PT-2021-6478 · Rockwell Automation · Rockwell Automation Connected Components Workbench
Mashav Sapir · Published 2021-02-19 · Updated 2022-03-29
CVE-2021-27473
CVSS v3.1: 8.2 (High)
Vector: AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Rockwell Automation Connected Components Workbench version 12.00.00 and prior
Description
The software fails to sanitize entry paths inside a .ccwarc archive file during extraction (a Zip Slip vulnerability): an archive entry whose name contains directory traversal sequences is written outside the intended extraction directory. A local, authenticated attacker can create a malicious .ccwarc archive file to gain the privileges of the software. If the software is running at SYSTEM level, the attacker will gain admin-level privileges. User interaction is required for this exploit to be successful.
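The check whose absence a Zip Slip bug comes down to is small: before any entry is written, its name must be resolved against the destination directory and rejected if it lands anywhere else. The following is an added example, not Rockwell Automation's code, and it uses Python's standard zipfile module on a constructed in-memory archive rather than the .ccwarc format; the entry names and the helper functions are illustrative.

```python
import io
import os
import tempfile
import zipfile
from typing import List


def build_sample_archive(include_traversal: bool) -> bytes:
    """Constructed sample archive: a benign entry plus, optionally, two entries
    whose names try to escape the extraction directory (the Zip Slip pattern)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("project/readme.txt", "benign content")
        if include_traversal:
            zf.writestr("../../outside.txt", "would land two directories up")
            zf.writestr("/abs/path.txt", "absolute name, would ignore the destination")
    return buf.getvalue()


def is_safe_member(dest: str, name: str) -> bool:
    """True only if 'name', joined onto 'dest', resolves to a path inside 'dest'."""
    dest_real = os.path.realpath(dest)
    normalized = name.replace("\\", "/")          # archives may carry Windows separators
    drive, _ = os.path.splitdrive(normalized)
    if drive or normalized.startswith("/"):       # absolute names never belong in an archive
        return False
    target = os.path.realpath(os.path.join(dest_real, normalized))
    return os.path.commonpath([dest_real, target]) == dest_real


def unsafe_members(zip_bytes: bytes, dest: str) -> List[str]:
    """Names of archive entries that would be written outside 'dest'."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if not is_safe_member(dest, n)]


def safe_extract(zip_bytes: bytes, dest: str) -> List[str]:
    """Validate every entry first and refuse the whole archive if any fails;
    returns the entry names that were written."""
    bad = unsafe_members(zip_bytes, dest)
    if bad:
        raise ValueError(f"refusing to extract, unsafe entries: {bad}")
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = os.path.join(dest, info.filename.replace("\\", "/"))
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as out:
                out.write(src.read())
            written.append(info.filename)
    return written


def audit_sample_archives() -> dict:
    """Run the hostile and the clean sample through the check in a throwaway directory."""
    result = {}
    with tempfile.TemporaryDirectory() as dest:
        hostile = build_sample_archive(include_traversal=True)
        result["unsafe"] = unsafe_members(hostile, dest)
        try:
            safe_extract(hostile, dest)
            result["refused"] = False
        except ValueError:
            result["refused"] = True
        result["written"] = safe_extract(build_sample_archive(include_traversal=False), dest)
    return result


if __name__ == "__main__":
    print(audit_sample_archives())
```

The whole archive is rejected rather than skipping the bad entries, because an extractor that silently drops entries leaves the user with a half-written project and no signal that the file was hostile; logging the rejected names gives a detection point as well.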
Recommendations
For Rockwell Automation Connected Components Workbench version 12.00.00 and prior, consider restricting access to the .ccwarc archive file until a patch is available. As a temporary workaround, avoid opening untrusted .ccwarc archive files with Connected Components Workbench to minimize the risk of exploitation.
Fix
Path traversal · RCE
Related Identifiers
Affected Products
Rockwell Automation Connected Components Workbench