SB2022112309 - Multiple vulnerabilities in AVEVA Edge
Published: November 23, 2022
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 4 secuirty vulnerabilities.
1) Input validation error (CVE-ID: CVE-2016-2542)
The vulnerability allows a local authenticated user to execute arbitrary code.
Untrusted search path vulnerability in Flexera InstallShield through 2015 SP1 allows local users to gain privileges via a Trojan horse DLL in the current working directory of a setup-launcher executable file. CWE-426: Untrusted Search Path - http://cwe.mitre.org/data/definitions/426.html
2) Information disclosure (CVE-ID: CVE-2021-42794)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to excessive data output by the application. A remote attacker can gain unauthorized access to sensitive information on the system.
3) Improper access control (CVE-ID: CVE-2021-42796)
The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions. A remote attacker can bypass implemented security restrictions and execute arbitrary commands with the security context of the StADOSvr.exe process.
4) Path traversal (CVE-ID: CVE-2021-42797)
The vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to input validation error when processing directory traversal sequences. A remote attacker can send a specially crafted HTTP request and read arbitrary files on the system.
Remediation
Install update from vendor's website.