CVE-2021-21864 — Deserialization of Untrusted Data in Codesys

CWE-502 — Deserialization of Untrusted Data5 documents4 sources

Severity

7.8HIGHNVD

EPSS

0.1%

top 74.32%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Codesys Codesys Development System

Timeline

PublishedAug 2

Latest updateMay 24

Description

A unsafe deserialization vulnerability exists in the ComponentModel ComponentManager.StartupCultureSettings functionality of CODESYS GmbH CODESYS Development System 3.5.16 and 3.5.17. A specially crafted file can lead to arbitrary command execution. An attacker can provide a malicious file to trigger this vulnerability.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages2 packages

▶NVDcodesys/development_system3.5.16.0, 3.5.17.0+1

▶CVEListV5codesys/codesysCODESYS GmbH CODESYS Development System 3.5.16, CODESYS GmbH CODESYS Development System 3.5.17

Patches

Patch: customers.codesys.com ↗Patch: customers.codesys.com ↗

🔴Vulnerability Details

GHSA

GHSA-3xr7-46q2-56ff: A unsafe deserialization vulnerability exists in the ComponentModel ComponentManager↗2022-05-24

▶

CVEList

CVE-2021-21864: A unsafe deserialization vulnerability exists in the ComponentModel ComponentManager↗2021-08-02

▶

🕵️Threat Intelligence

Talos

Vulnerability Spotlight: Unsafe deserialization vulnerabilities in CODESYS Development System↗2021-07-26

▶

Talos

Vulnerability Spotlight: Unsafe deserialization vulnerabilities in CODESYS Development System↗2021-07-26

▶