Lucene search

SchneiderCVELIST:CVE-2022-42971

HistoryFeb 01, 2023 - 12:00 a.m.

CVE-2022-42971

2023-02-0100:00:00

CWE-434

schneider

www.cve.org

cwe-434

remote code execution

file upload

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.8

Confidence

High

EPSS

0.004

Percentile

74.2%

JSON

A CWE-434: Unrestricted Upload of File with Dangerous Type vulnerability exists that could cause remote code execution when the attacker uploads a malicious JSP file. Affected Products: APC Easy UPS Online Monitoring Software (Windows 7, 10, 11 & Windows Server 2016, 2019, 2022 - Versions prior to V2.5-GA), APC Easy UPS Online Monitoring Software (Windows 11, Windows Server 2019, 2022 - Versions prior to V2.5-GA-01-22261), Schneider Electric Easy UPS Online Monitoring Software (Windows 7, 10, 11 & Windows Server 2016, 2019, 2022 - Versions prior to V2.5-GS), Schneider Electric Easy UPS Online Monitoring Software (Windows 11, Windows Server 2019, 2022 - Versions prior to V2.5-GS-01-22261)

CNA Affected

[
  {
    "vendor": "Schneider Electric",
    "product": "APC Easy UPS Online Monitoring Software",
    "versions": [
      {
        "version": "Windows 7, 10, 11 Windows Server 2016, 2019, 2022",
        "status": "affected",
        "lessThan": "V2.5-GA",
        "versionType": "custom"
      }
    ]
  },
  {
    "vendor": "Schneider Electric",
    "product": "APC Easy UPS Online Monitoring Software",
    "versions": [
      {
        "version": "(Windows 11, Windows Server 2019, 2022",
        "status": "affected",
        "lessThan": "V2.5-GA-01-22261",
        "versionType": "custom"
      }
    ]
  },
  {
    "vendor": "Schneider Electric",
    "product": "Schneider Electric Easy UPS Online Monitoring Software",
    "versions": [
      {
        "version": "Windows 7, 10, 11 Windows Server 2016, 2019, 2022",
        "status": "affected",
        "lessThan": "V2.5-GS",
        "versionType": "custom"
      }
    ]
  },
  {
    "vendor": "Schneider Electric",
    "product": "Schneider Electric Easy UPS Online Monitoring Software",
    "versions": [
      {
        "version": "Windows 11, Windows Server 2019, 2022",
        "status": "affected",
        "lessThan": "V2.5-GS-01-22261",
        "versionType": "custom"
      }
    ]
  }
]

References

download.schneider-electric.com/files?p_Doc_SEVD-2022-347-01&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2022-347-01_Easy_UPS_Online_Monitoring_Software_Security_Notification.pdf

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.8

Confidence

High

EPSS

0.004

Percentile

74.2%

JSON

Related for CVELIST:CVE-2022-42971