Search

Find a vulnerability

Search criteria

    16 vulnerabilities found for Experion PKS by Honeywell

    CVE-2021-38399 (GCVE-0-2021-38399)

    Vulnerability from nvd – Published: 2022-10-28 01:19 – Updated: 2025-04-16 16:07
    VLAI
    Title
    Honeywell Experion PKS and ACE Controllers Relative Path Traversal
    Summary
    Honeywell Experion PKS C200, C200E, C300, and ACE controllers are vulnerable to relative path traversal, which may allow an attacker access to unauthorized files and directories.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-23 - Relative Path Traversal
    Assigner
    Impacted products
    Vendor Product Version
    Honeywell Experion PKS Affected: C200
    Affected: C200E
    Affected: C300
    Affected: ACE controllers
    Create a notification for this product.
    Date Public
    2021-10-05 00:00
    Credits
    Rei Henigman and Nadav Erez of Claroty reported these vulnerabilities to CISA.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T01:37:16.579Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-278-04"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.honeywellprocess.com/library/support/notifications/Customer/SN2021-02-22-01-Experion-C300-CCL.pdf"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-38399",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-16T15:53:50.707446Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-16T16:07:59.274Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Experion PKS",
              "vendor": "Honeywell",
              "versions": [
                {
                  "status": "affected",
                  "version": "C200"
                },
                {
                  "status": "affected",
                  "version": "C200E"
                },
                {
                  "status": "affected",
                  "version": "C300"
                },
                {
                  "status": "affected",
                  "version": "ACE controllers"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Rei Henigman and Nadav Erez of Claroty reported these vulnerabilities to CISA."
            }
          ],
          "datePublic": "2021-10-05T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Honeywell Experion PKS C200, C200E, C300, and ACE controllers are vulnerable to relative path traversal, which may allow an attacker access to unauthorized files and directories."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-23",
                  "description": "CWE-23: Relative Path Traversal",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-10-28T00:00:00.000Z",
            "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
            "shortName": "icscert"
          },
          "references": [
            {
              "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-278-04"
            },
            {
              "url": "https://www.honeywellprocess.com/library/support/notifications/Customer/SN2021-02-22-01-Experion-C300-CCL.pdf"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Honeywell Experion PKS and ACE Controllers Relative Path Traversal",
          "workarounds": [
            {
              "lang": "en",
              "value": "Honeywell recommends users follow all guidance in the Experion Network and Security Planning Guide to prevent attacks by malicious actors.\n\nAdditional information can be found in Honeywell Support document SN2021-02-22-01."
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "assignerShortName": "icscert",
        "cveId": "CVE-2021-38399",
        "datePublished": "2022-10-28T01:19:02.691Z",
        "dateReserved": "2021-08-10T00:00:00.000Z",
        "dateUpdated": "2025-04-16T16:07:59.274Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-38397 (GCVE-0-2021-38397)

    Vulnerability from nvd – Published: 2022-10-28 01:21 – Updated: 2025-04-16 16:07
    VLAI
    Title
    Honeywell Experion PKS and ACE Controllers Unrestricted Upload of File with Dangerous Type
    Summary
    Honeywell Experion PKS C200, C200E, C300, and ACE controllers are vulnerable to unrestricted file uploads, which may allow an attacker to remotely execute arbitrary code and cause a denial-of-service condition.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-434 - Unrestricted Upload of File with Dangerous Type
    Assigner
    Impacted products
    Vendor Product Version
    Honeywell Experion PKS Affected: C200
    Affected: C200E
    Affected: C300
    Affected: ACE controllers
    Create a notification for this product.
    Date Public
    2021-10-05 00:00
    Credits
    Rei Henigman and Nadav Erez of Claroty reported these vulnerabilities to CISA.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T01:37:16.577Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-278-04"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.honeywellprocess.com/library/support/notifications/Customer/SN2021-02-22-01-Experion-C300-CCL.pdf"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-38397",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-16T15:53:15.692298Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-16T16:07:44.758Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Experion PKS",
              "vendor": "Honeywell",
              "versions": [
                {
                  "status": "affected",
                  "version": "C200"
                },
                {
                  "status": "affected",
                  "version": "C200E"
                },
                {
                  "status": "affected",
                  "version": "C300"
                },
                {
                  "status": "affected",
                  "version": "ACE controllers"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Rei Henigman and Nadav Erez of Claroty reported these vulnerabilities to CISA."
            }
          ],
          "datePublic": "2021-10-05T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Honeywell Experion PKS C200, C200E, C300, and ACE controllers are vulnerable to unrestricted file uploads, which may allow an attacker to remotely execute arbitrary code and cause a denial-of-service condition."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 10,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-434",
                  "description": "CWE-434: Unrestricted Upload of File with Dangerous Type",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-10-28T00:00:00.000Z",
            "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
            "shortName": "icscert"
          },
          "references": [
            {
              "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-278-04"
            },
            {
              "url": "https://www.honeywellprocess.com/library/support/notifications/Customer/SN2021-02-22-01-Experion-C300-CCL.pdf"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Honeywell Experion PKS and ACE Controllers Unrestricted Upload of File with Dangerous Type",
          "workarounds": [
            {
              "lang": "en",
              "value": "Honeywell recommends users follow all guidance in the Experion Network and Security Planning Guide to prevent attacks by malicious actors.\n\nAdditional information can be found in Honeywell Support document SN2021-02-22-01."
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "assignerShortName": "icscert",
        "cveId": "CVE-2021-38397",
        "datePublished": "2022-10-28T01:21:35.576Z",
        "dateReserved": "2021-08-10T00:00:00.000Z",
        "dateUpdated": "2025-04-16T16:07:44.758Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-38395 (GCVE-0-2021-38395)

