Vulnerability Description
The affected controllers do not properly sanitize input that contains code syntax. As a result, an attacker who can supply such input could craft code that alters the intended control flow of the controller software.
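The weakness described above is code injection: text supplied by an operator is treated as code rather than as data. The following is an added illustration of that weakness class in a hypothetical building-controller "setpoint expression" feature; it is not Trane's code and the point names, expressions and controller state are constructed for the example. It shows a vulnerable evaluator that hands the text to `eval()` (even with builtins removed) beside a hardened one that parses the text and allows only arithmetic over known points.

```python
"""Code injection (CWE-94) in a hypothetical controller expression feature.

The feature is meant to let an operator convert a sensor reading into a
setpoint with a small arithmetic expression such as "reading * 1.8 + 32".
Hypothetical code written for this page, not the vendor's implementation.
"""
import ast
import operator

# Constructed controller state: point name -> value (sample data).
POINTS = {"reading": 21.5, "fan_cmd": 0}

# Operator-supplied expressions (constructed). The first is what the feature
# is meant for. The second contains code syntax (attribute access and a call)
# that forces a different point and still returns a plausible setpoint, so the
# tampering is not obvious from the result.
LEGIT_EXPR = "reading * 1.8 + 32"
INJECTED_EXPR = "points.__setitem__('fan_cmd', 1) or reading * 1.8 + 32"


def vulnerable_setpoint(expr: str, points: dict) -> float:
    """VULNERABLE: the expression text is passed to eval() unchanged.

    Exposing the point table read-only and stripping builtins is not
    sanitization: any Python syntax in the text still runs, and the dict's
    own methods are enough to write a point.
    """
    namespace = {"points": points, **points}
    return eval(expr, {"__builtins__": {}}, namespace)


_BIN_OPS = {ast.Add: operator.add, ast.Sub: operator.sub,
            ast.Mult: operator.mul, ast.Div: operator.truediv}
_UNARY_OPS = {ast.USub: operator.neg, ast.UAdd: operator.pos}


def safe_setpoint(expr: str, points: dict) -> float:
    """Hardened: parse to an AST and walk it with an allow-list of node types.

    Only numeric constants, names of known points, and +, -, *, / are
    accepted. Calls, attribute access, subscripts, comparisons, boolean
    operators and anything else are rejected before evaluation, so code
    syntax in the input cannot change what the controller does.
    """
    try:
        tree = ast.parse(expr, mode="eval")
    except SyntaxError as exc:
        raise ValueError(f"invalid expression: {exc.msg}") from None

    def walk(node):
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if (isinstance(node, ast.Constant)
                and isinstance(node.value, (int, float))
                and not isinstance(node.value, bool)):
            return float(node.value)
        if isinstance(node, ast.Name):
            if node.id not in points:
                raise ValueError(f"unknown point: {node.id}")
            return float(points[node.id])
        if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
            return _BIN_OPS[type(node.op)](walk(node.left), walk(node.right))
        if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
            return _UNARY_OPS[type(node.op)](walk(node.operand))
        raise ValueError(f"disallowed syntax: {type(node).__name__}")

    return walk(tree)


def demo() -> dict:
    """Run both evaluators over the constructed inputs and report the outcome."""
    vuln_points = dict(POINTS)
    vuln_result = vulnerable_setpoint(INJECTED_EXPR, vuln_points)

    safe_points = dict(POINTS)
    try:
        safe_setpoint(INJECTED_EXPR, safe_points)
        rejected = False
    except ValueError:
        rejected = True

    return {
        "vulnerable_result": vuln_result,          # looks like a normal setpoint
        "vulnerable_fan_cmd": vuln_points["fan_cmd"],  # silently forced to 1
        "safe_rejected": rejected,                 # payload refused
        "safe_fan_cmd": safe_points["fan_cmd"],    # untouched
        "safe_legit": safe_setpoint(LEGIT_EXPR, safe_points),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The hardened version does not try to strip "dangerous" characters or names from the text, which is the approach that fails here; it decides what syntax is allowed and refuses everything else. Division by zero still raises `ZeroDivisionError` from the arithmetic itself and should be handled by the caller.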
CVSS Score
9.9 (CRITICAL)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Trane | Tracer Concierge | < 5.5 |
| Trane | Tracer SC Firmware | < 4.4 |
| Trane | Tracer SC | see firmware row |
| Trane | Tracer SC+ Firmware | < 5.5 |
| Trane | Tracer SC+ | see firmware row |
Related Weaknesses (CWE)
- CWE-94: Improper Control of Generation of Code ('Code Injection')
References
- https://us-cert.cisa.gov/ics/advisories/icsa-21-266-02 (Third Party Advisory, US Government Resource)
FAQ
What is CVE-2021-38450?
CVE-2021-38450 is a vulnerability with a CVSS score of 9.9 (CRITICAL). The affected controllers do not properly sanitize input that contains code syntax. As a result, an attacker who can supply such input could craft code that alters the intended control flow of the controller software.
How severe is CVE-2021-38450?
CVE-2021-38450 has been rated CRITICAL with a CVSS base score of 9.9/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2021-38450?
Check the references section above for the vendor and CISA advisory and patch information. Affected products include Trane Tracer Concierge (< 5.5), Trane Tracer SC firmware (< 4.4) and Trane Tracer SC+ firmware (< 5.5); firmware at or above those versions is not listed as affected, so upgrading is the fix. Until a controller is updated, the usual ICS practice applies: do not expose the controller's web interface to the internet, and restrict which users and networks can reach it.