CVE-2021-20595
CVE-2021-20595 is a high-severity vulnerability rated 8.2/10 on the CVSS scale. It is an XML External Entity (XXE) weakness (Improper Restriction of XML External Entity Reference) in Mitsubishi Electric air conditioning centralized controllers, expansion controllers and BM adapters: a remote, unauthenticated attacker can send specially crafted packets to disclose some of the data in the air conditioning system or cause a denial-of-service condition. The full list of affected models and versions is given in the Description below. EPSS estimates a 1.78% chance of exploitation in the next 30 days.
Description
Improper Restriction of XML External Entity Reference vulnerability in Mitsubishi Electric Air Conditioning System/Centralized Controllers (G-50A Ver.3.35 and prior, GB-50A Ver.3.35 and prior, GB-24A Ver.9.11 and prior, AG-150A-A Ver.3.20 and prior, AG-150A-J Ver.3.20 and prior, GB-50ADA-A Ver.3.20 and prior, GB-50ADA-J Ver.3.20 and prior, EB-50GU-A Ver 7.09 and prior, EB-50GU-J Ver 7.09 and prior, AE-200A Ver 7.93 and prior, AE-200E Ver 7.93 and prior, AE-50A Ver 7.93 and prior, AE-50E Ver 7.93 and prior, EW-50A Ver 7.93 and prior, EW-50E Ver 7.93 and prior, TE-200A Ver 7.93 and prior, TE-50A Ver 7.93 and prior, TW-50A Ver 7.93 and prior, CMS-RMD-J Ver.1.30 and prior), Air Conditioning System/Expansion Controllers (PAC-YG50ECA Ver.2.20 and prior) and Air Conditioning System/BM adapter (BAC-HD150 Ver.2.21 and prior) allows a remote unauthenticated attacker to disclose some of the data in the air conditioning system or cause a DoS condition by sending specially crafted packets.
Metrics
CVSS v3.1 base score 8.2 (High), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H: network attack vector, low attack complexity, no privileges or user interaction required, unchanged scope; low confidentiality impact, no integrity impact, high availability impact.
Weakness Enumeration
Improper Restriction of XML External Entity Reference (XXE)
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Mitsubishi | G-50A firmware | >= 2.50, <= 3.35 |
| Mitsubishi | GB-50A firmware | >= 2.50, <= 3.35 |
| Mitsubishi | AG-150A-A firmware | <= 3.20 |
| Mitsubishi | AG-150A-J firmware | <= 3.20 |
| Mitsubishi | GB-50ADA-A firmware | <= 3.20 |
| Mitsubishi | GB-50ADA-J firmware | <= 3.20 |
| Mitsubishi | EB-50GU-A firmware | <= 7.09 |
| Mitsubishi | EB-50GU-J firmware | <= 7.09 |
| Mitsubishi | AE-200A firmware | <= 7.93 |
| Mitsubishi | AE-200E firmware | <= 7.93 |
| Mitsubishi | AE-50A firmware | <= 7.93 |
| Mitsubishi | AE-50E firmware | <= 7.93 |
| Mitsubishi | EW-50A firmware | <= 7.93 |
| Mitsubishi | EW-50E firmware | <= 7.93 |
| Mitsubishi | TE-200A firmware | <= 7.93 |
| Mitsubishi | TE-50A firmware | <= 7.93 |
| Mitsubishi | TW-50A firmware | <= 7.93 |
| Mitsubishi | CMS-RMD-J firmware | <= 1.30 |
| Mitsubishi | PAC-YG50ECA firmware | <= 2.20 |
References
- https://jvn.jp/vu/JVNVU93086468/index.html (Third Party Advisory)
Source: NVD / NIST