    Vulnerability from nvd – Published: 2022-10-28 01:20 – Updated: 2025-04-16 16:07
    VLAI
    Title
    Honeywell Experion PKS and ACE Controllers Injection
    Summary
    Honeywell Experion PKS C200, C200E, C300, and ACE controllers are vulnerable to improper neutralization of special elements in output, which may allow an attacker to remotely execute arbitrary code and cause a denial-of-service condition.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    Honeywell Experion PKS Affected: C200
    Affected: C200E
    Affected: C300
    Affected: ACE controllers
    Create a notification for this product.
    Date Public
    2021-10-05 00:00
    Credits
    Rei Henigman and Nadav Erez of Claroty reported these vulnerabilities to CISA.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T01:37:16.588Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-278-04"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.honeywellprocess.com/library/support/notifications/Customer/SN2021-02-22-01-Experion-C300-CCL.pdf"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-38395",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-16T15:53:47.454539Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-16T16:07:52.218Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Experion PKS",
              "vendor": "Honeywell",
              "versions": [
                {
                  "status": "affected",
                  "version": "C200"
                },
                {
                  "status": "affected",
                  "version": "C200E"
                },
                {
                  "status": "affected",
                  "version": "C300"
                },
                {
                  "status": "affected",
                  "version": "ACE controllers"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Rei Henigman and Nadav Erez of Claroty reported these vulnerabilities to CISA."
            }
          ],
          "datePublic": "2021-10-05T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Honeywell Experion PKS C200, C200E, C300, and ACE controllers are vulnerable to improper neutralization of special elements in output, which may allow an attacker to remotely execute arbitrary code and cause a denial-of-service condition."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.1,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-74",
                  "description": "CWE-74: Injection",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-10-28T00:00:00.000Z",
            "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
            "shortName": "icscert"
          },
          "references": [
            {
              "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-278-04"
            },
            {
              "url": "https://www.honeywellprocess.com/library/support/notifications/Customer/SN2021-02-22-01-Experion-C300-CCL.pdf"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Honeywell Experion PKS and ACE Controllers Injection",
          "workarounds": [
            {
              "lang": "en",
              "value": "Honeywell recommends users follow all guidance in the Experion Network and Security Planning Guide to prevent attacks by malicious actors.\n\nAdditional information can be found in Honeywell Support document SN2021-02-22-01."
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "assignerShortName": "icscert",
        "cveId": "CVE-2021-38395",
        "datePublished": "2022-10-28T01:20:24.175Z",
        "dateReserved": "2021-08-10T00:00:00.000Z",
        "dateUpdated": "2025-04-16T16:07:52.218Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2014-9186 (GCVE-0-2014-9186)

    Vulnerability from nvd – Published: 2019-04-08 15:09 – Updated: 2024-08-06 13:40
    VLAI
    Summary
    A file inclusion vulnerability exists in the confd.exe module in Honeywell Experion PKS R40x before R400.6, R41x before R410.6, and R43x before R430.2, which could lead to accepting an arbitrary file into the function, and potential information disclosure or remote code execution. Honeywell strongly encourages and recommends all customers running unsupported versions of EKPS prior to R400 to upgrade to a supported version.
    Severity
    No CVSS data available.
    CWE
    • CWE-98 - File inclusion CWE-98
    Assigner
    References
    Impacted products
    Vendor Product Version
    Honeywell Experion PKS Affected: R40x before R400.6
    Affected: R41x before R410.6
    Affected: R43x before R430.2
    Create a notification for this product.
    Date Public
    2014-12-18 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-06T13:40:24.560Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://ics-cert.us-cert.gov/advisories/ICSA-14-352-01"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Experion PKS",
              "vendor": "Honeywell",
              "versions": [
                {
                  "status": "affected",
                  "version": "R40x before R400.6"
                },
                {
                  "status": "affected",
                  "version": "R41x before R410.6"
                },
                {
                  "status": "affected",
                  "version": "R43x before R430.2"
                }
              ]
            }
          ],
          "datePublic": "2014-12-18T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A file inclusion vulnerability exists in the confd.exe module in Honeywell Experion PKS R40x before R400.6, R41x before R410.6, and R43x before R430.2, which could lead to accepting an arbitrary file into the function, and potential information disclosure or remote code execution. Honeywell strongly encourages and recommends all customers running unsupported versions of EKPS prior to R400 to upgrade to a supported version."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-98",
                  "description": "File inclusion CWE-98",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-04-08T15:09:55.000Z",
            "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
            "shortName": "icscert"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://ics-cert.us-cert.gov/advisories/ICSA-14-352-01"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "ics-cert@hq.dhs.gov",
              "ID": "CVE-2014-9186",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Experion PKS",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "R40x before R400.6"
                              },
                              {
                                "version_value": "R41x before R410.6"
                              },
                              {
                                "version_value": "R43x before R430.2"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Honeywell"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A file inclusion vulnerability exists in the confd.exe module in Honeywell Experion PKS R40x before R400.6, R41x before R410.6, and R43x before R430.2, which could lead to accepting an arbitrary file into the function, and potential information disclosure or remote code execution. Honeywell strongly encourages and recommends all customers running unsupported versions of EKPS prior to R400 to upgrade to a supported version."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "File inclusion CWE-98"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://ics-cert.us-cert.gov/advisories/ICSA-14-352-01",
                  "refsource": "MISC",
                  "url": "https://ics-cert.us-cert.gov/advisories/ICSA-14-352-01"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "assignerShortName": "icscert",
        "cveId": "CVE-2014-9186",
        "datePublished": "2019-04-08T15:09:55.000Z",
        "dateReserved": "2014-12-02T00:00:00.000Z",
        "dateUpdated": "2024-08-06T13:40:24.560Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2014-5436 (GCVE-0-2014-5436)

