PT-2021-22877 · Siemens · Simatic Route Control (+5 further products)

Published: 2021-11-09 · Updated: 2023-04-11 · CVE-2021-40359

CVSS v3.1: 7.7 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
OpenPCS 7 versions 7.0 through 9.1
SIMATIC BATCH versions 8.2 through 9.1
SIMATIC NET PC Software versions 14 through 17
SIMATIC PCS 7 versions 8.2 through 9.1
SIMATIC Route Control versions 8.2 through 9.1
SIMATIC WinCC versions 7.4 through 17
Description
A vulnerability has been identified in the affected systems: they do not properly neutralize special elements within the pathname when downloading files. This could allow an attacker to make the pathname resolve to a location outside the restricted directory on the server and read unexpected critical files.
Recommendations
For each of the following, update to a version that properly neutralizes special elements within the pathname:
OpenPCS 7 versions 7.0 through 9.1
SIMATIC BATCH versions 8.2 through 9.1
SIMATIC NET PC Software versions 14 through 17
SIMATIC PCS 7 versions 8.2 through 9.1
SIMATIC Route Control versions 8.2 through 9.1
SIMATIC WinCC versions 7.4 through 17
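The check that "properly neutralizes special elements within the pathname" comes down to resolving the requested name against the download root and refusing anything that lands outside it. The following is an added, generic illustration of that control (not Siemens code, and not taken from any of the affected products): the download root and the sample request names are constructed for the example, and the function assumes the caller has URL-decoded the requested name exactly once before handing it over. The naive join is shown alongside only to make the difference visible.

```python
import os
from pathlib import Path


class PathTraversalError(ValueError):
    """Raised when a requested download name escapes the download root."""


def resolve_download_path(base_dir: str, requested: str) -> Path:
    """Map an already-decoded, user-supplied file name onto the download root.

    Containment is checked on the *resolved* path, so '..' segments,
    absolute paths and symlinks that point outside base_dir are all
    rejected rather than merely string-filtered.
    """
    # A null byte would truncate the name at the OS boundary; reject early.
    if "\x00" in requested:
        raise PathTraversalError("null byte in requested name")

    base = Path(base_dir).resolve()
    # Path('/root') / '/etc/passwd' yields '/etc/passwd', which then fails
    # the containment check below, so absolute input is covered too.
    candidate = (base / requested).resolve()

    # The root itself is a directory, never a downloadable file.
    if candidate == base:
        raise PathTraversalError("empty or root-only request")

    try:
        candidate.relative_to(base)      # raises ValueError when outside base
    except ValueError:
        raise PathTraversalError(f"{requested!r} resolves outside {base}") from None
    return candidate


def is_within_base(base_dir: str, requested: str) -> bool:
    """Convenience wrapper returning True when the request would be served."""
    try:
        resolve_download_path(base_dir, requested)
        return True
    except PathTraversalError:
        return False


def naive_download_path(base_dir: str, requested: str) -> str:
    """The weak pattern: join and normalize, with no containment check."""
    return os.path.normpath(os.path.join(base_dir, requested))


if __name__ == "__main__":
    root = "/srv/downloads"            # constructed download root for the demo
    for name in ["report.txt", "sub/../report.txt", "../../etc/passwd",
                 "/etc/passwd", "..%2F..%2Fetc/passwd"]:
        print(f"{name!r:28} naive={naive_download_path(root, name):24} "
              f"checked={is_within_base(root, name)}")
```

The last sample name shows why decoding order matters: if the framework has not decoded `%2F` yet, the name is a harmless literal directory called `..%2F..%2Fetc` inside the root, but decoding it after the check would turn it back into a traversal. Run the check on the same representation the filesystem will see.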

Weakness Enumeration: Path traversal

Related Identifiers: CVE-2021-40359

Affected Products

Openpcs 7
Simatic Batch
Simatic Net Pc
Simatic Pcs 7
Simatic Route Control
Simatic Wincc