PT-2023-25084 · Open Automation · Open Automation Software Oas Platform

Author: A Member

Published: 2023-09-05

Updated: 2023-09-08

CVE ID: CVE-2023-34994

CVSS v3.1: 4.3 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Name of the Vulnerable Software and Affected Versions: Open Automation Software OAS Platform version 18.00.0072

Description: An improper resource allocation issue exists in the OAS Engine configuration management functionality. A specially crafted series of network requests can lead to the creation of an arbitrary directory. An attacker can send a sequence of requests to trigger this issue, allowing unauthorized users to create new directories anywhere the underlying OAS user system account has access to.

Recommendations: For Open Automation Software OAS Platform version 18.00.0072, consider restricting access to the OAS Engine configuration management functionality to prevent unauthorized directory creation until a patch is available. As a temporary workaround, limit the privileges of the OAS user system account to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.


Weakness Enumeration: Allocation of Resources Without Limits

Related Identifiers

CVE-2023-34994

Affected Products

Open Automation Software Oas Platform