PT-2022-6508 · Aveva · Aveva Intouch Access Anywhere

Crisec +1 · Published: 2022-12-23 · Updated: 2024-01-19 · CVE-2022-23854

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N
Name of the Vulnerable Software and Affected Versions: AVEVA InTouch Access Anywhere versions 2020 R2 and older

Description: The issue stems from errors in processing relative directory paths, which allow an unauthenticated user with network access to read files on the system outside of the secure gateway web server. This is exploited with a path traversal request. If an attacker obtains confidential information, such as configuration files containing access credentials, the consequences can be serious. The vulnerability is easily exploited with a command-line tool such as curl, and no user interaction is required. Over 1100 systems are accessible, allowing remote attackers to exploit the vulnerability directly from the internet.

Recommendations: For AVEVA InTouch Access Anywhere versions 2020 R2 and older, update to the latest version that includes the vendor's fix for this issue. As a temporary workaround, restrict access to the secure gateway web server to reduce the risk of exploitation.
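The description above names the weakness (a relative path escaping the web server's directory) and a workaround, but not what a correct check looks like or how to spot attempts in logs. The following is an added example, not AVEVA's code nor part of this advisory: it places the vulnerable pattern (concatenate the request path and trust a string-prefix check) beside a hardened resolver that decodes, normalises and then confines the path, and runs that resolver over constructed access-log lines to flag traversal attempts. The document root `/srv/gateway/www`, the helper names and the log lines are all assumptions made for the illustration.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed document root for the illustration; not AVEVA's real layout.
WEB_ROOT = "/srv/gateway/www"

# Pulls the request target out of a common-log-format line.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def naive_resolve(root, request_path):
    """Vulnerable pattern: concatenate, then trust a string-prefix check.

    The check passes because the string still begins with root, even though
    the '..' segments escape it once the filesystem resolves the path.
    """
    candidate = root + request_path
    if not candidate.startswith(root):
        return None
    return candidate


def resolve_under_root(root, request_path):
    """Hardened pattern: decode, normalise, then confine to root.

    Returns the canonical path if it stays inside root, otherwise None.
    """
    decoded = request_path.split("?", 1)[0]
    # Undo percent-encoding repeatedly so double encoding such as
    # '%252e%252e' is seen as '..' before the traversal check runs.
    for _ in range(3):
        once = unquote(decoded)
        if once == decoded:
            break
        decoded = once
    # Treat backslashes as separators; Windows hosts accept both.
    decoded = decoded.replace("\\", "/")
    if "\x00" in decoded:
        return None
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    # Compare against the normalised path, not the raw request string.
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


def flag_traversal_requests(log_lines, root=WEB_ROOT):
    """Return (line_number, path) for each request the hardened resolver rejects."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        path = match.group(1)
        if resolve_under_root(root, path) is None:
            hits.append((number, path))
    return hits


# Constructed access-log lines in common log format; not from any real system.
SAMPLE_LOG = [
    '10.0.0.5 - - [23/Dec/2022:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.9 - - [23/Dec/2022:10:00:01 +0000] "GET /../../etc/passwd HTTP/1.1" 200 1024',
    '10.0.0.9 - - [23/Dec/2022:10:00:02 +0000] "GET /%2e%2e/%2e%2e/etc/hosts HTTP/1.1" 200 92',
    '10.0.0.7 - - [23/Dec/2022:10:00:03 +0000] "GET /static/../index.html?v=2 HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    print("naive   :", naive_resolve(WEB_ROOT, "/../../etc/passwd"))
    print("hardened:", resolve_under_root(WEB_ROOT, "/../../etc/passwd"))
    for number, path in flag_traversal_requests(SAMPLE_LOG):
        print(f"line {number}: rejected request target {path}")
```

The detector deliberately reuses the resolver rather than a list of `../` signatures: anything the hardened check would refuse is worth reviewing, including encoded and backslash variants, while an in-root request such as `/static/../index.html` is left alone. A 200 status on a flagged line, as in the second and third constructed entries, is the signal that the server actually served the file and the host should be treated as exposed until patched or isolated.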

Tags: Exploit · Fix · Path traversal

Weakness Enumeration: Relative Path Traversal

Related Identifiers: BDU:2023-01804, CVE-2022-23854

Affected Products: Aveva Intouch Access Anywhere