Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
CVE Vulnerability Details :
CVE-2021-22281
PUBLISHED
More InfoOfficial Page
Assigner-ABB
Assigner Org ID-2b718523-d88f-4f37-9bbd-300c20644bf9
View Known Exploited Vulnerability (KEV) details
Published At-02 Feb, 2024 | 07:24
Updated At-21 Aug, 2024 | 17:32
Rejected At-
▼CVE Numbering Authority (CNA)
Zip Slip Vulnerability in B&R Automation Studio Project Import

: Relative Path Traversal vulnerability in B&R Industrial Automation Automation Studio allows Relative Path Traversal.This issue affects Automation Studio: from 4.0 through 4.12.

Affected Products
Vendor
B&R Industrial Automation GmbHB&R Industrial Automation
Product
Automation Studio
Default Status
unaffected
Versions
Affected
  • From 4.0 through 4.12 (custom)
Problem Types
TypeCWE IDDescription
CWECWE-23CWE-23: Relative Path Traversal
Type: CWE
CWE ID: CWE-23
Description: CWE-23: Relative Path Traversal
Metrics
VersionBase scoreBase severityVector
3.16.3MEDIUM
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N
Version: 3.1
Base score: 6.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
CAPEC-139CAPEC-139 Relative Path Traversal
CAPEC ID: CAPEC-139
Description: CAPEC-139 Relative Path Traversal
Solutions
Configurations
Workarounds

B&R recommends the following specific workarounds and mitigations: Open only B&R Automation Studio project files from trusted source. Use encrypted export of B&R Automation Studio project files, thus only allowing access to legitimate users. Protect locations where B&R Automation Studio projects are stored from unauthorized access. This includes PLCs, when using the feature to back up project source files on target. Do not run B&R Automation Studio in elevated mode. Make sure, that Windows User Access Control (UAC) is enabled. Verify integrity of B&R Automation Studio project files, which are exchanged via potentially insecure channels In general, B&R recommends implementing the Cyber Security guidelines

Exploits
Credits
finder
B&R would like to thank the following for working with us to help protect our customers: Mr. Mashav Sapir of Claroty, Mr. Andrew Hofmans
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.br-automation.com/fileadmin/2021-11_ZipSlip_Vulnerability_in_Automation_Studio_Project_Import-b90d2f42.pdf
N/A
Hyperlink: https://www.br-automation.com/fileadmin/2021-11_ZipSlip_Vulnerability_in_Automation_Studio_Project_Import-b90d2f42.pdf
Resource: N/A
▼Authorized Data Publishers (ADP)
1. CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.br-automation.com/fileadmin/2021-11_ZipSlip_Vulnerability_in_Automation_Studio_Project_Import-b90d2f42.pdf
x_transferred
Hyperlink: https://www.br-automation.com/fileadmin/2021-11_ZipSlip_Vulnerability_in_Automation_Studio_Project_Import-b90d2f42.pdf
Resource:
x_transferred
2. CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Details not found