    Vulnerability from nvd – Published: 2019-04-08 15:18 – Updated: 2024-08-06 11:41
    VLAI
    Summary
    A directory traversal vulnerability exists in the confd.exe module in Honeywell Experion PKS R40x before R400.6, R41x before R410.6, and R43x before R430.2, which could lead to possible information disclosure. Honeywell strongly encourages and recommends all customers running unsupported versions of EKPS prior to R400 to upgrade to a supported version.
    Severity
    No CVSS data available.
    CWE
    • CWE-22 - Directory traversal CWE-22
    Assigner
    References
    Impacted products
    Vendor Product Version
    Honeywell Experion PKS Affected: R40x before R400.6
    Affected: R41x before R410.6
    Affected: R43x before R430.2
    Create a notification for this product.
    Date Public
    2014-12-18 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-06T11:41:49.329Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://ics-cert.us-cert.gov/advisories/ICSA-14-352-01"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Experion PKS",
              "vendor": "Honeywell",
              "versions": [
                {
                  "status": "affected",
                  "version": "R40x before R400.6"
                },
                {
                  "status": "affected",
                  "version": "R41x before R410.6"
                },
                {
                  "status": "affected",
                  "version": "R43x before R430.2"
                }
              ]
            }
          ],
          "datePublic": "2014-12-18T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A directory traversal vulnerability exists in the confd.exe module in Honeywell Experion PKS R40x before R400.6, R41x before R410.6, and R43x before R430.2, which could lead to possible information disclosure. Honeywell strongly encourages and recommends all customers running unsupported versions of EKPS prior to R400 to upgrade to a supported version."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "Directory traversal CWE-22",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-04-08T15:18:41.000Z",
            "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
            "shortName": "icscert"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://ics-cert.us-cert.gov/advisories/ICSA-14-352-01"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "ics-cert@hq.dhs.gov",
              "ID": "CVE-2014-5436",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Experion PKS",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "R40x before R400.6"
                              },
                              {
                                "version_value": "R41x before R410.6"
                              },
                              {
                                "version_value": "R43x before R430.2"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Honeywell"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A directory traversal vulnerability exists in the confd.exe module in Honeywell Experion PKS R40x before R400.6, R41x before R410.6, and R43x before R430.2, which could lead to possible information disclosure. Honeywell strongly encourages and recommends all customers running unsupported versions of EKPS prior to R400 to upgrade to a supported version."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Directory traversal CWE-22"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://ics-cert.us-cert.gov/advisories/ICSA-14-352-01",
                  "refsource": "MISC",
                  "url": "https://ics-cert.us-cert.gov/advisories/ICSA-14-352-01"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "assignerShortName": "icscert",
        "cveId": "CVE-2014-5436",
        "datePublished": "2019-04-08T15:18:41.000Z",
        "dateReserved": "2014-08-22T00:00:00.000Z",
        "dateUpdated": "2024-08-06T11:41:49.329Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2014-5435 (GCVE-0-2014-5435)

    Vulnerability from nvd – Published: 2019-04-08 15:25 – Updated: 2024-08-06 11:41
    VLAI
    Summary
    An arbitrary memory write vulnerability exists in the dual_onsrv.exe module in Honeywell Experion PKS R40x before R400.6, R41x before R410.6, and R43x before R430.2, that could lead to possible remote code execution or denial of service. Honeywell strongly encourages and recommends all customers running unsupported versions of EKPS prior to R400 to upgrade to a supported version.
    Severity
    No CVSS data available.
    CWE
    • CWE-123 - Arbitrary memory write CWE-123
    Assigner
    References
    Impacted products
    Vendor Product Version
    Honeywell Experion PKS Affected: R40x before R400.6
    Affected: R41x before R410.6
    Affected: R43x before R430.2
    Create a notification for this product.
    Date Public
    2014-12-18 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-06T11:41:49.065Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://ics-cert.us-cert.gov/advisories/ICSA-14-352-01"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Experion PKS",
              "vendor": "Honeywell",
              "versions": [
                {
                  "status": "affected",
                  "version": "R40x before R400.6"
                },
                {
                  "status": "affected",
                  "version": "R41x before R410.6"
                },
                {
                  "status": "affected",
                  "version": "R43x before R430.2"
                }
              ]
            }
          ],
          "datePublic": "2014-12-18T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "An arbitrary memory write vulnerability exists in the dual_onsrv.exe module in Honeywell Experion PKS R40x before R400.6, R41x before R410.6, and R43x before R430.2, that could lead to possible remote code execution or denial of service. Honeywell strongly encourages and recommends all customers running unsupported versions of EKPS prior to R400 to upgrade to a supported version."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-123",
                  "description": "Arbitrary memory write CWE-123",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-04-08T15:25:17.000Z",
            "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
            "shortName": "icscert"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://ics-cert.us-cert.gov/advisories/ICSA-14-352-01"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "ics-cert@hq.dhs.gov",
              "ID": "CVE-2014-5435",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Experion PKS",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "R40x before R400.6"
                              },
                              {
                                "version_value": "R41x before R410.6"
                              },
                              {
                                "version_value": "R43x before R430.2"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Honeywell"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "An arbitrary memory write vulnerability exists in the dual_onsrv.exe module in Honeywell Experion PKS R40x before R400.6, R41x before R410.6, and R43x before R430.2, that could lead to possible remote code execution or denial of service. Honeywell strongly encourages and recommends all customers running unsupported versions of EKPS prior to R400 to upgrade to a supported version."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Arbitrary memory write CWE-123"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://ics-cert.us-cert.gov/advisories/ICSA-14-352-01",
                  "refsource": "MISC",
                  "url": "https://ics-cert.us-cert.gov/advisories/ICSA-14-352-01"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "assignerShortName": "icscert",
        "cveId": "CVE-2014-5435",
        "datePublished": "2019-04-08T15:25:17.000Z",
        "dateReserved": "2014-08-22T00:00:00.000Z",
        "dateUpdated": "2024-08-06T11:41:49.065Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2014-9189 (GCVE-0-2014-9189)

