CVE-2022-43514

Description

A vulnerability has been identified in Automation License Manager V5 (All versions), Automation License Manager V6 (All versions < V6.0 SP9 Upd4), TeleControl Server Basic V3 (All versions < V3.1.2). The affected component does not correctly validate the root path on folder related operations, allowing to modify files and folders outside the intended root directory. This could allow an unauthenticated remote attacker to execute file operations of files outside of the specified root folder. Chained with CVE-2022-43513 this could allow Remote Code Execution.

References

Link	Tags
https://cert-portal.siemens.com/productcert/pdf/ssa-476715.pdf	vendor advisory
https://cert-portal.siemens.com/productcert/html/ssa-476715.html
https://cert-portal.siemens.com/productcert/html/ssa-556635.html

Frequently Asked Questions

What is the severity of CVE-2022-43514?: CVE-2022-43514 has been scored as a high severity vulnerability.
How to fix CVE-2022-43514?: To fix CVE-2022-43514, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2022-43514 being actively exploited in the wild?: It is possible that CVE-2022-43514 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~1% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2022-43514?: CVE-2022-43514 affects Siemens Automation License Manager V5, Siemens Automation License Manager V6, Siemens TeleControl Server Basic V3.

Description

Category

CWE-22 – Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

References

Frequently Asked Questions