Vulnerability Details CVE-2012-6069
The CoDeSys Runtime Toolkit’s file transfer functionality does not
perform input validation, which allows an attacker to access files and
directories outside the intended scope. This may allow an attacker to
upload and download any file on the device. This could allow the
attacker to affect the availability, integrity, and confidentiality of
the device.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.022
EPSS Ranking 83.9%
CVSS Severity
CVSS v3 Score 10.0
CVSS v2 Score 10.0
References
- http://www.codesys.com/news-events/press-releases/detail/article/sicherheitsluecke-in-codesys-v23-laufzeitsystem.html
- http://www.digitalbond.com/tools/basecamp/3s-codesys/
- https://us.codesys.com/ecosystem/security/
- https://www.cisa.gov/news-events/ics-advisories/icsa-13-011-01
- https://www.cisa.gov/news-events/ics-advisories/icsa-14-084-01
- http://ics-cert.us-cert.gov/advisories/ICSA-14-084-01
- http://www.codesys.com/news-events/press-releases/detail/article/sicherheitsluecke-in-codesys-v23-laufzeitsystem.html
- http://www.digitalbond.com/tools/basecamp/3s-codesys/
- http://www.securityfocus.com/bid/56300
- http://www.us-cert.gov/control_systems/pdf/ICSA-13-011-01.pdf
Products affected by CVE-2012-6069
-
cpe:2.3:a:3s-software:codesys_runtime_system:2.3.9.35
-
cpe:2.3:a:3s-software:codesys_runtime_system:2.3.9.36
-
cpe:2.3:a:3s-software:codesys_runtime_system:2.3.9.37
-
cpe:2.3:a:3s-software:codesys_runtime_system:2.3.9.8
-
cpe:2.3:a:3s-software:codesys_runtime_system:2.4.0