    Vulnerability from nvd – Published: 2019-03-25 19:10 – Updated: 2024-08-06 13:40
    VLAI
    Summary
    Multiple stack-based buffer overflow vulnerabilities were found in Honeywell Experion PKS all versions prior to R400.6, all versions prior to R410.6, and all versions prior to R430.2 modules that could lead to possible remote code execution, dynamic memory corruption, or denial of service. Honeywell strongly encourages and recommends all customers running unsupported versions of EKPS prior to R400 to upgrade to a supported version.
    Severity
    No CVSS data available.
    CWE
    • CWE-121 - Stack-based buffer overflow CWE-121
    Assigner
    References
    Impacted products
    Vendor Product Version
    Honeywell Experion PKS Affected: R40x prior to R400.6
    Affected: R41x prior to R410.6
    Affected: R43x prior to R430.2
    Create a notification for this product.
    Date Public
    2014-12-18 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-06T13:40:23.163Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://ics-cert.us-cert.gov/advisories/ICSA-14-352-01"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Experion PKS",
              "vendor": "Honeywell",
              "versions": [
                {
                  "status": "affected",
                  "version": "R40x prior to R400.6"
                },
                {
                  "status": "affected",
                  "version": "R41x prior to R410.6"
                },
                {
                  "status": "affected",
                  "version": "R43x prior to R430.2"
                }
              ]
            }
          ],
          "datePublic": "2014-12-18T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Multiple stack-based buffer overflow vulnerabilities were found in Honeywell Experion PKS all versions prior to R400.6, all versions prior to R410.6, and all versions prior to R430.2 modules that could lead to possible remote code execution, dynamic memory corruption, or denial of service. Honeywell strongly encourages and recommends all customers running unsupported versions of EKPS prior to R400 to upgrade to a supported version."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-121",
                  "description": "Stack-based buffer overflow CWE-121",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-03-25T19:10:47.000Z",
            "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
            "shortName": "icscert"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://ics-cert.us-cert.gov/advisories/ICSA-14-352-01"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "ics-cert@hq.dhs.gov",
              "ID": "CVE-2014-9189",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Experion PKS",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "R40x prior to R400.6"
                              },
                              {
                                "version_value": "R41x prior to R410.6"
                              },
                              {
                                "version_value": "R43x prior to R430.2"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Honeywell"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Multiple stack-based buffer overflow vulnerabilities were found in Honeywell Experion PKS all versions prior to R400.6, all versions prior to R410.6, and all versions prior to R430.2 modules that could lead to possible remote code execution, dynamic memory corruption, or denial of service. Honeywell strongly encourages and recommends all customers running unsupported versions of EKPS prior to R400 to upgrade to a supported version."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Stack-based buffer overflow CWE-121"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://ics-cert.us-cert.gov/advisories/ICSA-14-352-01",
                  "refsource": "MISC",
                  "url": "https://ics-cert.us-cert.gov/advisories/ICSA-14-352-01"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "assignerShortName": "icscert",
        "cveId": "CVE-2014-9189",
        "datePublished": "2019-03-25T19:10:47.000Z",
        "dateReserved": "2014-12-02T00:00:00.000Z",
        "dateUpdated": "2024-08-06T13:40:23.163Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2014-9187 (GCVE-0-2014-9187)

    Vulnerability from nvd – Published: 2019-03-25 19:19 – Updated: 2024-08-06 13:40
    VLAI
    Summary
    Multiple heap-based buffer overflow vulnerabilities exist in Honeywell Experion PKS all versions prior to R400.6, all versions prior to R410.6, and all versions prior to R430.2 modules, which could lead to possible remote code execution or denial of service. Honeywell strongly encourages and recommends all customers running unsupported versions of EKPS prior to R400 to upgrade to a supported version.
    Severity
    No CVSS data available.
    CWE
    • CWE-122 - Heap-based buffer overflow CWE-122
    Assigner
    References
    Impacted products
    Vendor Product Version
    Honeywell Experion PKS Affected: R40x prior to R400.6
    Affected: R41x prior to R410.6
    Affected: R43x prior to R430.2
    Create a notification for this product.
    Date Public
    2014-12-18 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-06T13:40:24.531Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://ics-cert.us-cert.gov/advisories/ICSA-14-352-01"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Experion PKS",
              "vendor": "Honeywell",
              "versions": [
                {
                  "status": "affected",
                  "version": "R40x prior to R400.6"
                },
                {
                  "status": "affected",
                  "version": "R41x prior to R410.6"
                },
                {
                  "status": "affected",
                  "version": "R43x prior to R430.2"
                }
              ]
            }
          ],
          "datePublic": "2014-12-18T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Multiple heap-based buffer overflow vulnerabilities exist in Honeywell Experion PKS all versions prior to R400.6, all versions prior to R410.6, and all versions prior to R430.2 modules, which could lead to possible remote code execution or denial of service. Honeywell strongly encourages and recommends all customers running unsupported versions of EKPS prior to R400 to upgrade to a supported version."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-122",
                  "description": "Heap-based buffer overflow CWE-122",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-03-25T19:19:10.000Z",
            "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
            "shortName": "icscert"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://ics-cert.us-cert.gov/advisories/ICSA-14-352-01"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "ics-cert@hq.dhs.gov",
              "ID": "CVE-2014-9187",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Experion PKS",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "R40x prior to R400.6"
                              },
                              {
                                "version_value": "R41x prior to R410.6"
                              },
                              {
                                "version_value": "R43x prior to R430.2"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Honeywell"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Multiple heap-based buffer overflow vulnerabilities exist in Honeywell Experion PKS all versions prior to R400.6, all versions prior to R410.6, and all versions prior to R430.2 modules, which could lead to possible remote code execution or denial of service. Honeywell strongly encourages and recommends all customers running unsupported versions of EKPS prior to R400 to upgrade to a supported version."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Heap-based buffer overflow CWE-122"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://ics-cert.us-cert.gov/advisories/ICSA-14-352-01",
                  "refsource": "MISC",
                  "url": "https://ics-cert.us-cert.gov/advisories/ICSA-14-352-01"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "assignerShortName": "icscert",
        "cveId": "CVE-2014-9187",
        "datePublished": "2019-03-25T19:19:10.000Z",
        "dateReserved": "2014-12-02T00:00:00.000Z",
        "dateUpdated": "2024-08-06T13:40:24.531Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-38397 (GCVE-0-2021-38397)

