// For flags

CVE-2021-27471

Rockwell Automation Connected Components Workbench Path Traversal

Severity Score

8.6
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

The parsing mechanism that processes certain file types does not provide input sanitization for file paths. This may allow an attacker to craft malicious files that, when opened by Rockwell Automation Connected Components Workbench v12.00.00 and prior, can traverse the file system. If successfully exploited, an attacker could overwrite existing files and create additional files with the same permissions of the Connected Components Workbench software. User interaction is required for this exploit to be successful.

El mecanismo de análisis sintáctico que procesa determinados tipos de archivos no proporciona saneo de entrada para las rutas de archivos. Esto puede permitir a un atacante diseñar archivos maliciosos que, cuando son abiertos por Rockwell Automation Connected Components Workbench versiones v12.00.00 y anteriores, pueden atravesar el sistema de archivos. Si es explotado con éxito, un atacante podría sobrescribir los archivos existentes y crear archivos adicionales con los mismos permisos del software Connected Components Workbench. Es requerida una interacción del usuario para que esta explotación tenga éxito

*Credits: Mashav Sapir of Claroty reported these vulnerabilities to Rockwell Automation.
CVSS Scores
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Local
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Network
Attack Complexity
Medium
Authentication
None
Confidentiality
Partial
Integrity
Partial
Availability
Partial
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2021-02-19 CVE Reserved
  • 2022-03-23 CVE Published
  • 2024-08-03 CVE Updated
  • 2024-11-10 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CAPEC
References (1)
URL Tag Source
https://www.cisa.gov/uscert/ics/advisories/icsa-21-133-01 Third Party Advisory
URL Date SRC
URL Date SRC
URL Date SRC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Rockwellautomation
Search vendor "Rockwellautomation"
 Connected Components Workbench
Search vendor "Rockwellautomation" for product "Connected Components Workbench"
 <= 12.00.00
Search vendor "Rockwellautomation" for product "Connected Components Workbench" and version " <= 12.00.00"
-
Affected