CVE-2023-34982 — External Control of File Name or Path in Manufacturing Execution System

CWE-73 — External Control of File Name or Path CWE-610 — Externally Controlled Reference to a Resource in Another Sphere3 documents3 sources

Severity

7.1HIGHNVD

CNA5.5

EPSS

0.1%

top 74.77%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Aveva Batch Management Aveva Communication Drivers Aveva Historian +14 more

Timeline

PublishedNov 15

Description

This external control vulnerability, if exploited, could allow a local OS-authenticated user with standard privileges to delete files with System privilege on the machine where these products are installed, resulting in denial of service.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:HExploitability: 1.8 | Impact: 5.2

Affected Packages27 packages

▶NVDaveva/system_platform< 2020+1

▶NVDaveva/manufacturing_execution_system< 2020+1

▶CVEListV5aveva/systemplatform2020 R2 SP1 P01

▶CVEListV5aveva/manufacturing_execution_system2020 P01

▶NVDaveva/intouch< 2020+1

🔴Vulnerability Details

CVEList

AVEVA Operations Control Logger External Control of File Name or Path↗2023-11-15

▶

GHSA

GHSA-rv48-qr4w-frqj: This external control vulnerability, if exploited, could allow a local OS-authenticated user with standard privileges to delete files with System priv↗2023-11-15

▶