CVE-2021-21863 — Deserialization of Untrusted Data in Codesys

CWE-502 — Deserialization of Untrusted Data5 documents4 sources

Severity

7.8HIGHNVD

EPSS

0.1%

top 75.74%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Codesys Codesys Development System

Timeline

PublishedAug 5

Latest updateMay 24

Description

A unsafe deserialization vulnerability exists in the ComponentModel Profile.FromFile() functionality of CODESYS GmbH CODESYS Development System 3.5.16 and 3.5.17. A specially crafted file can lead to arbitrary command execution. An attacker can provide a malicious file to trigger this vulnerability.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages2 packages

▶NVDcodesys/development_system3.5.16.0, 3.5.17.0+1

▶CVEListV5codesys/codesysCODESYS GmbH CODESYS Development System 3.5.16 ,CODESYS GmbH CODESYS Development System 3.5.17

Patches

Patch: customers.codesys.com ↗Patch: customers.codesys.com ↗

🔴Vulnerability Details

GHSA

GHSA-v772-f3j5-f44j: A unsafe deserialization vulnerability exists in the ComponentModel Profile↗2022-05-24

▶

CVEList

CVE-2021-21863: A unsafe deserialization vulnerability exists in the ComponentModel Profile↗2021-08-05

▶

🕵️Threat Intelligence

Talos

Vulnerability Spotlight: Unsafe deserialization vulnerabilities in CODESYS Development System↗2021-07-26

▶

Talos

Vulnerability Spotlight: Unsafe deserialization vulnerabilities in CODESYS Development System↗2021-07-26

▶