CVE-2021-22804 – Schneider Electric IGSS dc.exe Missing Authentication Information Disclosure Vulnerability

https://notcve.org/view.php?id=CVE-2021-22804

A CWE-22: Improper Limitation of a Pathname to a Restricted Directory vulnerability exists that could cause disclosure of arbitrary files being read in the context of the user running IGSS, due to missing validation of user supplied data in network messages. Affected Product: Interactive Graphical SCADA System Data Collector (dc.exe) (V15.0.0.21243 and prior) Una CWE-22: Se presenta una vulnerabilidad de Limitación Inapropiada de un Nombre de Ruta a un Directorio Restringido que podría causar la divulgación de archivos arbitrarios que son leídos en el contexto del usuario que ejecuta IGSS, debido a una falta de comprobación de los datos suministrados por el usuario en los mensajes de red. Producto afectado: Interactive Graphical SCADA System Data Collector (dc.exe) (versiones V15.0.0.21243 y anteriores) This vulnerability allows remote attackers to disclose sensitive information on affected installations of Schneider Electric IGSS. Authentication is not required to exploit this vulnerability. The specific flaw exists within the processing of TCP traffic by the dc.exe process. The issue results from the lack of authentication prior to allowing access to functionality. • https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-285-03 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •