Lucene search

[email protected]NVD:CVE-2023-2913

HistoryJul 18, 2023 - 8:15 p.m.

CVE-2023-2913

2023-07-1820:15:09

CWE-23

CWE-22

[email protected]

web.nvd.nist.gov

cve-2023-2913

path traversal

remote actor

privilege escalation

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS

0.001

Percentile

21.1%

JSON

An executable used in Rockwell Automation ThinManager ThinServer can be configured to enable an API feature in the HTTPS Server Settings. This feature is disabled by default. When the API is enabled and handling requests, a path traversal vulnerability exists that allows a remote actor to leverage the privileges of the server’s file system and read arbitrary files stored in it. A malicious user could exploit this vulnerability by executing a path that contains manipulating variables.

Affected configurations

Nvd

Node

rockwellautomationthinmanagerRange13.0.0–13.0.2

VendorProductVersionCPE
rockwellautomationthinmanager*cpe:2.3:a:rockwellautomation:thinmanager:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
rockwellautomation	thinmanager	*	cpe:2.3:a:rockwellautomation:thinmanager::::::::

References

rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1140160

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS

0.001

Percentile

21.1%

JSON

Related for NVD:CVE-2023-2913

prion1 cve1 ics1 cvelist1