CVE-2023-2917
Severity CVSS v4.0:
Pending analysis
Type:
CWE-22
Path Traversal
Publication date:
17/08/2023
Last modified:
23/08/2023
Description
The Rockwell Automation Thinmanager Thinserver is impacted by an improper input validation vulnerability. Due to an improper input validation, a path traversal vulnerability exists, via the filename field, when the ThinManager processes a certain function. If exploited, an unauthenticated remote attacker can upload arbitrary files to any directory on the disk drive where ThinServer.exe is installed. A malicious user could exploit this vulnerability by sending a crafted synchronization protocol message and potentially gain remote code execution abilities.<br />
<br />
Impact
Base Score 3.x
9.80
Severity 3.x
CRITICAL
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:rockwellautomation:thinmanager_thinserver:*:*:*:*:*:*:*:* | 11.0.0 (including) | 11.0.6 (including) |
| cpe:2.3:a:rockwellautomation:thinmanager_thinserver:*:*:*:*:*:*:*:* | 11.1.0 (including) | 11.1.6 (including) |
| cpe:2.3:a:rockwellautomation:thinmanager_thinserver:*:*:*:*:*:*:*:* | 11.2.0 (including) | 11.2.7 (including) |
| cpe:2.3:a:rockwellautomation:thinmanager_thinserver:*:*:*:*:*:*:*:* | 12.0.0 (including) | 12.0.5 (including) |
| cpe:2.3:a:rockwellautomation:thinmanager_thinserver:*:*:*:*:*:*:*:* | 12.1.0 (including) | 12.1.6 (including) |
| cpe:2.3:a:rockwellautomation:thinmanager_thinserver:*:*:*:*:*:*:*:* | 13.0.0 (including) | 13.0.2 (including) |
| cpe:2.3:a:rockwellautomation:thinmanager_thinserver:13.1.0:*:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page