CVE-2019-7227
Severity
7.3 HIGH
EPSS
0.5%
top 34.05%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Jun 27
Latest update: May 24
Description
In the ABB IDAL FTP server, an authenticated attacker can traverse to arbitrary directories on the hard disk with "CWD ../" and then use the FTP server functionality to download and upload files. An unauthenticated attacker can take advantage of the hardcoded or default credential pair exor/exor to become an authenticated attacker.
CVSS vector
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Exploitability: 2.1 | Impact: 5.2
Affected Packages: 1 package
Patches
Vulnerability Details (2)
GHSA
GHSA-2xg2-fhgj-3829 (2022-05-24): In the ABB IDAL FTP server, an authenticated attacker can traverse to arbitrary directories on the hard disk with "CWD
CVEList
CVE-2019-7227 (2019-06-27): In the ABB IDAL FTP server, an authenticated attacker can traverse to arbitrary directories on the hard disk with "CWD