CVE-2022-31216: Drive Composer Link Following Local Privilege Escalation Vulnerability
First published: Wed Jun 15 2022(Updated: )
Vulnerabilities in the Drive Composer allow a low privileged attacker to create and write to a file anywhere on the file system as SYSTEM with arbitrary content as long as the file does not already exist. The Drive Composer installer file allows a low-privileged user to run a "repair" operation on the product.
Credit: cybersecurity@ch.abb.com cybersecurity@ch.abb.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Abb Automation Builder | >=1.1.0<=2.5.0 | |
| Abb Drive Composer | >=2.0<2.7.1 | |
| Abb Drive Composer | >=2.0<2.7.1 | |
| ABB Mint Workbench | <=5866 |
Remedy
The problem is corrected in the following product versions: Drive Composer entry version 2.7.1 Drive Composer pro version 2.7.1 Customers using Drive composer pro integrated in ABB Automation Builder should refer to section “Workarounds” in this document. Mint WorkBench Build 5868 ABB recommends that customers apply the update at earliest convenience. Updated versions of Drive Composer are available immediately. ABB Automation Builder 2.5.1 and Mint WorkBench Build 5868 will be available before or during Q3/2022.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is the vulnerability ID for this vulnerability?
The vulnerability ID for this vulnerability is CVE-2022-31216.
What is the severity of CVE-2022-31216?
The severity of CVE-2022-31216 is high, with a severity value of 7.8.
What software is affected by CVE-2022-31216?
The affected software includes Abb Automation Builder (versions between 1.1.0 and 2.5.0), Abb Drive Composer (versions between 2.0 and 2.7.1), and Abb Mint Workbench (version 5866).
What can a low privileged attacker do with CVE-2022-31216?
A low privileged attacker can create and write to a file anywhere on the file system as SYSTEM with arbitrary content, as long as the file does not already exist.
Is there a fix for CVE-2022-31216?
Yes, it is recommended to update the affected software to the latest versions available in order to mitigate the vulnerability.
- agent/type
- agent/author
- agent/weakness
- agent/references
- agent/description
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/severity
- agent/remedy
- agent/title
- agent/tags
- agent/first-publish-date
- agent/event
- vendor/abb
- canonical/abb automation builder
- version/abb automation builder/1.1.0
- version/abb automation builder/2.5.0
- canonical/abb drive composer
- version/abb drive composer/2.0
- canonical/abb mint workbench
- version/abb mint workbench/5866