Vulnerabilites related to CODESYS - CODESYS Git
cve-2021-34599
Vulnerability from cvelistv5
Published
2021-12-01 09:00
Modified
2024-09-17 02:32
Severity ?
EPSS score ?
Summary
Affected versions of CODESYS Git in Versions prior to V1.1.0.0 lack certificate validation in HTTPS handshakes. CODESYS Git does not implement certificate validation by default, so it does not verify that the server provides a valid and trusted HTTPS certificate. Since the certificate of the server to which the connection is made is not properly verified, the server connection is vulnerable to a man-in-the-middle attack.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| CODESYS | CODESYS Git |
Version: CODESYS Git < V1.1.0.0 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T00:19:47.030Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://customers.codesys.com/index.php?eID=dumpFile\u0026t=f\u0026f=16959\u0026token=3ce11e44a3277c4520d732ea2e630f2e06bd46ff\u0026download"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "CODESYS Git",
"vendor": "CODESYS",
"versions": [
{
"lessThan": "V1.1.0.0",
"status": "affected",
"version": "CODESYS Git",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-12-01T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Affected versions of CODESYS Git in Versions prior to V1.1.0.0 lack certificate validation in HTTPS handshakes. CODESYS Git does not implement certificate validation by default, so it does not verify that the server provides a valid and trusted HTTPS certificate. Since the certificate of the server to which the connection is made is not properly verified, the server connection is vulnerable to a man-in-the-middle attack."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-295",
"description": "CWE-295 Improper Certificate Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-12-01T09:00:15",
"orgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
"shortName": "CERTVDE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://customers.codesys.com/index.php?eID=dumpFile\u0026t=f\u0026f=16959\u0026token=3ce11e44a3277c4520d732ea2e630f2e06bd46ff\u0026download"
}
],
"solutions": [
{
"lang": "en",
"value": "CODESYS GmbH has released CODESYS Git V1.1.0.0 to solve this vulnerability issue.\nCODESYS Git V1.1.0.0 can be downloaded and installed directly with the CODESYS Installer. CODESYS Git\nrequires a CODESYS Development System version of V3.5.17.0 or newer."
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Improper Certificate Validation in CODESYS Git",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "info@cert.vde.com",
"DATE_PUBLIC": "2021-12-01T07:00:00.000Z",
"ID": "CVE-2021-34599",
"STATE": "PUBLIC",
"TITLE": "Improper Certificate Validation in CODESYS Git"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "CODESYS Git",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "CODESYS Git",
"version_value": "V1.1.0.0"
}
]
}
}
]
},
"vendor_name": "CODESYS"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Affected versions of CODESYS Git in Versions prior to V1.1.0.0 lack certificate validation in HTTPS handshakes. CODESYS Git does not implement certificate validation by default, so it does not verify that the server provides a valid and trusted HTTPS certificate. Since the certificate of the server to which the connection is made is not properly verified, the server connection is vulnerable to a man-in-the-middle attack."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-295 Improper Certificate Validation"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://customers.codesys.com/index.php?eID=dumpFile\u0026t=f\u0026f=16959\u0026token=3ce11e44a3277c4520d732ea2e630f2e06bd46ff\u0026download",
"refsource": "CONFIRM",
"url": "https://customers.codesys.com/index.php?eID=dumpFile\u0026t=f\u0026f=16959\u0026token=3ce11e44a3277c4520d732ea2e630f2e06bd46ff\u0026download"
}
]
},
"solution": [
{
"lang": "en",
"value": "CODESYS GmbH has released CODESYS Git V1.1.0.0 to solve this vulnerability issue.\nCODESYS Git V1.1.0.0 can be downloaded and installed directly with the CODESYS Installer. CODESYS Git\nrequires a CODESYS Development System version of V3.5.17.0 or newer."
}
],
"source": {
"discovery": "INTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
"assignerShortName": "CERTVDE",
"cveId": "CVE-2021-34599",
"datePublished": "2021-12-01T09:00:15.883759Z",
"dateReserved": "2021-06-10T00:00:00",
"dateUpdated": "2024-09-17T02:32:29.181Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}