What is GHSA-v5jg-gm3q-h894?

GHSA-v5jg-gm3q-h894 is a security advisory published by GitHub Security Advisories with Critical severity. Schneider Electric SoMachine Basic 1.4 SP1 and Schneider Electric Modicon TM221CE16R 1.3.3.3...

Which CVE IDs does GHSA-v5jg-gm3q-h894 cover?

GHSA-v5jg-gm3q-h894 covers the following CVE IDs: CVE-2017-7574. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

What is the CVSS v3 score of GHSA-v5jg-gm3q-h894?

GHSA-v5jg-gm3q-h894 has a CVSS v3 base score of 9.8, published by GitHub Security Advisories.

GHSA-v5jg-gm3q-h894CriticalCVSS 9.8

Schneider Electric SoMachine Basic 1.4 SP1 and Schneider Electric Modicon TM221CE16R 1.3.3.3...

Vendor

GitHub Security Advisories

Published

May 13, 2022

Last Modified

May 29, 2026

🔗 CVE IDs covered (1)

CVE-2017-7574 →

📋 Description

Schneider Electric SoMachine Basic 1.4 SP1 and Schneider Electric Modicon TM221CE16R 1.3.3.3 devices have a hardcoded-key vulnerability. The Project Protection feature is used to prevent unauthorized users from opening an XML protected project file, by prompting the user for a password. This XML file is AES-CBC encrypted; however, the key used for encryption (SoMachineBasicSoMachineBasicSoMa) cannot be changed. After decrypting the XML file with this key, the user password can be found in the decrypted data. After reading the user password, the project can be opened and modified with the Schneider product.

🔗 References (5)

https://nvd.nist.gov/vuln/detail/CVE-2017-7574
https://os-s.net/advisories/OSS-2017-02.pdf
http://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2017-097-01
http://www.securityfocus.com/bid/97518
https://github.com/advisories/GHSA-v5jg-gm3q-h894