#VU83209 External Control of File Name or Path in AVEVA Software, LLC. products - CVE-2023-34982
Published: November 15, 2023
Vulnerability identifier: #VU83209
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2023-34982
CWE-ID: CWE-73
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vulnerable software:
AVEVA SystemPlatform
AVEVA Application Server
AVEVA Enterprise Licensing
AVEVA Recipe Management
AVEVA Worktasks
AVEVA Plant SCADA
AVEVA Telemetry Server
AVEVA Operations Control Logger
AVEVA Historian
AVEVA InTouch
AVEVA Manufacturing Execution System
AVEVA Batch Management
AVEVA Mobile Operator
AVEVA Communication Drivers Pack
AVEVA Edge
Software vendor:
AVEVA Software, LLC.
Description
The vulnerability allows a local user to delete arbitrary files.
The vulnerability exists because the application allows an attacker to control the path of the files to delete. A local user can send a specially crafted HTTP request and delete arbitrary files on the system, leading to a denial of service (DoS) condition.
Remediation
Install updates from the vendor's website.