Article - CS312285
Remote code execution vulnerability in Windchill and FlexPLM - Critical
Modified: 26-Sep-2019
Applies To
- Windchill PDMLink 10.0 to 11.1
- FlexPLM 10.1 to 11.1
- Pro/INTRALINK 8.x + 10.0 to 11.1
Description
Windchill 11.2 is not impacted by this issue; however, all other versions of Windchill and FlexPLM are suspected to be at risk.
CVSS: 10.0
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CWE-502 - Deserialization of Untrusted Data
- A remote code execution vulnerability caused by deserialization of untrusted data (CWE-502) has been identified in Windchill and FlexPLM.
- Compensating network security controls may reduce risk; however, the system may still be susceptible to compromise. All customers are encouraged to utilize only a supported product version and patch.