Rockwell Automation Connected Components Workbench Path Traversal
CVE-2021-27471

7.7HIGH

Key Information:

Vendor: Rockwell Automation
Status: Connected Components Workbench
Vendor: CVE Published:; 23 March 2022

Summary

The parsing mechanism that processes certain file types does not provide input sanitization for file paths. This may allow an attacker to craft malicious files that, when opened by Rockwell Automation Connected Components Workbench v12.00.00 and prior, can traverse the file system. If successfully exploited, an attacker could overwrite existing files and create additional files with the same permissions of the Connected Components Workbench software. User interaction is required for this exploit to be successful.

Affected Version(s)

Connected Components Workbench <= unspecified

References

https://www.cisa.gov/uscert/ics/advisories/icsa-21-133-01

x_refsource_CONFIRM

https://rockwellautomation.custhelp.com/app/answers/answe...

x_refsource_CONFIRM

CVSS V3.1

Score:

7.7

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

High

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Mar 23, 2022
Vulnerability Reserved
Feb 19, 2021

Credit

Mashav Sapir of Claroty reported these vulnerabilities to Rockwell Automation.