CVE-2023-33873
published 2023-11-15
CVE-2023-33873: This privilege escalation vulnerability, if exploited, could allow a local OS-authenticated user with standard privileges to escalate to System privilege on…
Priority P340 · high · 7.8 (CVSS 3.1)
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.24% (14.5th percentile)
This privilege escalation vulnerability, if exploited, could allow a local OS-authenticated user with standard privileges to escalate to System privilege on the machine where these products are installed, resulting in complete compromise of the target machine.
Affected
35 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| aveva | application_server | <= 2020 R2 SP1 P01 | — |
| aveva | batch_management | < 2020 | 2020 |
| aveva | batch_management | <= 2020 SP1 | — |
| aveva | batch_management | — | — |
| aveva | communication_drivers | < 2020 | 2020 |
| aveva | communication_drivers | — | — |
| aveva | communication_drivers_pack | <= 2020 R2 SP1 | — |
| aveva | edge | <= 20.1.101 | — |
| aveva | enterprise_licensing | <= 3.7.002 | — |
| aveva | historian | < 2020 | 2020 |
| aveva | historian | <= 2020 R2 SP1 P01 | — |
| aveva | historian | — | — |
| aveva | intouch | < 2020 | 2020 |
| aveva | intouch | <= 2020 R2 SP1 P01 | — |
| aveva | intouch | — | — |
| aveva | manufacturing_execution_system | < 2020 | 2020 |
| aveva | manufacturing_execution_system | <= 2020 P01 | — |
| aveva | manufacturing_execution_system | — | — |
| aveva | mobile_operator | < 2020 | 2020 |
| aveva | mobile_operator | <= 2020 R1 | — |
| aveva | mobile_operator | — | — |
| aveva | plant_scada | < 2020 | 2020 |
| aveva | plant_scada | <= 2020 R2 Update 15 | — |
| aveva | plant_scada | — | — |
| aveva | recipe_management | < 2020 | 2020 |
CISA ICS
AVEVA Operations Control Logger
cisa_ics·2023-11-14
ICS Advisory
Release Date: November 14, 2023
Alert Code: ICSA-23-318-01
## 1. EXECUTIVE SUMMARY
- CVSS v3 7.8
- ATTENTION: Low attack complexity
- Vendor: AVEVA
- Equipment: Operations Control Logger
- Vulnerabilities: Execution with Unnecessary Privileges, External Control of File Name or Path
## 2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow privilege escalation or denial of service.
## 3. TECHNICAL DETAILS
## 3.1 AFFECTED PRODUCTS
AVEVA has created a security update to address vulnerabilities in the AVEVA Operations Control Logger (formerly known as ArchestrA Logger), impacting the following products:
- AVEVA SystemPlatform: 2020 R2 SP1 P01 and prior
- AVEVA Historian: 2020 R
GHSA
GHSA-6v89-cgp3-2347: This privilege escalation vulnerability, if exploited, could allow a local OS-authenticated user with standard privileges to escalate to System privil
ghsa_unreviewed·2023-11-15
CVE-2023-33873 [HIGH] CWE-250 GHSA-6v89-cgp3-2347: This privilege escalation vulnerability, if exploited, could allow a local OS-authenticated user with standard privileges to escalate to System privil
This privilege escalation vulnerability, if exploited, could allow a local OS-authenticated user with standard privileges to escalate to System privilege on the machine where these products are installed, resulting in complete compromise of the target machine.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2023-11-15
Published