Loading

Path Traversal and Third-party Vulnerability in DataMosaix™ Private Cloud

Severity:
High,
Critical
Advisory ID:
SD1715
公開日:
January 28, 2025
最終更新日:
January 28, 2025
Revision Number:
1.0
Known Exploited Vulnerability (KEV):
いいえ
Corrected:
はい
Workaround:
いいえ
CVE IDs
CVE-2025-0659,
CVE-2020-11656
ダウンロード
The following link(s) provide the security advisory in Vulnerability Exploitability Exchange format:
JSON
JSON
概要

AFFECTED PRODUCTS AND SOLUTION

Affected Product

CVE

Affected Software Version

Corrected in Software Version

DataEdgePlatform DataMosaix™ Private Cloud

CVE-2025-0659

<=7.11

7.11.01

DataEdgePlatform DataMosaix™ Private Cloud

CVE-2020-11656 

<=7.09

7.11.01

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

 CVE-2025-0659 IMPACT

A path traversal vulnerability exists in the affected product. By specifying the character sequence in the body of the vulnerable endpoint, it is possible to overwrite files outside of the intended directory. A threat actor with admin privileges could leverage this vulnerability to overwrite reports including user projects.

CVSS 3.1 Base Score: 5.5
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:N

CVSS 4.0 Base Score: 7.0
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N

CWE: 200 - Exposure of Sensitive Information to an unauthorized Actor
Known Exploited Vulnerability (KEV) database: No

CVE-2020-11656 IMPACT

The affected product utilizes SQLite, which contains a use after free vulnerability in the ALTER TABLE implementation, which was demonstrated by an ORDER BY clause that belongs to a compound SELECT statement.

CVSS 3.1 Base Score: 9.8
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 9.3
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE: 1395 - Dependency on Vulnerable third-party Component
Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds

For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Rockwell Automation Home
Copyright ©2022 Rockwell Automation, Inc.
  1. Chevron LeftChevron Left ロックウェル・オートメーションのホーム Chevron RightChevron Right
  2. Chevron LeftChevron Left Trust & Security Chevron RightChevron Right
  3. Chevron LeftChevron Left Industrial Security Adv Chevron RightChevron Right
  4. Chevron LeftChevron Left Industrial Security Advisory Detail Chevron RightChevron Right
を続行するには、クッキーの設定を更新してください.
この機能には、お客様の利便性を向上させるためにクッキーが必要です。これらのクッキーを許可するように設定を更新してください:
  • ソーシャルメディア・クッキー
  • 機能性クッキー
  • パフォーマンスクッキー
  • マーケティングクッキー
  • 全てのクッキー
いつでも設定を更新することができます。詳しくは{0}をご覧ください プライバシーポリシー
CloseClose