Lucene search

[email protected]CVE-2023-2915

HistoryAug 17, 2023 - 4:15 p.m.

CVE-2023-2915

2023-08-1716:15:09

CWE-22

CWE-20

[email protected]

web.nvd.nist.gov

cve-2023-2915

rockwell automation

thinmanager

thinserver

input validation

vulnerability

path traversal

remote threat actor

denial-of-service

nvd

9.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

9.1 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

40.0%

JSON

The Rockwell Automation Thinmanager Thinserver is impacted by an improper input validation vulnerability, Due to improper input validation, a path traversal vulnerability exists when the ThinManager software processes a certain function. If exploited, an unauthenticated remote threat actor can delete arbitrary files with system privileges. A malicious user could exploit this vulnerability by sending a specifically crafted synchronization protocol message resulting in a denial-of-service condition.

Affected configurations

NVD

Node

rockwellautomationthinmanager_thinserverRange11.0.0–11.0.6

rockwellautomationthinmanager_thinserverRange11.1.0–11.1.6

rockwellautomationthinmanager_thinserverRange11.2.0–11.2.7

rockwellautomationthinmanager_thinserverRange12.0.0–12.0.5

rockwellautomationthinmanager_thinserverRange12.1.0–12.1.6

rockwellautomationthinmanager_thinserverRange13.0.0–13.0.2

rockwellautomationthinmanager_thinserverMatch13.1.0

CPENameOperatorVersion
rockwellautomation:thinmanager_thinserverrockwellautomation thinmanager thinserverle11.0.6
rockwellautomation:thinmanager_thinserverrockwellautomation thinmanager thinserverle11.1.6
rockwellautomation:thinmanager_thinserverrockwellautomation thinmanager thinserverle11.2.7
rockwellautomation:thinmanager_thinserverrockwellautomation thinmanager thinserverle12.0.5
rockwellautomation:thinmanager_thinserverrockwellautomation thinmanager thinserverle12.1.6
rockwellautomation:thinmanager_thinserverrockwellautomation thinmanager thinserverle13.0.2
rockwellautomation:thinmanager_thinserverrockwellautomation thinmanager thinservereq13.1.0

CPE	Name	Operator	Version
rockwellautomation:thinmanager_thinserver	rockwellautomation thinmanager thinserver	le	11.0.6
rockwellautomation:thinmanager_thinserver	rockwellautomation thinmanager thinserver	le	11.1.6
rockwellautomation:thinmanager_thinserver	rockwellautomation thinmanager thinserver	le	11.2.7
rockwellautomation:thinmanager_thinserver	rockwellautomation thinmanager thinserver	le	12.0.5
rockwellautomation:thinmanager_thinserver	rockwellautomation thinmanager thinserver	le	12.1.6
rockwellautomation:thinmanager_thinserver	rockwellautomation thinmanager thinserver	le	13.0.2
rockwellautomation:thinmanager_thinserver	rockwellautomation thinmanager thinserver	eq	13.1.0

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "ThinManager ThinServer",
    "vendor": "Rockwell Automation",
    "versions": [
      {
        "status": "affected",
        "version": "11.0.0 - 11.2.6"
      },
      {
        "status": "affected",
        "version": "11.1.0 - 11.1.6"
      },
      {
        "status": "affected",
        "version": "11.2.0 - 11.2.7"
      },
      {
        "status": "affected",
        "version": "12.0.0 - 12.0.5"
      },
      {
        "status": "affected",
        "version": "12.1.0 - 12.1.6"
      },
      {
        "status": "affected",
        "version": "13.0.0 - 13.0.2"
      },
      {
        "status": "affected",
        "version": "13.1.0"
      }
    ]
  }
]