    Vulnerability from cvelistv5 – Published: 2022-10-28 01:21 – Updated: 2025-04-16 16:07
    VLAI
    Title
    Honeywell Experion PKS and ACE Controllers Unrestricted Upload of File with Dangerous Type
    Summary
    Honeywell Experion PKS C200, C200E, C300, and ACE controllers are vulnerable to unrestricted file uploads, which may allow an attacker to remotely execute arbitrary code and cause a denial-of-service condition.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-434 - Unrestricted Upload of File with Dangerous Type
    Assigner
    Impacted products
    Vendor Product Version
    Honeywell Experion PKS Affected: C200
    Affected: C200E
    Affected: C300
    Affected: ACE controllers
    Create a notification for this product.
    Date Public
    2021-10-05 00:00
    Credits
    Rei Henigman and Nadav Erez of Claroty reported these vulnerabilities to CISA.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T01:37:16.577Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-278-04"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.honeywellprocess.com/library/support/notifications/Customer/SN2021-02-22-01-Experion-C300-CCL.pdf"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-38397",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-16T15:53:15.692298Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-16T16:07:44.758Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Experion PKS",
              "vendor": "Honeywell",
              "versions": [
                {
                  "status": "affected",
                  "version": "C200"
                },
                {
                  "status": "affected",
                  "version": "C200E"
                },
                {
                  "status": "affected",
                  "version": "C300"
                },
                {
                  "status": "affected",
                  "version": "ACE controllers"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Rei Henigman and Nadav Erez of Claroty reported these vulnerabilities to CISA."
            }
          ],
          "datePublic": "2021-10-05T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Honeywell Experion PKS C200, C200E, C300, and ACE controllers are vulnerable to unrestricted file uploads, which may allow an attacker to remotely execute arbitrary code and cause a denial-of-service condition."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 10,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-434",
                  "description": "CWE-434: Unrestricted Upload of File with Dangerous Type",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-10-28T00:00:00.000Z",
            "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
            "shortName": "icscert"
          },
          "references": [
            {
              "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-278-04"
            },
            {
              "url": "https://www.honeywellprocess.com/library/support/notifications/Customer/SN2021-02-22-01-Experion-C300-CCL.pdf"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Honeywell Experion PKS and ACE Controllers Unrestricted Upload of File with Dangerous Type",
          "workarounds": [
            {
              "lang": "en",
              "value": "Honeywell recommends users follow all guidance in the Experion Network and Security Planning Guide to prevent attacks by malicious actors.\n\nAdditional information can be found in Honeywell Support document SN2021-02-22-01."
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "assignerShortName": "icscert",
        "cveId": "CVE-2021-38397",
        "datePublished": "2022-10-28T01:21:35.576Z",
        "dateReserved": "2021-08-10T00:00:00.000Z",
        "dateUpdated": "2025-04-16T16:07:44.758Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-38395 (GCVE-0-2021-38395)

    Vulnerability from cvelistv5 – Published: 2022-10-28 01:20 – Updated: 2025-04-16 16:07
    VLAI
    Title
    Honeywell Experion PKS and ACE Controllers Injection
    Summary
    Honeywell Experion PKS C200, C200E, C300, and ACE controllers are vulnerable to improper neutralization of special elements in output, which may allow an attacker to remotely execute arbitrary code and cause a denial-of-service condition.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    Honeywell Experion PKS Affected: C200
    Affected: C200E
    Affected: C300
    Affected: ACE controllers
    Create a notification for this product.
    Date Public
    2021-10-05 00:00
    Credits
    Rei Henigman and Nadav Erez of Claroty reported these vulnerabilities to CISA.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T01:37:16.588Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-278-04"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.honeywellprocess.com/library/support/notifications/Customer/SN2021-02-22-01-Experion-C300-CCL.pdf"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-38395",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-16T15:53:47.454539Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-16T16:07:52.218Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Experion PKS",
              "vendor": "Honeywell",
              "versions": [
                {
                  "status": "affected",
                  "version": "C200"
                },
                {
                  "status": "affected",
                  "version": "C200E"
                },
                {
                  "status": "affected",
                  "version": "C300"
                },
                {
                  "status": "affected",
                  "version": "ACE controllers"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Rei Henigman and Nadav Erez of Claroty reported these vulnerabilities to CISA."
            }
          ],
          "datePublic": "2021-10-05T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Honeywell Experion PKS C200, C200E, C300, and ACE controllers are vulnerable to improper neutralization of special elements in output, which may allow an attacker to remotely execute arbitrary code and cause a denial-of-service condition."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.1,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-74",
                  "description": "CWE-74: Injection",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-10-28T00:00:00.000Z",
            "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
            "shortName": "icscert"
          },
          "references": [
            {
              "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-278-04"
            },
            {
              "url": "https://www.honeywellprocess.com/library/support/notifications/Customer/SN2021-02-22-01-Experion-C300-CCL.pdf"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Honeywell Experion PKS and ACE Controllers Injection",
          "workarounds": [
            {
              "lang": "en",
              "value": "Honeywell recommends users follow all guidance in the Experion Network and Security Planning Guide to prevent attacks by malicious actors.\n\nAdditional information can be found in Honeywell Support document SN2021-02-22-01."
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "assignerShortName": "icscert",
        "cveId": "CVE-2021-38395",
        "datePublished": "2022-10-28T01:20:24.175Z",
        "dateReserved": "2021-08-10T00:00:00.000Z",
        "dateUpdated": "2025-04-16T16:07:52.218Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-38399 (GCVE-0-2021-38399)

