Article - CS385715

Security vulnerabilities identified in ThingWorx Edge C-SDK 2.2.12.1052 or lower

Modified: 31-Mar-2023   


Applies To

  • ThingWorx Kepware Edge 1.0 to 1.5
  • ThingWorx C-SDK 2.2.12.1052 or lower
  • ThingWorx Edge MicroServer (EMS) 5.4.10.0 or lower
  • ThingWorx .NET-SDK 5.8.4.971 or lower
  • ThingWorx Kepware Server (formerly ThingWorx Industrial Connectivity) 6.12 or lower
  • Kepware KEPServerEX 6.0 to 6.12
  • Rockwell Automation KEPServer Enterprise 6.10 to 6.12
  • GE Digital Industrial Gateway Server 7.62 to 7.612

Description

  • Impact of CVE-2023-0754 and CVE-2023-0755 on the ThingWorx Edge C-SDK
  • What PTC products are impacted by CVE-2023-0754 and CVE-2023-0755
  • Mitigation of CVE-2023-0754 and CVE-2023-0755 in the ThingWorx Edge C-SDK
 
  • Vulnerability Details
    • CVE-2023-0755
      • CVSS 3.1 Score: 9.8 Critical
      • CVSS 3.1 Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
      • CWE: CWE-129: Improper Validation of Array Index
      • This vulnerability could allow an attacker to crash the server and remotely execute code.
      • Common Vulnerabilities and Exposures: CVE-2023-0755 has been assigned to this vulnerability.
      • Researcher Attribution: Chris Anastasio and Steven Seeley of Incite Team
    • CVE-2023-0754
      • CVSS 3.1 Score: 9.8 Critical
      • CVSS 3.1 Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
      • CWE: CWE-190: Integer Overflow or Wraparound
      • This vulnerability could allow an attacker to crash the server and remotely execute code.
      • Common Vulnerabilities and Exposures: CVE-2023-0754 has been assigned to this vulnerability.
      • Researcher Attribution: Chris Anastasio and Steven Seeley of Incite Team