PT-2012-1189 · 3S Smart Software Solutions · Codesys Runtime System

Published: 2012-12-05 · Updated: 2025-07-02 · CVE-2012-6069

CVSS v3.1: 10 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

CODESYS Runtime System versions 2.3.x through 2.4.x

Description

The issue allows remote attackers to read, overwrite, or create arbitrary files via a .. (dot dot) element in the path of a request to the TCP listener service. The cause is improper restriction of the path name to a directory with limited access.

Recommendations

For CODESYS Runtime System versions 2.3.x through 2.4.x, consider restricting access to the TCP listener service until a patch is available. As a temporary workaround, avoid using the .. element in the path when requesting the network service to minimize the risk of exploitation.

Fix

Path traversal

Relative Path Traversal

Weakness Enumeration

Related Identifiers

BDU:2016-02092
BDU:2017-00135
CVE-2012-6069

Affected Products

Codesys Runtime System