    Vulnerability from cvelistv5 – Published: 2022-10-28 01:19 – Updated: 2025-04-16 16:07
    VLAI
    Title
    Honeywell Experion PKS and ACE Controllers Relative Path Traversal
    Summary
    Honeywell Experion PKS C200, C200E, C300, and ACE controllers are vulnerable to relative path traversal, which may allow an attacker access to unauthorized files and directories.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-23 - Relative Path Traversal
    Assigner
    Impacted products
    Vendor Product Version
    Honeywell Experion PKS Affected: C200
    Affected: C200E
    Affected: C300
    Affected: ACE controllers
    Create a notification for this product.
    Date Public
    2021-10-05 00:00
    Credits
    Rei Henigman and Nadav Erez of Claroty reported these vulnerabilities to CISA.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T01:37:16.579Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-278-04"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.honeywellprocess.com/library/support/notifications/Customer/SN2021-02-22-01-Experion-C300-CCL.pdf"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-38399",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-16T15:53:50.707446Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-16T16:07:59.274Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Experion PKS",
              "vendor": "Honeywell",
              "versions": [
                {
                  "status": "affected",
                  "version": "C200"
                },
                {
                  "status": "affected",
                  "version": "C200E"
                },
                {
                  "status": "affected",
                  "version": "C300"
                },
                {
                  "status": "affected",
                  "version": "ACE controllers"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Rei Henigman and Nadav Erez of Claroty reported these vulnerabilities to CISA."
            }
          ],
          "datePublic": "2021-10-05T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Honeywell Experion PKS C200, C200E, C300, and ACE controllers are vulnerable to relative path traversal, which may allow an attacker access to unauthorized files and directories."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-23",
                  "description": "CWE-23: Relative Path Traversal",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-10-28T00:00:00.000Z",
            "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
            "shortName": "icscert"
          },
          "references": [
            {
              "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-278-04"
            },
            {
              "url": "https://www.honeywellprocess.com/library/support/notifications/Customer/SN2021-02-22-01-Experion-C300-CCL.pdf"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Honeywell Experion PKS and ACE Controllers Relative Path Traversal",
          "workarounds": [
            {
              "lang": "en",
              "value": "Honeywell recommends users follow all guidance in the Experion Network and Security Planning Guide to prevent attacks by malicious actors.\n\nAdditional information can be found in Honeywell Support document SN2021-02-22-01."
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "assignerShortName": "icscert",
        "cveId": "CVE-2021-38399",
        "datePublished": "2022-10-28T01:19:02.691Z",
        "dateReserved": "2021-08-10T00:00:00.000Z",
        "dateUpdated": "2025-04-16T16:07:59.274Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2014-5435 (GCVE-0-2014-5435)

    Vulnerability from cvelistv5 – Published: 2019-04-08 15:25 – Updated: 2024-08-06 11:41
    VLAI
    Summary
    An arbitrary memory write vulnerability exists in the dual_onsrv.exe module in Honeywell Experion PKS R40x before R400.6, R41x before R410.6, and R43x before R430.2, that could lead to possible remote code execution or denial of service. Honeywell strongly encourages and recommends all customers running unsupported versions of EKPS prior to R400 to upgrade to a supported version.
    Severity
    No CVSS data available.
    CWE
    • CWE-123 - Arbitrary memory write CWE-123
    Assigner
    References
    Impacted products
    Vendor Product Version
    Honeywell Experion PKS Affected: R40x before R400.6
    Affected: R41x before R410.6
    Affected: R43x before R430.2
    Create a notification for this product.
    Date Public
    2014-12-18 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-06T11:41:49.065Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://ics-cert.us-cert.gov/advisories/ICSA-14-352-01"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Experion PKS",
              "vendor": "Honeywell",
              "versions": [
                {
                  "status": "affected",
                  "version": "R40x before R400.6"
                },
                {
                  "status": "affected",
                  "version": "R41x before R410.6"
                },
                {
                  "status": "affected",
                  "version": "R43x before R430.2"
                }
              ]
            }
          ],
          "datePublic": "2014-12-18T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "An arbitrary memory write vulnerability exists in the dual_onsrv.exe module in Honeywell Experion PKS R40x before R400.6, R41x before R410.6, and R43x before R430.2, that could lead to possible remote code execution or denial of service. Honeywell strongly encourages and recommends all customers running unsupported versions of EKPS prior to R400 to upgrade to a supported version."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-123",
                  "description": "Arbitrary memory write CWE-123",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-04-08T15:25:17.000Z",
            "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
            "shortName": "icscert"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://ics-cert.us-cert.gov/advisories/ICSA-14-352-01"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "ics-cert@hq.dhs.gov",
              "ID": "CVE-2014-5435",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Experion PKS",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "R40x before R400.6"
                              },
                              {
                                "version_value": "R41x before R410.6"
                              },
                              {
                                "version_value": "R43x before R430.2"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Honeywell"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "An arbitrary memory write vulnerability exists in the dual_onsrv.exe module in Honeywell Experion PKS R40x before R400.6, R41x before R410.6, and R43x before R430.2, that could lead to possible remote code execution or denial of service. Honeywell strongly encourages and recommends all customers running unsupported versions of EKPS prior to R400 to upgrade to a supported version."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Arbitrary memory write CWE-123"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://ics-cert.us-cert.gov/advisories/ICSA-14-352-01",
                  "refsource": "MISC",
                  "url": "https://ics-cert.us-cert.gov/advisories/ICSA-14-352-01"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "assignerShortName": "icscert",
        "cveId": "CVE-2014-5435",
        "datePublished": "2019-04-08T15:25:17.000Z",
        "dateReserved": "2014-08-22T00:00:00.000Z",
        "dateUpdated": "2024-08-06T11:41:49.065Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2014-5436 (GCVE-0-2014-5436)

