CVE-2021-20595

13.07.2021, 11:15

Improper Restriction of XML External Entity Reference vulnerability in Mitsubishi Electric Air Conditioning System/Centralized Controllers (G-50A Ver.3.35 and prior, GB-50A Ver.3.35 and prior, GB-24A Ver.9.11 and prior, AG-150A-A Ver.3.20 and prior, AG-150A-J Ver.3.20 and prior, GB-50ADA-A Ver.3.20 and prior, GB-50ADA-J Ver.3.20 and prior, EB-50GU-A Ver 7.09 and prior, EB-50GU-J Ver 7.09 and prior, AE-200A Ver 7.93 and prior, AE-200E Ver 7.93 and prior, AE-50A Ver 7.93 and prior, AE-50E Ver 7.93 and prior, EW-50A Ver 7.93 and prior, EW-50E Ver 7.93 and prior, TE-200A Ver 7.93 and prior, TE-50A Ver 7.93 and prior, TW-50A Ver 7.93 and prior, CMS-RMD-J Ver.1.30 and prior), Air Conditioning System/Expansion Controllers (PAC-YG50ECA Ver.2.20 and prior) and Air Conditioning System/BM adapter(BAC-HD150 Ver.2.21 and prior) allows a remote unauthenticated attacker to disclose some of data in the air conditioning system or cause a DoS condition by sending specially crafted packets.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	8.2 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
Mitsubishi	CNA	---				---
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 37%

Vendor	Product	Version
mitsubishi	g-50a_firmware	2.50 ≤ 𝑥 ≤ 3.35
mitsubishi	gb-50a_firmware	2.50 ≤ 𝑥 ≤ 3.35
mitsubishi	ag-150a-a_firmware	𝑥 ≤ 3.20
mitsubishi	ag-150a-j_firmware	𝑥 ≤ 3.20
mitsubishi	gb-50ada-a_firmware	𝑥 ≤ 3.20
mitsubishi	gb-50ada-j_firmware	𝑥 ≤ 3.20
mitsubishi	eb-50gu-a_firmware	𝑥 ≤ 7.09
mitsubishi	eb-50gu-j_firmware	𝑥 ≤ 7.09
mitsubishi	ae-200a_firmware	𝑥 ≤ 7.93
mitsubishi	ae-200e_firmware	𝑥 ≤ 7.93
mitsubishi	ae-50a_firmware	𝑥 ≤ 7.93
mitsubishi	ae-50e_firmware	𝑥 ≤ 7.93
mitsubishi	ew-50a_firmware	𝑥 ≤ 7.93
mitsubishi	ew-50e_firmware	𝑥 ≤ 7.93
mitsubishi	te-200a_firmware	𝑥 ≤ 7.93
mitsubishi	te-50a_firmware	𝑥 ≤ 7.93
mitsubishi	tw-50a_firmware	𝑥 ≤ 7.93
mitsubishi	cms-rmd-j_firmware	𝑥 ≤ 1.30
mitsubishi	pac-yg50eca_firmware	𝑥 ≤ 2.20

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-611 - Improper Restriction of XML External Entity Reference
The software processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

References

https://jvn.jp/vu/JVNVU93086468/index.html

https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-005_en.pdf

https://jvn.jp/vu/JVNVU93086468/index.html

https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-005_en.pdf