AVEVA Operations Control Logger External Control of File Name or Path
CVE-2023-34982

7.1HIGH

Key Information:

Vendor: AVEVA
Status: SystemPlatform; Historian; Application Server; InTouch
Vendor: CVE Published:; 15 November 2023

What is CVE-2023-34982?

This vulnerability permits a local OS-authenticated user with standard privileges to maliciously delete files at the system level in AVEVA Products. If exploited, it could lead to denial of service on devices running the affected versions, enabling unauthorized file manipulation and system disruptions.

Affected Version(s)

Application Server 0 <= 2020 R2 SP1 P01

Batch Management 0 <= 2020 SP1

Communication Drivers Pack 0 <= 2020 R2 SP1

References

https://www.cisa.gov/news-events/ics-advisories/icsa-23-3...

https://www.aveva.com/en/support-and-success/cyber-securi...

CVSS V3.1

Score:

7.1

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 15, 2023
Vulnerability Reserved
Jun 13, 2023

Credit

Lukasz Piotrowski from Equinor reported these vulnerabilities to AVEVA.