Vulnerability Description
A remote code execution vulnerability exists in Schneider Electric's StruxureOn Gateway versions 1.1.3 and prior. Uploading a zip which contains carefully crafted metadata allows for the file to be uploaded to any directory on the host machine information which could lead to remote code execution.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Schneider-Electric | Struxureon Gateway | <= 1.1.3 |
Related Weaknesses (CWE)
References
- http://www.securityfocus.com/bid/103052Third Party AdvisoryVDB Entry
- https://ics-cert.us-cert.gov/advisories/ICSA-18-046-04MitigationThird Party AdvisoryUS Government Resource
- https://www.schneider-electric.com/en/download/document/SEVD-2018-039-01/Vendor Advisory
- http://www.securityfocus.com/bid/103052Third Party AdvisoryVDB Entry
- https://ics-cert.us-cert.gov/advisories/ICSA-18-046-04MitigationThird Party AdvisoryUS Government Resource
- https://www.schneider-electric.com/en/download/document/SEVD-2018-039-01/Vendor Advisory
FAQ
What is CVE-2017-9970?
CVE-2017-9970 is a vulnerability with a CVSS score of 7.2 (HIGH). A remote code execution vulnerability exists in Schneider Electric's StruxureOn Gateway versions 1.1.3 and prior. Uploading a zip which contains carefully crafted metadata allows for the file to be up...
How severe is CVE-2017-9970?
CVE-2017-9970 has been rated HIGH with a CVSS base score of 7.2/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2017-9970?
Check the references section above for vendor advisories and patch information. Affected products include: Schneider-Electric Struxureon Gateway.