Arbitrary file upload in Honeywell International, Inc products - CVE-2021-38397
Published: October 6, 2021
Vulnerability identifier: #VU57088
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2021-38397
CWE-ID: CWE-434
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Honeywell International, Inc
Affected software:
Experion Process Knowledge System C200
Experion Process Knowledge System C200E
Experion Process Knowledge System C300 and ACE controllers
Detailed vulnerability description
The vulnerability allows a remote attacker to compromise a vulnerable system.
The vulnerability exists due to insufficient validation of files during file upload. A remote attacker can upload a malicious file and execute it on the server.
How to mitigate CVE-2021-38397
Install updates from the vendor's website.