    Vulnerability from cvelistv5 – Published: 2019-04-08 15:18 – Updated: 2024-08-06 11:41
    VLAI
    Summary
    A directory traversal vulnerability exists in the confd.exe module in Honeywell Experion PKS R40x before R400.6, R41x before R410.6, and R43x before R430.2, which could lead to possible information disclosure. Honeywell strongly encourages and recommends all customers running unsupported versions of EKPS prior to R400 to upgrade to a supported version.
    Severity
    No CVSS data available.
    CWE
    • CWE-22 - Directory traversal CWE-22
    Assigner
    References
    Impacted products
    Vendor Product Version
    Honeywell Experion PKS Affected: R40x before R400.6
    Affected: R41x before R410.6
    Affected: R43x before R430.2
    Create a notification for this product.
    Date Public
    2014-12-18 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-06T11:41:49.329Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://ics-cert.us-cert.gov/advisories/ICSA-14-352-01"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Experion PKS",
              "vendor": "Honeywell",
              "versions": [
                {
                  "status": "affected",
                  "version": "R40x before R400.6"
                },
                {
                  "status": "affected",
                  "version": "R41x before R410.6"
                },
                {
                  "status": "affected",
                  "version": "R43x before R430.2"
                }
              ]
            }
          ],
          "datePublic": "2014-12-18T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A directory traversal vulnerability exists in the confd.exe module in Honeywell Experion PKS R40x before R400.6, R41x before R410.6, and R43x before R430.2, which could lead to possible information disclosure. Honeywell strongly encourages and recommends all customers running unsupported versions of EKPS prior to R400 to upgrade to a supported version."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "Directory traversal CWE-22",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-04-08T15:18:41.000Z",
            "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
            "shortName": "icscert"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://ics-cert.us-cert.gov/advisories/ICSA-14-352-01"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "ics-cert@hq.dhs.gov",
              "ID": "CVE-2014-5436",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Experion PKS",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "R40x before R400.6"
                              },
                              {
                                "version_value": "R41x before R410.6"
                              },
                              {
                                "version_value": "R43x before R430.2"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Honeywell"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A directory traversal vulnerability exists in the confd.exe module in Honeywell Experion PKS R40x before R400.6, R41x before R410.6, and R43x before R430.2, which could lead to possible information disclosure. Honeywell strongly encourages and recommends all customers running unsupported versions of EKPS prior to R400 to upgrade to a supported version."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Directory traversal CWE-22"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://ics-cert.us-cert.gov/advisories/ICSA-14-352-01",
                  "refsource": "MISC",
                  "url": "https://ics-cert.us-cert.gov/advisories/ICSA-14-352-01"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "assignerShortName": "icscert",
        "cveId": "CVE-2014-5436",
        "datePublished": "2019-04-08T15:18:41.000Z",
        "dateReserved": "2014-08-22T00:00:00.000Z",
        "dateUpdated": "2024-08-06T11:41:49.329Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2014-9186 (GCVE-0-2014-9186)

    Vulnerability from cvelistv5 – Published: 2019-04-08 15:09 – Updated: 2024-08-06 13:40
    VLAI
    Summary
    A file inclusion vulnerability exists in the confd.exe module in Honeywell Experion PKS R40x before R400.6, R41x before R410.6, and R43x before R430.2, which could lead to accepting an arbitrary file into the function, and potential information disclosure or remote code execution. Honeywell strongly encourages and recommends all customers running unsupported versions of EKPS prior to R400 to upgrade to a supported version.
    Severity
    No CVSS data available.
    CWE
    • CWE-98 - File inclusion CWE-98
    Assigner
    References
    Impacted products
    Vendor Product Version
    Honeywell Experion PKS Affected: R40x before R400.6
    Affected: R41x before R410.6
    Affected: R43x before R430.2
    Create a notification for this product.
    Date Public
    2014-12-18 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-06T13:40:24.560Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://ics-cert.us-cert.gov/advisories/ICSA-14-352-01"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Experion PKS",
              "vendor": "Honeywell",
              "versions": [
                {
                  "status": "affected",
                  "version": "R40x before R400.6"
                },
                {
                  "status": "affected",
                  "version": "R41x before R410.6"
                },
                {
                  "status": "affected",
                  "version": "R43x before R430.2"
                }
              ]
            }
          ],
          "datePublic": "2014-12-18T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A file inclusion vulnerability exists in the confd.exe module in Honeywell Experion PKS R40x before R400.6, R41x before R410.6, and R43x before R430.2, which could lead to accepting an arbitrary file into the function, and potential information disclosure or remote code execution. Honeywell strongly encourages and recommends all customers running unsupported versions of EKPS prior to R400 to upgrade to a supported version."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-98",
                  "description": "File inclusion CWE-98",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-04-08T15:09:55.000Z",
            "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
            "shortName": "icscert"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://ics-cert.us-cert.gov/advisories/ICSA-14-352-01"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "ics-cert@hq.dhs.gov",
              "ID": "CVE-2014-9186",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Experion PKS",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "R40x before R400.6"
                              },
                              {
                                "version_value": "R41x before R410.6"
                              },
                              {
                                "version_value": "R43x before R430.2"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Honeywell"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A file inclusion vulnerability exists in the confd.exe module in Honeywell Experion PKS R40x before R400.6, R41x before R410.6, and R43x before R430.2, which could lead to accepting an arbitrary file into the function, and potential information disclosure or remote code execution. Honeywell strongly encourages and recommends all customers running unsupported versions of EKPS prior to R400 to upgrade to a supported version."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "File inclusion CWE-98"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://ics-cert.us-cert.gov/advisories/ICSA-14-352-01",
                  "refsource": "MISC",
                  "url": "https://ics-cert.us-cert.gov/advisories/ICSA-14-352-01"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "assignerShortName": "icscert",
        "cveId": "CVE-2014-9186",
        "datePublished": "2019-04-08T15:09:55.000Z",
        "dateReserved": "2014-12-02T00:00:00.000Z",
        "dateUpdated": "2024-08-06T13:40:24.560Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2014-9187 (GCVE-0-2014-9187)

