CVE-2022-2969
Published 2022-12-01
Priority P3 · 42 · high · 7.5 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
EPSS: 2.28% (81.0th percentile)
Delta Industrial Automation DIALink versions prior to v1.5.0.0 Beta 4 use an external input to construct a pathname intended to identify a file or directory located underneath a restricted parent directory. However, the software does not properly neutralize special elements within the pathname, which can cause the pathname to resolve to a location outside of the restricted directory.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| delta_industrial_automation | dialink | < 1.5.0.0 Beta 4 | 1.5.0.0 Beta 4 |
| deltaww | dialink | < 1.5.0.0 | 1.5.0.0 |
| deltaww | dialink | — | — |
GHSA
GHSA-c28m-8g89-fpm5 · ghsa_unreviewed · 2022-12-01
CVE-2022-2969 [HIGH] CWE-22
CISA ICS
[HIGH] Delta Industrial Automation DIALink
cisa_ics · 2022-11-03 · CVSS 8.1
ICS Advisory
## Delta Industrial Automation DIALink
Last Revised: November 03, 2022
Alert Code: ICSA-22-307-03
## 1. EXECUTIVE SUMMARY
- CVSS v3 8.1
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Delta Industrial Automation
- Equipment: DIALink
- Vulnerability: Path traversal
## 2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an attacker to place malicious code on the target device.
## 3. TECHNICAL DETAILS
## 3.1 AFFECTED PRODUCTS
Delta Industrial Automation reports this vulnerability affects the following DIALink products:
- DIALink version