CVE-2020-12003

Name of the Vulnerable Software and Affected Versions FactoryTalk Linx versions 6.00 through 6.11 RSLinx Classic versions 4.11.00 and prior Connected Components Workbench versions 12 and prior ControlFLASH versions 14 and later ControlFLASH Plus versions 1 and later FactoryTalk Asset Centre versions 9 and later FactoryTalk Linx CommDTM versions 1 and later Studio 5000 Launcher versions 31 and later Studio 5000 Logix Designer software versions 32 and prior

Description An exposed API call allows users to provide files to be processed without sanitation. This may allow an attacker to use specially crafted requests to traverse the file system and expose sensitive data on the local hard drive.

Recommendations For FactoryTalk Linx versions 6.00 through 6.11, consider disabling the exposed API call until a patch is available. For RSLinx Classic versions 4.11.00 and prior, restrict access to the API endpoint to minimize the risk of exploitation. For Connected Components Workbench versions 12 and prior, avoid using the vulnerable API call in production environments until the issue is resolved. For ControlFLASH versions 14 and later, ControlFLASH Plus versions 1 and later, FactoryTalk Asset Centre versions 9 and later, FactoryTalk Linx CommDTM versions 1 and later, Studio 5000 Launcher versions 31 and later, and Studio 5000 Logix Designer software versions 32 and prior, at the moment, there is no information about a newer version that contains a fix for this vulnerability.