CVE-2021-22699 - OpenCVE

Improper Input Validation vulnerability exists in Modicon M241/M251 logic controllers firmware prior to V5.1.9.1 that could cause denial of service when specific crafted requests are sent to the controller over HTTP.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Complete

AV:N/AC:L/Au:N/C:N/I:N/A:C

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Schneider-electric	Modicon M241 Modicon M241 Firmware Modicon M251 Modicon M251 Firmware

Configuration 1 [-]

AND

cpe:2.3:h:schneider-electric:modicon_m241:-:*:*:*:*:*:*:*

cpe:2.3:o:schneider-electric:modicon_m241_firmware:*:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:h:schneider-electric:modicon_m251:-:*:*:*:*:*:*:*

cpe:2.3:o:schneider-electric:modicon_m251_firmware:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-130-05

History

No history.

MITRE

Status: PUBLISHED

Assigner: schneider

Published: 2021-05-26T19:19:13

Updated: 2024-08-03T18:51:07.223Z

Reserved: 2021-01-06T00:00:00

Link: CVE-2021-22699

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2021-05-26T20:15:08.863

Modified: 2022-02-03T16:14:39.753

Link: CVE-2021-22699

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Modicon M241/M251 logic controllers firmware prior to V5.1.9.1", "vendor": "n/a", "versions": [{"status": "affected", "version": "Modicon M241/M251 logic controllers firmware prior to V5.1.9.1"}]}], "descriptions": [{"lang": "en", "value": "Improper Input Validation vulnerability exists in Modicon M241/M251 logic controllers firmware prior to V5.1.9.1 that could cause denial of service when specific crafted requests are sent to the controller over HTTP."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "description": "CWE-20: Improper Input Validation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-05-26T19:19:13", "orgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", "shortName": "schneider"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-130-05"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cybersecurity@schneider-electric.com", "ID": "CVE-2021-22699", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Modicon M241/M251 logic controllers firmware prior to V5.1.9.1", "version": {"version_data": [{"version_value": "Modicon M241/M251 logic controllers firmware prior to V5.1.9.1"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Improper Input Validation vulnerability exists in Modicon M241/M251 logic controllers firmware prior to V5.1.9.1 that could cause denial of service when specific crafted requests are sent to the controller over HTTP."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-20: Improper Input Validation"}]}]}, "references": {"reference_data": [{"name": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-130-05", "refsource": "MISC", "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-130-05"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T18:51:07.223Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-130-05"}]}]}, "cveMetadata": {"assignerOrgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", "assignerShortName": "schneider", "cveId": "CVE-2021-22699", "datePublished": "2021-05-26T19:19:13", "dateReserved": "2021-01-06T00:00:00", "dateUpdated": "2024-08-03T18:51:07.223Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:h:schneider-electric:modicon_m241:-:*:*:*:*:*:*:*", "matchCriteriaId": "4D8FD9D9-F59F-470E-9F7F-CDDD80B0633C", "vulnerable": false}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:schneider-electric:modicon_m241_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "065A43F6-B681-4E77-928F-21C7D0304E8F", "versionEndExcluding": "5.1.9.1", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:h:schneider-electric:modicon_m251:-:*:*:*:*:*:*:*", "matchCriteriaId": "B8E03A25-B0B6-4BA2-80BC-52C16A6837E0", "vulnerable": false}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:schneider-electric:modicon_m251_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "A1E8B350-5B42-4D18-B7A4-A232BC947727", "versionEndExcluding": "5.1.9.1", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Input Validation vulnerability exists in Modicon M241/M251 logic controllers firmware prior to V5.1.9.1 that could cause denial of service when specific crafted requests are sent to the controller over HTTP."}, {"lang": "es", "value": "Se presenta una vulnerabilidad de Comprobaci\u00f3n Inapropiada de Entrada en los controladores l\u00f3gicos Modicon M241/M251 versiones del firmware anteriores a V5.1.9.1, que podr\u00eda causar una denegaci\u00f3n de servicio cuando peticiones espec\u00edficas dise\u00f1adas son enviadas al controlador a trav\u00e9s de HTTP"}], "id": "CVE-2021-22699", "lastModified": "2022-02-03T16:14:39.753", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 7.8, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-05-26T20:15:08.863", "references": [{"source": "cybersecurity@se.com", "tags": ["Vendor Advisory"], "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-130-05"}], "sourceIdentifier": "cybersecurity@se.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "cybersecurity@se.com", "type": "Primary"}]}