medicalger.blogg.se

Automation license manager











As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

  • ATTENTION: Exploitable remotely/low attack complexity.
  • Equipment: Automation License Manager (ALM).
  • Vulnerabilities: External Control of File Name or Path, Path Traversal.

Successful exploitation of these vulnerabilities could allow an attacker to modify and rename license files, extract licenses, and overwrite arbitrary files on the target system, potentially leading to privilege escalation and remote code execution.

The following software from Siemens is affected:

  • Automation License Manager V5: All versions.
  • Automation License Manager V6: All versions prior to V6.0 SP9 Upd4.

3.2 VULNERABILITY OVERVIEW

3.2.1 EXTERNAL CONTROL OF FILE NAME OR PATH CWE-73

The affected components allow the renaming of license files with user input without authentication. This could allow an unauthenticated remote attacker to rename and move files as a SYSTEM user.

CVE-2022-43513 has been assigned to this vulnerability. A CVSS v3 base score of 8.2 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L).

3.2.2 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY ('PATH TRAVERSAL') CWE-22

The affected component does not correctly validate the root path for folder related operations, allowing modification of files and folders outside the intended root directory. This could allow an unauthenticated remote user to execute file operations of files outside of the specified root folder. Chained with CVE-2022-43513, this could allow remote code execution.

CVE-2022-43514 has been assigned to this vulnerability. A CVSS v3 base score of 7.7 has been calculated.
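
The root-path validation that the advisory describes as missing (CWE-22), applied to a rename operation like the one in the CWE-73 finding, as an added example that is not Siemens or CISA code. The function names, the `licenses` folder and the sample requests are constructed for illustration, and the weak check is a generic pattern, not the product's actual logic.

```python
import os
import tempfile

def naive_inside(root, user_path):
    # Weak check (illustrative): compares string prefixes without normalising,
    # so "../" segments still look as if they sit under the root.
    return os.path.join(root, user_path).startswith(root)

def resolve_inside(root, user_path):
    """Return the canonical path for user_path, or raise if it leaves root."""
    root_real = os.path.realpath(root)
    # realpath collapses ".." and follows symlinks before the comparison.
    candidate = os.path.realpath(os.path.join(root_real, user_path))
    # commonpath compares whole components, so "licenses_old" != "licenses".
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise PermissionError(f"path escapes root: {user_path!r}")
    return candidate

def safe_rename(root, src, dst):
    """Rename src to dst only when both resolve inside root."""
    src_real = resolve_inside(root, src)
    dst_real = resolve_inside(root, dst)
    if not os.path.isfile(src_real):
        raise FileNotFoundError(src)
    os.rename(src_real, dst_real)
    return dst_real

def demo():
    """Run constructed rename requests against a throwaway directory tree."""
    outcome = {}
    with tempfile.TemporaryDirectory() as base:
        root = os.path.join(base, "licenses")
        os.mkdir(root)
        os.mkdir(os.path.join(base, "licenses_old"))  # sibling sharing the prefix
        with open(os.path.join(root, "a.lic"), "w") as fh:
            fh.write("constructed sample")
        for dst in ("../escaped.lic", "../licenses_old/x.lic", "b.lic"):
            try:
                safe_rename(root, "a.lic", dst)
                hardened = "renamed"
            except PermissionError:
                hardened = "rejected"
            outcome[dst] = (naive_inside(root, dst), hardened)
    return outcome

if __name__ == "__main__":
    for dst, (naive, hardened) in demo().items():
        print(f"{dst!r}: naive check passes={naive}, hardened={hardened}")
```

A path check of this kind addresses only the traversal half of the advisory: the rename operation also needs authentication, and a resolve-then-rename sequence can still race if an untrusted party can create symlinks inside the root.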












