CVE-2023-34982 – AVEVA Operations Control Logger External Control of File Name or Path
https://notcve.org/view.php?id=CVE-2023-34982
This external control vulnerability, if exploited, could allow a local OS-authenticated user with standard privileges to delete files with System privilege on the machine where these products are installed, resulting in denial of service. Esta vulnerabilidad de control externo, si se explota, podría permitir que un usuario local autenticado en el sistema operativo con privilegios estándar elimine archivos con privilegios de sistema en la máquina donde están instalados estos productos, lo que resultaría en una denegación de servicio. • https://www.aveva.com/en/support-and-success/cyber-security-updates https://www.cisa.gov/news-events/ics-advisories/icsa-23-318-01 • CWE-73: External Control of File Name or Path CWE-610: Externally Controlled Reference to a Resource in Another Sphere •
CVE-2023-33873 – AVEVA Operations Control Logger Execution with Unnecessary Privileges
https://notcve.org/view.php?id=CVE-2023-33873
This privilege escalation vulnerability, if exploited, cloud allow a local OS-authenticated user with standard privileges to escalate to System privilege on the machine where these products are installed, resulting in complete compromise of the target machine. Esta vulnerabilidad de escalada de privilegios, si se explota, en la nube permite que un usuario local autenticado en el sistema operativo con privilegios estándar escale a privilegios del sistema en la máquina donde están instalados estos productos, lo que resulta en un compromiso total de la máquina de destino. • https://www.aveva.com/en/support-and-success/cyber-security-updates https://www.cisa.gov/news-events/ics-advisories/icsa-23-318-01 • CWE-250: Execution with Unnecessary Privileges •
CVE-2021-33008 – AVEVA System Platform Missing Authentication for Critical Function
https://notcve.org/view.php?id=CVE-2021-33008
AVEVA System Platform versions 2017 through 2020 R2 P01 does not perform any authentication for functionality that requires a provable user identity. AVEVA System Platform versiones 2017 hasta 2020 R2 P01, no llevan a cabo ninguna autenticación para la funcionalidad que requiere una identidad de usuario demostrable • https://www.aveva.com/content/dam/aveva/documents/support/cyber-security-updates/SecurityBulletin_AVEVA-2021-002.pdf https://www.cisa.gov/uscert/ics/advisories/icsa-21-180-05 • CWE-306: Missing Authentication for Critical Function •
CVE-2021-32981 – AVEVA System Platform Path Traversal
https://notcve.org/view.php?id=CVE-2021-32981
AVEVA System Platform versions 2017 through 2020 R2 P01 uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. AVEVA System Platform versiones 2017 hasta 2020 R2 P01, usa una entrada externa para construir un nombre de ruta que pretende identificar un archivo o directorio que es encontrado debajo de un directorio principal restringido, pero el software no neutraliza apropiadamente los elementos especiales dentro del nombre de ruta que pueden causar que el nombre de ruta sea resuelto a una ubicación que está fuera del directorio restringido • https://www.aveva.com/content/dam/aveva/documents/support/cyber-security-updates/SecurityBulletin_AVEVA-2021-002.pdf https://www.cisa.gov/uscert/ics/advisories/icsa-21-180-05 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVE-2021-32985 – AVEVA System Platform Origin Validation Error
https://notcve.org/view.php?id=CVE-2021-32985
AVEVA System Platform versions 2017 through 2020 R2 P01 does not properly verify that the source of data or communication is valid. AVEVA System Platform versiones 2017 hasta 2020 R2 P01, no comprueba correctamente que la fuente de datos o comunicación sea válida • https://www.aveva.com/content/dam/aveva/documents/support/cyber-security-updates/SecurityBulletin_AVEVA-2021-002.pdf https://www.cisa.gov/uscert/ics/advisories/icsa-21-180-05 • CWE-346: Origin Validation Error •