PT-2022-5829 · Aveva · Aveva Edge

Published 2022-11-22 · Updated 2023-12-20 · CVE-2021-42797

CVSS v2.0: 7.8 (High)

Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N

Name of the Vulnerable Software and Affected Versions: AVEVA Edge (formerly InduSoft Web Studio) versions R2020 and prior

Description: A path traversal vulnerability allows an unauthenticated user to steal the Windows access token of the user account configured for accessing external DB resources. It can be exploited by sending a specially crafted HTTP request, potentially allowing a remote attacker to gain unauthorized access to protected information. The vulnerability is also related to the use of Windows UNC (\\UNC\share\name) resources.

Recommendations: For AVEVA Edge versions R2020 and prior, update to a version later than R2020 to resolve the issue. As a temporary workaround, consider restricting access to external DB resources to minimize the risk of exploitation.

Fix

Path traversal

Weakness Enumeration

Related Identifiers

BDU:2022-07236
CVE-2021-42797

Affected Products

Aveva Edge