Rockwell Automation ThinManager ThinServer Path Traversal Vulnerability
CVE-2023-2913

7.5HIGH

Key Information:

Vendor: Rockwell Automation
Status: Thinmanager Thinserver
Vendor: CVE Published:; 18 July 2023

Summary

A configuration issue in the Rockwell Automation ThinManager ThinServer allows an API feature to be enabled within the HTTPS Server Settings, which is disabled by default. If activated, a path traversal vulnerability allows remote attackers to exploit server file system privileges, enabling them to read arbitrary files stored on the server. By manipulating specific path variables, a malicious user could gain unauthorized access to sensitive information, posing a significant risk to data confidentiality and integrity.

Affected Version(s)

ThinManager ThinServer 13.0.0 - 13.0.2

ThinManager ThinServer 13.1.0

References

https://rockwellautomation.custhelp.com/app/answers/answe...

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jul 18, 2023
Vulnerability Reserved
May 26, 2023

Credit

Sven Krewitt from Flashpoint.io reported this vulnerability to Rockwell Automation