywell:c300:-:*:*:*:*:*:*:*

Operator: OR

Vulnerable CPE
Yes cpe:2.3:o:honeywell:application_control_environment_firmware:-:*:*:*:*:*:*:*

Operator: OR

Vulnerable CPE
No cpe:2.3:h:honeywell:application_control_environment:-:*:*:*:*:*:*:*