VDE-2022-045

Vulnerability from csaf_pilzgmbhcokg - Published: 2022-11-24 09:00 - Updated: 2025-05-22 13:03
Summary
Pilz: PAS 4000 prone to ZipSlip
Notes
Summary: PAS4000 is the software platform for the Automation System PSS 4000. PAS 4000 does not properly check pathnames contained in archives. An attacker can utilise this vulnerability to write arbitrary files, potentially leading to code execution.
Impact: PAS 4000 uses ZIP archives to save and load project backups and libraries. Also, ZIP archives are used as a container for firmware updates. When loading a ZIP archive the contained pathnames are not checked properly for relative path components. If a user loads a manipulated ZIP archive, the vulnerability can be used to place potentially malicious files outside of the application's working directory. Depending on the user's privileges this can lead to code execution.
Remediation: Install the fixed version as soon as it is available. Please visit the Pilz Shop (www.pilz.com/en-INT/eshop) to check for the fixed version.
General Countermeasures: Do not use .zip or .par files from untrusted sources. If you need to load a file from an untrusted source, please contact your local Pilz support.
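
The pathname check described under Impact, written as a pre-load audit of a ZIP archive. This is an added example, not Pilz or zip4j code; the function names, the directory /opt/work and the sample entry names are constructed for illustration.

```python
import io
import posixpath
import zipfile
from pathlib import PureWindowsPath

# Constructed entry names: two stay inside the target directory, five do not.
SAMPLE_NAMES = [
    "project/config.xml",        # plain relative path
    "project/lib/../notes.txt",  # ".." that still resolves inside the target
    "../../outside.txt",         # relative path components leaving the target
    "lib\\..\\..\\outside.dll",  # same idea with Windows separators
    "../work-old/file.txt",      # sibling directory that shares the name prefix
    "/abs.txt",                  # absolute POSIX path
    "C:/abs.txt",                # absolute Windows path (drive letter)
]


def build_sample():
    """Build the constructed archive in memory; nothing is written to disk."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in SAMPLE_NAMES:
            zf.writestr(name, b"constructed test data")
    buf.seek(0)
    return buf


def unsafe_entries(archive, dest="/opt/work"):
    """Return the entry names that would resolve outside dest if extracted."""
    dest = posixpath.normpath(dest)
    bad = []
    with zipfile.ZipFile(archive) as zf:
        for info in zf.infolist():
            # Treat "\" and "/" alike so the check holds for either platform.
            name = info.filename.replace("\\", "/")
            if name.startswith("/") or PureWindowsPath(name).drive:
                bad.append(info.filename)
                continue
            resolved = posixpath.normpath(posixpath.join(dest, name))
            # Compare against dest plus a separator, not a bare string prefix,
            # so /opt/work-old is not mistaken for a path inside /opt/work.
            if resolved != dest and not resolved.startswith(dest + "/"):
                bad.append(info.filename)
    return bad


if __name__ == "__main__":
    for entry in unsafe_entries(build_sample()):
        print("rejected:", entry)
```

An archive for which the returned list is non-empty should be rejected as a whole rather than extracted with the flagged entries skipped.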

CVE-2022-40976

A path traversal vulnerability was discovered in multiple Pilz products. An unauthenticated local attacker could use a zipped, malicious configuration file to trigger arbitrary file writes ('zip-slip'). File writes do not affect confidentiality or availability.

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Vendor Fix: Install the fixed version as soon as it is available. Please visit the Pilz Shop (www.pilz.com/en-INT/eshop) to check for the fixed version.

CVE-2018-1002202

zip4j before 1.3.3 is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a ../ (dot dot slash) in a Zip archive entry that is mishandled during extraction. This vulnerability is also known as 'Zip-Slip'.

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Vendor Fix: Install the fixed version as soon as it is available. Please visit the Pilz Shop (www.pilz.com/en-INT/eshop) to check for the fixed version.
Acknowledgments
CERT@VDE certvde.com

{
  "document": {
    "acknowledgments": [
      {
        "organization": "CERT@VDE",
        "summary": "coordination",
        "urls": [
          "https://certvde.com"
        ]
      }
    ],
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en-GB",
    "notes": [
      {
        "category": "summary",
        "text": "PAS4000 is the software platform for the Automation System PSS 4000.\u00a0PAS 4000 does not properly check pathnames contained in archives. An attacker can utilise this vulnerability to write arbitrary files, potentially leading to code execution.",
        "title": "Summary"
      },
      {
        "category": "description",
        "text": "PAS 4000 uses ZIP archives to save and load project backups and libraries. Also, ZIP archives are used as a container for firmware updates. \n\nWhen loading a ZIP archive the contained pathnames are not checked properly for relative path components. If a user loads a manipulated ZIP archive, the vulnerability can be used to place potentially malicious files outside of the application\u0027s working directory. \n\nDepending on the user\u0027s privileges this can lead to code execution.",
        "title": "Impact"
      },
      {
        "category": "description",
        "text": "Install the fixed version as soon as it is available. Please visit the Pilz Shop (www.pilz.com/en-INT/eshop) to check for the fixed version",
        "title": "Remediation"
      },
      {
        "category": "general",
        "text": "Do not use .zip or .par files from untrusted sources. If you need to load a file from an\nuntrusted source, please contact your local Pilz support.",
        "title": "General Countermeasures"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "security@pilz.com",
      "name": "Pilz GmbH \u0026 Co. KG",
      "namespace": "https://www.pilz.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "VDE-2022-045: Pilz: PAS 4000 prone to ZipSlip - HTML",
        "url": "https://certvde.com/en/advisories/VDE-2022-045/"
      },
      {
        "category": "self",
        "summary": "VDE-2022-045: Pilz: PAS 4000 prone to ZipSlip - CSAF",
        "url": "https://pilz.csaf-tp.certvde.com/.well-known/csaf/white/2022/vde-2022-045.json"
      },
      {
        "category": "external",
        "summary": "Vendor PSIRT",
        "url": "https://www.pilz.com"
      },
      {
        "category": "external",
        "summary": "CERT@VDE Security Advisories for Pilz GmbH \u0026 Co. KG",
        "url": "https://certvde.com/en/advisories/vendor/pilz/"
      }
    ],
    "title": "Pilz: PAS 4000 prone to ZipSlip",
    "tracking": {
      "aliases": [
        "VDE-2022-045"
      ],
      "current_release_date": "2025-05-22T13:03:10.000Z",
      "generator": {
        "date": "2025-05-05T12:03:38.525Z",
        "engine": {
          "name": "Secvisogram",
          "version": "2.5.24"
        }
      },
      "id": "VDE-2022-045",
      "initial_release_date": "2022-11-24T09:00:00.000Z",
      "revision_history": [
        {
          "date": "2022-11-24T09:00:00.000Z",
          "number": "1",
          "summary": "Initial revision."
        },
        {
          "date": "2025-05-22T13:03:10.000Z",
          "number": "2",
          "summary": "Fix: quotation mark"
        }
      ],
      "status": "final",
      "version": "2"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "branches": [
                  {
                    "category": "product_version_range",
                    "name": "\u003c1.25.0",
                    "product": {
                      "name": "PAS4000 \u003c1.25.0",
                      "product_id": "CSAFPID-51001"
                    }
                  }
                ],
                "category": "product_name",
                "name": "PAS4000"
              }
            ],
            "category": "product_family",
            "name": "Software"
          }
        ],
        "category": "vendor",
        "name": "Pilz"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2022-40976",
      "cwe": {
        "id": "CWE-22",
        "name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
      },
      "notes": [
        {
          "category": "description",
          "text": "A path traversal vulnerability was discovered in multiple Pilz products. An unauthenticated local attacker could use a zipped, malicious configuration file to trigger arbitrary file writes (\u0027zip-slip\u0027). File writes do not affect confidentiality or availability.",
          "title": "Vulnerability Description"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-51001"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Install the fixed version as soon as it is available. Please visit the Pilz Shop (www.pilz.com/en-INT/eshop) to check for the fixed version",
          "product_ids": [
            "CSAFPID-51001"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "environmentalScore": 5.5,
            "environmentalSeverity": "MEDIUM",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "temporalScore": 5.5,
            "temporalSeverity": "MEDIUM",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-51001"
          ]
        }
      ],
      "title": "CVE-2022-40976"
    },
    {
      "cve": "CVE-2018-1002202",
      "cwe": {
        "id": "CWE-22",
        "name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
      },
      "notes": [
        {
          "category": "description",
          "text": "zip4j before 1.3.3 is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a ../ (dot dot slash) in a Zip archive entry that is mishandled during extraction. This vulnerability is also known as \u0027Zip-Slip\u0027.",
          "title": "Vulnerability Description"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-51001"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Install the fixed version as soon as it is available. Please visit the Pilz Shop (www.pilz.com/en-INT/eshop) to check for the fixed version",
          "product_ids": [
            "CSAFPID-51001"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "environmentalScore": 6.5,
            "environmentalSeverity": "MEDIUM",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "temporalScore": 6.5,
            "temporalSeverity": "MEDIUM",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
            "version": "3.0"
          },
          "products": [
            "CSAFPID-51001"
          ]
        }
      ],
      "title": "CVE-2018-1002202"
    }
  ]
}

