| Summary | Directory Traversal on Zip Archive Usage |
| --- | --- |
| Last Update | December 13, 2018 |
| Versions Impacted | 8.3.0 and all prior versions |
| CVE # Link | CVE Mitre |
| Technical Support Link | Directory Traversal on Zip Usage in ThingWorx Platform Prior to 8.3.0 |
At PTC, we’re dedicated to working together with our customers and partners to develop and deploy secure IoT platforms. As part of PTC’s ongoing effort to improve product security and communicate clearly about any issues impacting applications dependent on the security of PTC’s products, this vulnerability disclosure is intended to inform users of the ThingWorx platform so that they may determine if further action is required.
The ThingWorx application is vulnerable to a directory traversal attack on zip files.
All applications built on affected versions, including other PTC applications, may be vulnerable.
| Affected Versions | Fix Version for This Issue | Minimum Recommended Security Patch Level |
| --- | --- | --- |
| All Versions Before 7.0.0 | 7.0.15+ | 7.4.15+ |
| 7.0.0 to 7.0.14 | 7.0.15+ | 7.4.15+ |
| 7.1.0 to 7.1.18 | 7.1.19+ | 7.4.15+ |
| 7.2.0 to 7.2.21 | 7.2.22+ | 7.4.15+ |
| 7.3.0 to 7.3.18 | 7.3.19+ | 7.4.15+ |
| 7.4.0 to 7.4.14 | 7.4.15+ | 7.4.15+ |
| 8.0.0 to 8.0.12 | 8.0.13+ | 8.0.13+ |
| 8.1.0 to 8.1.8 | 8.1.9+ | 8.1.9+ |
| 8.2.0 to 8.2.5 | 8.2.6+ | 8.2.6+ |
There may be technical or other limitations that prevent all fixes from being backported to all older versions. Generally, the latest version of ThingWorx is the most secure. If it is not possible to be on the latest version, PTC recommends the latest Service Pack for the installed version as above.
An attacker can utilize this vulnerability to read files that are normally considered out of bounds by the application. The methods to interact with zip files can be used to read or write arbitrary files.
The fix validates the file path input in the CreateZipArchive service to ensure that directory traversal is constrained appropriately.
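As an added illustration (not PTC's code, and not how ThingWorx implements the fix), the following Python shows the path-validation pattern the advisory describes: every zip entry name is checked against the destination directory, both lexically and after filesystem resolution, before anything is written. The names resolve_within, safe_extract and run_demo are hypothetical, and the archives are constructed in memory.

```python
import io
import tempfile
import zipfile
from pathlib import Path, PurePosixPath


class PathTraversalError(ValueError):
    """A caller-supplied path would land outside the permitted base directory."""


def resolve_within(base: str, user_path: str) -> Path:
    """Lexical check on the raw name, then a check on the resolved path (catches symlink escapes)."""
    base_dir = Path(base).resolve()
    entry = PurePosixPath(user_path)  # zip entry names use '/' separators
    if entry.is_absolute() or ".." in entry.parts:
        raise PathTraversalError(f"rejected zip entry name: {user_path!r}")
    candidate = (base_dir / entry).resolve()
    if candidate != base_dir and base_dir not in candidate.parents:
        raise PathTraversalError(f"entry resolves outside base: {user_path!r}")
    return candidate


def safe_extract(zip_bytes: bytes, dest: str) -> list[str]:
    """Extract an in-memory archive into dest; validate every entry before writing any."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        targets = [(info, resolve_within(dest, info.filename)) for info in zf.infolist()]
        written = []
        for info, target in targets:
            if info.is_dir():
                continue  # parent directories are created as needed below
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            written.append(target.relative_to(Path(dest).resolve()).as_posix())
    return written


def build_sample_zip(names: list[str]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:  # constructed sample; writestr() keeps names like '../x' verbatim
            zf.writestr(name, b"constructed sample content")
    return buf.getvalue()


def run_demo() -> dict:
    """Extract a benign archive, then one carrying a traversal entry, into a temp dir."""
    with tempfile.TemporaryDirectory() as dest:
        benign = safe_extract(build_sample_zip(["docs/readme.txt", "docs/sub/a.txt"]), dest)
        try:
            safe_extract(build_sample_zip(["docs/ok.txt", "../../evil.txt"]), dest)
            rejected = False
        except PathTraversalError:
            rejected = True
        partial = Path(dest, "docs", "ok.txt").exists()  # validate-then-write left nothing behind
    return {"benign": benign, "traversal_rejected": rejected, "partial_write": partial}
```

Because all entries are validated before the first write, an archive that mixes benign and traversing names leaves no partial output behind.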
We would like to thank Raymond Doyle at Secureworks for finding and reporting this issue to us.