CVE-2023-31166

An Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in the Schweitzer Engineering Laboratories Real-Time Automation Controller (SEL RTAC) Web Interface could allow a remote authenticated attacker to create folders in arbitrary paths of the file system. See SEL Service Bulletin dated 2022-11-15 for more details.

CVSS v3 4.3 MEDIUM

4.3^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://selinc.com/support/security-notifications/external-reports/	Vendor Advisory
https://www.nozominetworks.com/blog/	Third Party Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:selinc:sel-2241_rtac_module_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:selinc:sel-2241_rtac_module:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND

cpe:2.3:o:selinc:sel-3350_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:selinc:sel-3350:-:*:*:*:*:*:*:*

Configuration 3 (hide)

AND

cpe:2.3:o:selinc:sel-3505_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:selinc:sel-3505:-:*:*:*:*:*:*:*

Configuration 4 (hide)

AND

cpe:2.3:o:selinc:sel-3505-3_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:selinc:sel-3505-3:-:*:*:*:*:*:*:*

Configuration 5 (hide)

AND

cpe:2.3:o:selinc:sel-3530_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:selinc:sel-3530:-:*:*:*:*:*:*:*

Configuration 6 (hide)

AND

cpe:2.3:o:selinc:sel-3530-4_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:selinc:sel-3530-4:-:*:*:*:*:*:*:*

Configuration 7 (hide)

AND

cpe:2.3:o:selinc:sel-3532_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:selinc:sel-3532:-:*:*:*:*:*:*:*

Configuration 8 (hide)

AND

cpe:2.3:o:selinc:sel-3555_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:selinc:sel-3555:-:*:*:*:*:*:*:*

Configuration 9 (hide)

AND

cpe:2.3:o:selinc:sel-3560e_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:selinc:sel-3560e:-:*:*:*:*:*:*:*

Configuration 10 (hide)

AND

cpe:2.3:o:selinc:sel-3560s_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:selinc:sel-3560s:-:*:*:*:*:*:*:*

History

17 May 2023, 17:11

Type	Values Removed	Values Added
CPE		cpe:2.3:o:selinc:sel-3350_firmware:::::::: cpe:2.3:o:selinc:sel-3560s_firmware:::::::: cpe:2.3:h:selinc:sel-3505-3:-:::::::* cpe:2.3:h:selinc:sel-3560s:-:::::::* cpe:2.3:o:selinc:sel-3530-4_firmware:::::::: cpe:2.3:o:selinc:sel-3555_firmware:::::::: cpe:2.3:o:selinc:sel-3560e_firmware:::::::: cpe:2.3:h:selinc:sel-3555:-:::::::* cpe:2.3:h:selinc:sel-3560e:-:::::::* cpe:2.3:h:selinc:sel-3505:-:::::::* cpe:2.3:h:selinc:sel-3530-4:-:::::::* cpe:2.3:o:selinc:sel-3530_firmware:::::::: cpe:2.3:h:selinc:sel-3350:-:::::::* cpe:2.3:o:selinc:sel-3505_firmware:::::::: cpe:2.3:h:selinc:sel-3530:-:::::::* cpe:2.3:o:selinc:sel-2241_rtac_module_firmware:::::::: cpe:2.3:o:selinc:sel-3532_firmware:::::::: cpe:2.3:h:selinc:sel-2241_rtac_module:-:::::::* cpe:2.3:o:selinc:sel-3505-3_firmware:::::::: cpe:2.3:h:selinc:sel-3532:-:::::::*
References	~~(MISC) https://www.nozominetworks.com/blog/ -~~	(MISC) https://www.nozominetworks.com/blog/ - Third Party Advisory
References	~~(MISC) https://selinc.com/support/security-notifications/external-reports/ -~~	(MISC) https://selinc.com/support/security-notifications/external-reports/ - Vendor Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 4.3
CWE		CWE-22

10 May 2023, 20:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-05-10 20:15

Updated : 2024-02-04 23:37

NVD link : CVE-2023-31166

Mitre link : CVE-2023-31166

CVE.ORG link : CVE-2023-31166

JSON object : View

Products Affected

selinc

sel-3555
sel-3532
sel-3350_firmware
sel-3560e_firmware
sel-3505-3_firmware
sel-3530
sel-3505-3
sel-3560s
sel-3350
sel-3530-4_firmware
sel-2241_rtac_module_firmware
sel-3560e
sel-3532_firmware
sel-3505
sel-3530-4
sel-3555_firmware
sel-3560s_firmware
sel-3530_firmware
sel-3505_firmware
sel-2241_rtac_module

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

4.3 /10