    Vulnerability from cvelistv5 – Published: 2019-03-25 19:19 – Updated: 2024-08-06 13:40
    VLAI
    Summary
    Multiple heap-based buffer overflow vulnerabilities exist in Honeywell Experion PKS all versions prior to R400.6, all versions prior to R410.6, and all versions prior to R430.2 modules, which could lead to possible remote code execution or denial of service. Honeywell strongly encourages and recommends all customers running unsupported versions of EKPS prior to R400 to upgrade to a supported version.
    Severity
    No CVSS data available.
    CWE
    • CWE-122 - Heap-based buffer overflow CWE-122
    Assigner
    References
    Impacted products
    Vendor Product Version
    Honeywell Experion PKS Affected: R40x prior to R400.6
    Affected: R41x prior to R410.6
    Affected: R43x prior to R430.2
    Create a notification for this product.
    Date Public
    2014-12-18 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-06T13:40:24.531Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://ics-cert.us-cert.gov/advisories/ICSA-14-352-01"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Experion PKS",
              "vendor": "Honeywell",
              "versions": [
                {
                  "status": "affected",
                  "version": "R40x prior to R400.6"
                },
                {
                  "status": "affected",
                  "version": "R41x prior to R410.6"
                },
                {
                  "status": "affected",
                  "version": "R43x prior to R430.2"
                }
              ]
            }
          ],
          "datePublic": "2014-12-18T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Multiple heap-based buffer overflow vulnerabilities exist in Honeywell Experion PKS all versions prior to R400.6, all versions prior to R410.6, and all versions prior to R430.2 modules, which could lead to possible remote code execution or denial of service. Honeywell strongly encourages and recommends all customers running unsupported versions of EKPS prior to R400 to upgrade to a supported version."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-122",
                  "description": "Heap-based buffer overflow CWE-122",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-03-25T19:19:10.000Z",
            "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
            "shortName": "icscert"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://ics-cert.us-cert.gov/advisories/ICSA-14-352-01"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "ics-cert@hq.dhs.gov",
              "ID": "CVE-2014-9187",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Experion PKS",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "R40x prior to R400.6"
                              },
                              {
                                "version_value": "R41x prior to R410.6"
                              },
                              {
                                "version_value": "R43x prior to R430.2"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Honeywell"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Multiple heap-based buffer overflow vulnerabilities exist in Honeywell Experion PKS all versions prior to R400.6, all versions prior to R410.6, and all versions prior to R430.2 modules, which could lead to possible remote code execution or denial of service. Honeywell strongly encourages and recommends all customers running unsupported versions of EKPS prior to R400 to upgrade to a supported version."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Heap-based buffer overflow CWE-122"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://ics-cert.us-cert.gov/advisories/ICSA-14-352-01",
                  "refsource": "MISC",
                  "url": "https://ics-cert.us-cert.gov/advisories/ICSA-14-352-01"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "assignerShortName": "icscert",
        "cveId": "CVE-2014-9187",
        "datePublished": "2019-03-25T19:19:10.000Z",
        "dateReserved": "2014-12-02T00:00:00.000Z",
        "dateUpdated": "2024-08-06T13:40:24.531Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2014-9189 (GCVE-0-2014-9189)

    Vulnerability from cvelistv5 – Published: 2019-03-25 19:10 – Updated: 2024-08-06 13:40
    VLAI
    Summary
    Multiple stack-based buffer overflow vulnerabilities were found in Honeywell Experion PKS all versions prior to R400.6, all versions prior to R410.6, and all versions prior to R430.2 modules that could lead to possible remote code execution, dynamic memory corruption, or denial of service. Honeywell strongly encourages and recommends all customers running unsupported versions of EKPS prior to R400 to upgrade to a supported version.
    Severity
    No CVSS data available.
    CWE
    • CWE-121 - Stack-based buffer overflow CWE-121
    Assigner
    References
    Impacted products
    Vendor Product Version
    Honeywell Experion PKS Affected: R40x prior to R400.6
    Affected: R41x prior to R410.6
    Affected: R43x prior to R430.2
    Create a notification for this product.
    Date Public
    2014-12-18 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-06T13:40:23.163Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://ics-cert.us-cert.gov/advisories/ICSA-14-352-01"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Experion PKS",
              "vendor": "Honeywell",
              "versions": [
                {
                  "status": "affected",
                  "version": "R40x prior to R400.6"
                },
                {
                  "status": "affected",
                  "version": "R41x prior to R410.6"
                },
                {
                  "status": "affected",
                  "version": "R43x prior to R430.2"
                }
              ]
            }
          ],
          "datePublic": "2014-12-18T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Multiple stack-based buffer overflow vulnerabilities were found in Honeywell Experion PKS all versions prior to R400.6, all versions prior to R410.6, and all versions prior to R430.2 modules that could lead to possible remote code execution, dynamic memory corruption, or denial of service. Honeywell strongly encourages and recommends all customers running unsupported versions of EKPS prior to R400 to upgrade to a supported version."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-121",
                  "description": "Stack-based buffer overflow CWE-121",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-03-25T19:10:47.000Z",
            "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
            "shortName": "icscert"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://ics-cert.us-cert.gov/advisories/ICSA-14-352-01"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "ics-cert@hq.dhs.gov",
              "ID": "CVE-2014-9189",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Experion PKS",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "R40x prior to R400.6"
                              },
                              {
                                "version_value": "R41x prior to R410.6"
                              },
                              {
                                "version_value": "R43x prior to R430.2"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Honeywell"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Multiple stack-based buffer overflow vulnerabilities were found in Honeywell Experion PKS all versions prior to R400.6, all versions prior to R410.6, and all versions prior to R430.2 modules that could lead to possible remote code execution, dynamic memory corruption, or denial of service. Honeywell strongly encourages and recommends all customers running unsupported versions of EKPS prior to R400 to upgrade to a supported version."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Stack-based buffer overflow CWE-121"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://ics-cert.us-cert.gov/advisories/ICSA-14-352-01",
                  "refsource": "MISC",
                  "url": "https://ics-cert.us-cert.gov/advisories/ICSA-14-352-01"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "assignerShortName": "icscert",
        "cveId": "CVE-2014-9189",
        "datePublished": "2019-03-25T19:10:47.000Z",
        "dateReserved": "2014-12-02T00:00:00.000Z",
        "dateUpdated": "2024-08-06T13:40:23.163Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }