Vulnerability-Lookup

CVE-2021-20826 (GCVE-0-2021-20826)

Vulnerability from cvelistv5 – Published: 2021-12-24 06:30 – Updated: 2024-08-03 17:53

Summary

Unprotected transport of credentials vulnerability in IDEC PLCs (FC6A Series MICROSmart All-in-One CPU module v2.32 and earlier, FC6A Series MICROSmart Plus CPU module v1.91 and earlier, WindLDR v8.19.1 and earlier, WindEDIT Lite v1.3.1 and earlier, and Data File Manager v2.12.1 and earlier) allows an attacker to obtain the PLC Web server user credentials from the communication between the PLC and the software. As a result, the complete access privileges to the PLC Web server may be obtained, and manipulation of the PLC output and/or suspension of the PLC may be conducted.

Severity ?

No CVSS data available.

CWE

Unprotected transport of credentials

Assigner

jpcert

References

URL

	Vendor	Product	Version
	IDEC Corporation	IDEC PLC	Affected: FC6A Series MICROSmart All-in-One CPU module v2.32 and earlier, FC6A Series MICROSmart Plus CPU module v1.91 and earlier, WindLDR v8.19.1 and earlier, WindEDIT Lite v1.3.1 and earlier, and Data File Manager v2.12.1 and earlier

GHSA-V3CV-2J8P-P6XH

Vulnerability from github – Published: 2021-12-25 00:00 – Updated: 2022-01-12 00:02

Details

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2021-20826"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-522"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-12-24T07:15:00Z",
    "severity": "HIGH"
  },
  "details": "Unprotected transport of credentials vulnerability in IDEC PLCs (FC6A Series MICROSmart All-in-One CPU module v2.32 and earlier, FC6A Series MICROSmart Plus CPU module v1.91 and earlier, WindLDR v8.19.1 and earlier, WindEDIT Lite v1.3.1 and earlier, and Data File Manager v2.12.1 and earlier) allows an attacker to obtain the PLC Web server user credentials from the communication between the PLC and the software. As a result, the complete access privileges to the PLC Web server may be obtained, and manipulation of the PLC output and/or suspension of the PLC may be conducted.",
  "id": "GHSA-v3cv-2j8p-p6xh",
  "modified": "2022-01-12T00:02:16Z",
  "published": "2021-12-25T00:00:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20826"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/vu/JVNVU92279973/index.html"
    },
    {
      "type": "WEB",
      "url": "https://www.idec.com/home/lp/pdf/2021-12-24-PLC.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GSD-2021-20826

Vulnerability from gsd - Updated: 2023-12-13 01:23

Details

Aliases

CVE-2021-20826

Aliases

CVE-2021-20826

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2021-20826",
    "description": "Unprotected transport of credentials vulnerability in IDEC PLCs (FC6A Series MICROSmart All-in-One CPU module v2.32 and earlier, FC6A Series MICROSmart Plus CPU module v1.91 and earlier, WindLDR v8.19.1 and earlier, WindEDIT Lite v1.3.1 and earlier, and Data File Manager v2.12.1 and earlier) allows an attacker to obtain the PLC Web server user credentials from the communication between the PLC and the software. As a result, the complete access privileges to the PLC Web server may be obtained, and manipulation of the PLC output and/or suspension of the PLC may be conducted.",
    "id": "GSD-2021-20826"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2021-20826"
      ],
      "details": "Unprotected transport of credentials vulnerability in IDEC PLCs (FC6A Series MICROSmart All-in-One CPU module v2.32 and earlier, FC6A Series MICROSmart Plus CPU module v1.91 and earlier, WindLDR v8.19.1 and earlier, WindEDIT Lite v1.3.1 and earlier, and Data File Manager v2.12.1 and earlier) allows an attacker to obtain the PLC Web server user credentials from the communication between the PLC and the software. As a result, the complete access privileges to the PLC Web server may be obtained, and manipulation of the PLC output and/or suspension of the PLC may be conducted.",
      "id": "GSD-2021-20826",
      "modified": "2023-12-13T01:23:11.945087Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "vultures@jpcert.or.jp",
        "ID": "CVE-2021-20826",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "IDEC PLC",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "FC6A Series MICROSmart All-in-One CPU module v2.32 and earlier, FC6A Series MICROSmart Plus CPU module v1.91 and earlier, WindLDR v8.19.1 and earlier, WindEDIT Lite v1.3.1 and earlier, and Data File Manager v2.12.1 and earlier"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "IDEC Corporation"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Unprotected transport of credentials vulnerability in IDEC PLCs (FC6A Series MICROSmart All-in-One CPU module v2.32 and earlier, FC6A Series MICROSmart Plus CPU module v1.91 and earlier, WindLDR v8.19.1 and earlier, WindEDIT Lite v1.3.1 and earlier, and Data File Manager v2.12.1 and earlier) allows an attacker to obtain the PLC Web server user credentials from the communication between the PLC and the software. As a result, the complete access privileges to the PLC Web server may be obtained, and manipulation of the PLC output and/or suspension of the PLC may be conducted."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "Unprotected transport of credentials"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://www.idec.com/home/lp/pdf/2021-12-24-PLC.pdf",
            "refsource": "MISC",
            "url": "https://www.idec.com/home/lp/pdf/2021-12-24-PLC.pdf"
          },
          {
            "name": "https://jvn.jp/en/vu/JVNVU92279973/index.html",
            "refsource": "MISC",
            "url": "https://jvn.jp/en/vu/JVNVU92279973/index.html"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:idec:microsmart_fc6a_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndIncluding": "2.32",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:idec:microsmart_fc6a:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:idec:microsmart_plus_fc6a_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndIncluding": "1.91",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:idec:microsmart_plus_fc6a:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:idec:data_file_manager:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "2.12.1",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:idec:windedit:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "1.3.1",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:idec:windldr:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "8.19.1",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "vultures@jpcert.or.jp",
          "ID": "CVE-2021-20826"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Unprotected transport of credentials vulnerability in IDEC PLCs (FC6A Series MICROSmart All-in-One CPU module v2.32 and earlier, FC6A Series MICROSmart Plus CPU module v1.91 and earlier, WindLDR v8.19.1 and earlier, WindEDIT Lite v1.3.1 and earlier, and Data File Manager v2.12.1 and earlier) allows an attacker to obtain the PLC Web server user credentials from the communication between the PLC and the software. As a result, the complete access privileges to the PLC Web server may be obtained, and manipulation of the PLC output and/or suspension of the PLC may be conducted."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-522"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.idec.com/home/lp/pdf/2021-12-24-PLC.pdf",
              "refsource": "MISC",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://www.idec.com/home/lp/pdf/2021-12-24-PLC.pdf"
            },
            {
              "name": "https://jvn.jp/en/vu/JVNVU92279973/index.html",
              "refsource": "MISC",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://jvn.jp/en/vu/JVNVU92279973/index.html"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "ADJACENT_NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 3.3,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "NONE",
            "vectorString": "AV:A/AC:L/Au:N/C:P/I:N/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 6.5,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "LOW",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 7.6,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
            "version": "3.1"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 4.7
        }
      },
      "lastModifiedDate": "2022-01-11T18:18Z",
      "publishedDate": "2021-12-24T07:15Z"
    }
  }
}

FKIE_CVE-2021-20826

Vulnerability from fkie_nvd - Published: 2021-12-24 07:15 - Updated: 2024-11-21 05:47

Severity ?

7.6 (High) - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

Summary

References

URL	Tags
vultures@jpcert.or.jp	https://jvn.jp/en/vu/JVNVU92279973/index.html	Third Party Advisory
vultures@jpcert.or.jp	https://www.idec.com/home/lp/pdf/2021-12-24-PLC.pdf	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://jvn.jp/en/vu/JVNVU92279973/index.html	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://www.idec.com/home/lp/pdf/2021-12-24-PLC.pdf	Vendor Advisory

Impacted products

Vendor	Product	Version
idec	microsmart_fc6a_firmware	*
idec	microsmart_fc6a	-
idec	microsmart_plus_fc6a_firmware	*
idec	microsmart_plus_fc6a	-
idec	data_file_manager	*
idec	windedit	*
idec	windldr	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:idec:microsmart_fc6a_firmware:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "59A9BAF0-7AFD-4918-81E2-6949B71E4208",
              "versionEndIncluding": "2.32",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:idec:microsmart_fc6a:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "892DE7A7-7D54-4EE5-97B7-2B8A0B190DFB",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:idec:microsmart_plus_fc6a_firmware:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "01FFD59B-27E0-4D27-A339-FE78D7407C02",
              "versionEndIncluding": "1.91",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:idec:microsmart_plus_fc6a:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "6CFD58FF-AAE9-47F8-971C-442E2E8C4499",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:idec:data_file_manager:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "5E7A2720-6B29-4BD1-B85B-293850D804A8",
              "versionEndIncluding": "2.12.1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:idec:windedit:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "FA314D4B-B187-4238-B341-E2B9F94EBEBA",
              "versionEndIncluding": "1.3.1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:idec:windldr:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "7ED0922F-93CB-41B3-A468-44845F428945",
              "versionEndIncluding": "8.19.1",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Unprotected transport of credentials vulnerability in IDEC PLCs (FC6A Series MICROSmart All-in-One CPU module v2.32 and earlier, FC6A Series MICROSmart Plus CPU module v1.91 and earlier, WindLDR v8.19.1 and earlier, WindEDIT Lite v1.3.1 and earlier, and Data File Manager v2.12.1 and earlier) allows an attacker to obtain the PLC Web server user credentials from the communication between the PLC and the software. As a result, the complete access privileges to the PLC Web server may be obtained, and manipulation of the PLC output and/or suspension of the PLC may be conducted."
    },
    {
      "lang": "es",
      "value": "Una vulnerabilidad de transporte de credenciales sin protecci\u00f3n en los PLC de IDEC (m\u00f3dulo de CPU MICROSmart All-in-One de la serie FC6A versiones v2.32 y anteriores, m\u00f3dulo de CPU MICROSmart Plus de la serie FC6A versiones v1.91 y anteriores, WindLDR versiones 8.19.1 y anteriores, WindEDIT Lite versiones v1.3.1 y anteriores, y Data File Manager versiones v2.12.1 y anteriores) permite a un atacante obtener las credenciales de usuario del servidor web del PLC a partir de la comunicaci\u00f3n entre el PLC y el software. Como resultado, pueden obtenerse los privilegios de acceso completo al servidor web del PLC, y es posible manipular la salida del PLC y/o suspenderlo"
    }
  ],
  "id": "CVE-2021-20826",
  "lastModified": "2024-11-21T05:47:14.313",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "LOW",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "ADJACENT_NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 3.3,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:A/AC:L/Au:N/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 6.5,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "ADJACENT_NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 7.6,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 4.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2021-12-24T07:15:06.510",
  "references": [
    {
      "source": "vultures@jpcert.or.jp",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://jvn.jp/en/vu/JVNVU92279973/index.html"
    },
    {
      "source": "vultures@jpcert.or.jp",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.idec.com/home/lp/pdf/2021-12-24-PLC.pdf"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://jvn.jp/en/vu/JVNVU92279973/index.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.idec.com/home/lp/pdf/2021-12-24-PLC.pdf"
    }
  ],
  "sourceIdentifier": "vultures@jpcert.or.jp",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-522"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

JVNDB-2021-006117

Vulnerability from jvndb - Published: 2021-12-27 16:54 - Updated:2022-01-11 16:36

Severity ?

7.6 (High) - cvssV3_0 - CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

Summary

Multiple vulnerabilities in IDEC PLCs

Details

Multiple PLCs provided by IDEC Corporation contain multiple vulnerabilities listed below. * Unprotected transport of credentials (CWE-523) - CVE-2021-37400 * Plaintext storage of a password (CWE-256) - CVE-2021-37401 * Unprotected transport of credentials (CWE-523) - CVE-2021-20826 * Plaintext storage of a password (CWE-256) - CVE-2021-20827 Khalid Ansari of FM Approvals reported these vulnerabilities to IDEC Corporation, and IDEC Corporation reported the case to JPCERT/CC and coordinated in order to notify users of the solutions through JVN.

References

Type

URL

	JVN	https://jvn.jp/en/vu/JVNVU92279973/index.html
	CVE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37400
	CVE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37401
	CVE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20826
	CVE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20827
	NVD	https://nvd.nist.gov/vuln/detail/CVE-2021-20826
	NVD	https://nvd.nist.gov/vuln/detail/CVE-2021-20827
	NVD	https://nvd.nist.gov/vuln/detail/CVE-2021-37400
	NVD	https://nvd.nist.gov/vuln/detail/CVE-2021-37401
	ICS-CERT ADVISORY	https://www.cisa.gov/uscert/ics/advisories/icsa-22-006-03
	Unprotected Storage of Credentials(CWE-256)	https://cwe.mitre.org/data/definitions/256.html
	Unprotected Transport of Credentials(CWE-523)	https://cwe.mitre.org/data/definitions/523.html

Impacted products

Vendor

Product

	IDEC Corporation	Data File Manager
	IDEC Corporation	WindEDIT Lite
	IDEC Corporation	WindLDR
	IDEC Corporation	FT1A Controller SmartAXIS Pro/Lite
	IDEC Corporation	FC6A MICROSmart All-in-One CPU Module
	IDEC Corporation	FC6B MICROSmart All-in-One CPU Module
	IDEC Corporation	FC6A MICROSmart Plus CPU Module
	IDEC Corporation	FC6B MICROSmart Plus CPU Module

Show details on JVN DB website

JSON

To clipboard

{
  "@rdf:about": "https://jvndb.jvn.jp/en/contents/2021/JVNDB-2021-006117.html",
  "dc:date": "2022-01-11T16:36+09:00",
  "dcterms:issued": "2021-12-27T16:54+09:00",
  "dcterms:modified": "2022-01-11T16:36+09:00",
  "description": "Multiple PLCs provided by IDEC Corporation contain multiple vulnerabilities listed below.\r\n\r\n* Unprotected transport of credentials (CWE-523) - CVE-2021-37400\r\n* Plaintext storage of a password (CWE-256) - CVE-2021-37401\r\n* Unprotected transport of credentials (CWE-523) - CVE-2021-20826\r\n* Plaintext storage of a password (CWE-256) - CVE-2021-20827\r\n\r\nKhalid Ansari of FM Approvals reported these vulnerabilities to IDEC Corporation, and IDEC Corporation reported\r\nthe case to JPCERT/CC and coordinated in order to notify users of the solutions through JVN.",
  "link": "https://jvndb.jvn.jp/en/contents/2021/JVNDB-2021-006117.html",
  "sec:cpe": [
    {
      "#text": "cpe:/a:idec:data_file_manager",
      "@product": "Data File Manager",
      "@vendor": "IDEC Corporation",
      "@version": "2.2"
    },
    {
      "#text": "cpe:/a:idec:windedit",
      "@product": "WindEDIT Lite",
      "@vendor": "IDEC Corporation",
      "@version": "2.2"
    },
    {
      "#text": "cpe:/a:idec:windldr",
      "@product": "WindLDR",
      "@vendor": "IDEC Corporation",
      "@version": "2.2"
    },
    {
      "#text": "cpe:/o:idec:ft1a_smartaxix_pro_firmware",
      "@product": "FT1A Controller SmartAXIS Pro/Lite",
      "@vendor": "IDEC Corporation",
      "@version": "2.2"
    },
    {
      "#text": "cpe:/o:idec:microsmart_fc6a_firmware",
      "@product": "FC6A MICROSmart All-in-One CPU Module",
      "@vendor": "IDEC Corporation",
      "@version": "2.2"
    },
    {
      "#text": "cpe:/o:idec:microsmart_fc6b_firmware",
      "@product": "FC6B MICROSmart All-in-One CPU Module",
      "@vendor": "IDEC Corporation",
      "@version": "2.2"
    },
    {
      "#text": "cpe:/o:idec:microsmart_plus_fc6a_firmware",
      "@product": "FC6A MICROSmart Plus CPU Module",
      "@vendor": "IDEC Corporation",
      "@version": "2.2"
    },
    {
      "#text": "cpe:/o:idec:microsmart_plus_fc6b_firmware",
      "@product": "FC6B MICROSmart Plus CPU Module",
      "@vendor": "IDEC Corporation",
      "@version": "2.2"
    }
  ],
  "sec:cvss": [
    {
      "@score": "7.5",
      "@severity": "High",
      "@type": "Base",
      "@vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
      "@version": "2.0"
    },
    {
      "@score": "7.6",
      "@severity": "High",
      "@type": "Base",
      "@vector": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
      "@version": "3.0"
    }
  ],
  "sec:identifier": "JVNDB-2021-006117",
  "sec:references": [
    {
      "#text": "https://jvn.jp/en/vu/JVNVU92279973/index.html",
      "@id": "JVNVU#92279973",
      "@source": "JVN"
    },
    {
      "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37400",
      "@id": "CVE-2021-37400",
      "@source": "CVE"
    },
    {
      "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37401",
      "@id": "CVE-2021-37401",
      "@source": "CVE"
    },
    {
      "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20826",
      "@id": "CVE-2021-20826",
      "@source": "CVE"
    },
    {
      "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20827",
      "@id": "CVE-2021-20827",
      "@source": "CVE"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2021-20826",
      "@id": "CVE-2021-20826",
      "@source": "NVD"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2021-20827",
      "@id": "CVE-2021-20827",
      "@source": "NVD"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2021-37400",
      "@id": "CVE-2021-37400",
      "@source": "NVD"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2021-37401",
      "@id": "CVE-2021-37401",
      "@source": "NVD"
    },
    {
      "#text": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-006-03",
      "@id": "ICSA-22-006-03",
      "@source": "ICS-CERT ADVISORY"
    },
    {
      "#text": "https://cwe.mitre.org/data/definitions/256.html",
      "@id": "CWE-256",
      "@title": "Unprotected Storage of Credentials(CWE-256)"
    },
    {
      "#text": "https://cwe.mitre.org/data/definitions/523.html",
      "@id": "CWE-523",
      "@title": "Unprotected Transport of Credentials(CWE-523)"
    }
  ],
  "title": "Multiple vulnerabilities in IDEC PLCs"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2021-20826 (GCVE-0-2021-20826)

GHSA-V3CV-2J8P-P6XH

GSD-2021-20826

FKIE_CVE-2021-20826

JVNDB-2021-006117

Tags

Sightings

Nomenclature