Codesys V2 vulnerabilities

7 known vulnerabilities affecting codesys/codesys_v2.

Total CVEs: 7
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 5, MEDIUM 1

Vulnerabilities

CVE-2021-34584 [CRITICAL] CVSS 9.1, CWE-126, 2021-10-26
Affected: all web servers, < V1.1.9.22
Crafted web server requests can be utilised to read partial stack or heap memory or may trigger a denial-of-service condition due to a crash in the CODESYS V2 web server prior to V1.1.9.22.
Sources: cvelistv5, nvd

CVE-2021-34585 [HIGH] CVSS 7.5, CWE-252, 2021-10-26
Affected: all web servers, < V1.1.9.22
In the CODESYS V2 web server prior to V1.1.9.22 crafted web server requests can trigger a parser error. Since the parser result is not checked under all conditions, a pointer dereference with an invalid address can occur. This leads to a denial of service situation.
Sources: cvelistv5, nvd

CVE-2021-34595 [HIGH] CVSS 8.1, CWE-823, 2021-10-26
Affected: Runtime Toolkit 32 bit full, < V2.4.7.56; PLCWinNT, < V2.4.7.56
A crafted request with invalid offsets may cause an out-of-bounds read or write access in CODESYS V2 Runtime Toolkit 32 Bit full and PLCWinNT prior to versions V2.4.7.56, resulting in a denial-of-service condition or local memory overwrite.
Sources: cvelistv5, nvd

CVE-2021-34593 [HIGH] CVSS 7.5, CWE-755, 2021-10-26
Affected: Runtime Toolkit 32 bit full, < V2.4.7.56; PLCWinNT, < V2.4.7.56
In CODESYS V2 Runtime Toolkit 32 Bit full and PLCWinNT prior to versions V2.4.7.56 unauthenticated crafted invalid requests may result in several denial-of-service conditions. Running PLC programs may be stopped, memory may be leaked, or further communication clients may be blocked from accessing the PLC.
Sources: cvelistv5, nvd

CVE-2021-34583 [HIGH] CVSS 7.5, CWE-122, 2021-10-26
Affected: all web servers, < V1.1.9.22
Crafted web server requests may cause a heap-based buffer overflow and could therefore trigger a denial-of-service condition due to a crash in the CODESYS V2 web server prior to V1.1.9.22.
Sources: cvelistv5, nvd

CVE-2021-34586 [HIGH] CVSS 7.5, CWE-476, 2021-10-26
Affected: all web servers, < V1.1.9.22
In the CODESYS V2 web server prior to V1.1.9.22 crafted web server requests may cause a Null pointer dereference in the CODESYS web server and may result in a denial-of-service condition.
Sources: cvelistv5, nvd

CVE-2021-34596 [MEDIUM] CVSS 6.5, CWE-824, 2021-10-26
Affected: Runtime Toolkit 32 bit full, < V2.4.7.56; PLCWinNT, < V2.4.7.56
A crafted request may cause a read access to an uninitialized pointer in CODESYS V2 Runtime Toolkit 32 Bit full and PLCWinNT prior to versions V2.4.7.56, resulting in a denial-of-service condition.
Sources: cvelistv5, nvd