Vulnerability Description
The affected controllers do not properly sanitize input containing code syntax. As a result, an attacker could craft code to alter the intended controller flow of the software.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Trane | Symbio 700 | < 1.00.0023 |
| Trane | Odyssey Split Systems | - |
| Trane | Symbio 800 | < 1.30.0008 |
| Trane | Intellipak 1 | - |
| Trane | Intellipak 2 | - |
| Trane | Ascend Air-Cooled Chiller Acr | - |
Related Weaknesses (CWE)
References
- https://us-cert.cisa.gov/ics/advisories/icsa-21-266-01 (Mitigation, Third Party Advisory, US Government Resource)
FAQ
What is CVE-2021-38448?
CVE-2021-38448 is a vulnerability with a CVSS score of 7.5 (HIGH). The affected controllers do not properly sanitize input containing code syntax. As a result, an attacker could craft code to alter the intended controller flow of the software.
How severe is CVE-2021-38448?
CVE-2021-38448 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2021-38448?
Check the references section above for vendor advisories and patch information. Affected products include: Trane Symbio 700, Trane Odyssey Split Systems, Trane Symbio 800, Trane Intellipak 1, Trane Intellipak 2.