PILZ: Multiple products affected by ZipSlip
CVE-2022-40976

5.5MEDIUM

Key Information:

Vendor

Pilz

Status
Pascal
Pasconnect
Pasmotion
Pnozmulti Configurator
Vendor
CVE Published:
24 November 2022

What is CVE-2022-40976?

A path traversal vulnerability was discovered in multiple Pilz products. An unauthenticated local attacker could use a zipped, malicious configuration file to trigger arbitrary file writes ('zip-slip'). File writes do not affect confidentiality or availability.

Affected Version(s)

PAS4000 1.0.0 < 1.25.0

PAScal 1.0.0 <= 1.9.1

PASconnect 1.0.0 < 1.4.0

References

https://cert.vde.com/en/advisories/VDE-2022-044/
https://cert.vde.com/en/advisories/VDE-2022-045/

CVSS V3.1

Score:
5.5
Severity:
MEDIUM
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.