CVE-2021-38434
Published: 2021-10-18
Priority: P3 (39) · Severity: High · CVSS 3.1 base score: 7.8
Vector components: AV:L / AC:L / PR:N / UI:R / S:U / C:H / I:H / A:H
EPSS: 0.91% (55.5th percentile)
FATEK Automation WinProladder versions 3.30 and prior lack proper validation of user-supplied data when parsing project files, which could result in an unexpected sign extension. An attacker could leverage this vulnerability to execute arbitrary code.
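The description names the bug class (CWE-194, unexpected sign extension in a file parser) without showing what the pattern looks like in code. The C below is an added illustration written for this page; it is not WinProladder's code and does not reproduce the actual vulnerable parser. It assumes a hypothetical record layout (a 2-byte little-endian length field followed by the payload), a hypothetical RECORD_MAX limit, and constructed sample records, and it shows the vulnerable signed-length pattern beside a hardened version. The vulnerable function returns the byte count that would reach memcpy rather than performing the copy, so it can be run safely.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical per-record payload limit. Deliberately a plain int: the signed
 * comparison in the vulnerable path then behaves as it does in real code. An
 * unsigned macro would change the comparison and hide the bug. */
#define RECORD_MAX 64

/* Hypothetical little-endian record: 2-byte length, then payload. These sample
 * records are constructed for this example, not taken from a real project file. */
const uint8_t SAMPLE_OK[]  = {0x04, 0x00, 'A', 'B', 'C', 'D'};   /* len = 4      */
const uint8_t SAMPLE_BIG[] = {0x80, 0x00, 'A', 'B', 'C', 'D'};   /* len = 128    */
const uint8_t SAMPLE_NEG[] = {0xF0, 0xFF, 'A', 'B', 'C', 'D'};   /* len = 0xFFF0 */
const size_t SAMPLE_OK_LEN  = sizeof SAMPLE_OK;
const size_t SAMPLE_BIG_LEN = sizeof SAMPLE_BIG;
const size_t SAMPLE_NEG_LEN = sizeof SAMPLE_NEG;

/* Destination for the safe parse; sized to the validated maximum. */
uint8_t parsed_payload[RECORD_MAX];

static uint16_t read_u16_le(const uint8_t *p) {
    return (uint16_t)((uint16_t)p[0] | ((uint16_t)p[1] << 8));
}

/* Vulnerable pattern (CWE-194): the 16-bit length lands in a signed variable, the
 * bound check runs on the signed value, and the result is then widened to size_t.
 * Returns the byte count that would be handed to memcpy(), or 0 if rejected. */
size_t vulnerable_copy_len(const uint8_t *rec, size_t reclen) {
    if (reclen < 2) return 0;
    int16_t len = (int16_t)read_u16_le(rec);  /* 0xFFF0 reinterpreted as -16 */
    if (len > RECORD_MAX) return 0;            /* -16 > 64 is false: check passes */
    return (size_t)len;                        /* sign-extended: SIZE_MAX - 15 */
}

/* Hardened version: read the field as unsigned (nothing to sign-extend), bound
 * it against the fixed maximum, and bound it against the bytes actually held. */
size_t hardened_copy_len(const uint8_t *rec, size_t reclen) {
    if (reclen < 2) return 0;
    uint16_t len = read_u16_le(rec);
    if (len > RECORD_MAX) return 0;            /* 0xFFF0 == 65520 > 64: rejected */
    if ((size_t)len > reclen - 2) return 0;    /* payload must fit the input */
    return len;
}

/* Safe parse: copy the payload into the fixed buffer only after validation.
 * Returns bytes copied, or 0 on rejection. */
size_t parse_record(const uint8_t *rec, size_t reclen, uint8_t *out) {
    size_t n = hardened_copy_len(rec, reclen);
    if (n == 0) return 0;
    memcpy(out, rec + 2, n);
    return n;
}

int main(void) {
    printf("vulnerable: 0xFFF0 length would copy %zu bytes\n",
           vulnerable_copy_len(SAMPLE_NEG, SAMPLE_NEG_LEN));
    printf("hardened:   0xFFF0 length yields %zu bytes (rejected)\n",
           hardened_copy_len(SAMPLE_NEG, SAMPLE_NEG_LEN));
    printf("hardened:   valid record copies %zu bytes\n",
           parse_record(SAMPLE_OK, SAMPLE_OK_LEN, parsed_payload));
    return 0;
}
```

The point to take from the two functions is that the width of the destination type, not the width of the field in the file, decides what the bound check protects. A 16-bit value that is negative when read as signed survives a "less than maximum" comparison and then becomes an enormous size once widened; reading the field as unsigned and checking it against both the fixed limit and the remaining input length closes that path. When reviewing a parser for this class, look for any length or offset field stored in a signed type that is later used in a copy, an index, or an allocation.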
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| fatek | winproladder | <= 3.30 | — |
| fatek_automation | winproladder | All – 3.30 | — |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
The two vectors disagree on attack vector: v3.1 scores it Local with user interaction required, which matches the description (a victim must open a crafted project file), while the older v2.0 vector scores it Network. The realistic path is a malicious or tampered project file reaching the workstation running WinProladder, not a network-reachable service.
CISA ICS
ICSA-21-280-06: FATEK Automation WinProladder
cisa_ics · 2021-11-16 · CVSS 7.8 · HIGH
ICS Advisory
Alert Code: ICSA-21-280-06
Last Revised: November 16, 2021
## 1. EXECUTIVE SUMMARY
- CVSS v3 7.8
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: FATEK Automation
- Equipment: WinProladder
- Vulnerabilities: Out-of-bounds Write, Out-of-bounds Read, Unexpected Sign Extension, Stack-based Buffer Overflow, Improper Restriction of Operations within the Bounds of a Memory Buffer, Use After Free
## 2. RISK EVALUATION
Successful exploitation of these vulnerabilities may allow arbitrary code execution, remote code execution, heap corrupti
GHSA
GHSA-rq4p-mwvq-fhvq · ghsa_unreviewed · 2022-05-24
CVE-2021-38434 · HIGH · CWE-194 (Unexpected Sign Extension)
The GHSA entry carries the same description as the CVE text above.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.