Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2021-27471

The parsing mechanism that processes certain file types does not provide input sanitization for file paths. This may allow an attacker to craft malicious files that, when opened by Rockwell Automation Connected Components Workbench v12.00.00 and prior, can traverse the file system. If successfully exploited, an attacker could overwrite existing files and create additional files with the same permissions of the Connected Components Workbench software. User interaction is required for this exploit to be successful.

Published

2022-03-23T20:15:09.037

Last Modified

2024-11-21T05:58:03.517

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 7.7 (HIGH)

CVSSv2 Vector

AV:N/AC:M/Au:N/C:P/I:P/A:P

Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

Exploitability Score

8.6

Impact Score

6.4

Weaknesses

Type: Secondary
CWE-22
Type: Primary
CWE-22

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	rockwellautomation	connected_components_workbench	≤ 12.00.00	Yes

References

https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1131435 Permissions Required, Vendor Advisory ([email protected])
https://www.cisa.gov/uscert/ics/advisories/icsa-21-133-01 Third Party Advisory, US Government Resource ([email protected])
https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1131435 Permissions Required, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.cisa.gov/uscert/ics/advisories/icsa-21-133-01 Third Party Advisory, US Government Resource (af854a3a-2127-422b-91ae-364da2661108)