high
7.1
CWE
73 610
Advisory Published
Updated

CVE-2023-34982: AVEVA Operations Control Logger External Control of File Name or Path

First published: Wed Nov 15 2023(Updated: )

This external control vulnerability, if exploited, could allow a local OS-authenticated user with standard privileges to delete files with System privilege on the machine where these products are installed, resulting in denial of service.

Credit: ics-cert@hq.dhs.gov

Affected SoftwareAffected VersionHow to fix
Aveva Batch Management<2020
Aveva Batch Management=2020
Aveva Batch Management=2020-sp1
AVEVA Communication Drivers Pack<2020
AVEVA Communication Drivers Pack=2020
AVEVA Communication Drivers Pack=2020-r2
AVEVA Communication Drivers Pack=2020-r2_p01
AVEVA Edge 2020 R2 SP1<=20.1.101
AVEVA Enterprise Licensing<=3.7.002
AVEVA Historian Server<2020
AVEVA Historian Server=2020
AVEVA Historian Server=2020-r2
AVEVA Historian Server=2020-r2_p01
AVEVA InTouch 2020<2020
AVEVA InTouch 2020=2020
AVEVA InTouch 2020=2020-r2
AVEVA InTouch 2020=2020-r2_p01
Aveva Manufacturing Execution System<2020
Aveva Manufacturing Execution System=2020
Aveva Manufacturing Execution System=2020-p01
AVEVA Mobile Operator<2020
AVEVA Mobile Operator=2020
AVEVA Mobile Operator=2020
AVEVA Mobile Operator=2020-r1
AVEVA Plant SCADA<2020
AVEVA Plant SCADA=2020
AVEVA Plant SCADA=2020-r2
AVEVA Recipe Management<2020
AVEVA Recipe Management=2020
AVEVA Recipe Management=2020-update_1_patch_2
Wonderware System Platform<2020
Wonderware System Platform=2020
Wonderware System Platform=2020-r2
Wonderware System Platform=2020-r2_p01
AVEVA Telemetry Server 2020 R2 SP1=2020r2
AVEVA Telemetry Server 2020 R2 SP1=2020r2-sp1
AVEVA Worktasks<2020
AVEVA Worktasks=2020
AVEVA Worktasks=2020-update_1
AVEVA Worktasks=2020-update_2

Remedy

AVEVA recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation. Users of affected products should apply security updates as soon as possible. In addition to applying security updates, users should follow these general precautions: * Ensure that Guest or Anonymous local OS accounts are disabled. * Ensure that only trusted users are able to login on the nodes where the Operations Control Logger is running. Please see AVEVA Security Bulletin number AVEVA-2023-003 https://www.aveva.com/en/support-and-success/cyber-security-updates/  for more information and for links for individual security updates and mitigations for each of the affected products. AVEVA System Platform 2020 through 2020 R2 SP1 cannot be newly installed on top of other AVEVA products which have been previously patched with the Operations Control Logger v22.1. For additional details please refer to Alert 000038736. https://softwaresupportsp.aveva.com/#/knowledgebase/details/000038736

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Frequently Asked Questions

  • What is the severity of CVE-2023-34982?

    CVE-2023-34982 has a high severity rating due to its potential for local authenticated users to delete files with system privileges.

  • How do I fix CVE-2023-34982?

    To remediate CVE-2023-34982, apply the latest security patches provided by Aveva for the affected software versions.

  • What products are affected by CVE-2023-34982?

    CVE-2023-34982 affects various Aveva products including Batch Management, Communication Drivers, Edge, Historian, and System Platform.

  • Can CVE-2023-34982 lead to a denial of service?

    Yes, exploiting CVE-2023-34982 can result in denial of service by allowing unauthorized file deletions.

  • Who is vulnerable to CVE-2023-34982?

    Local OS-authenticated users with standard privileges are vulnerable to the exploitation of CVE-2023-34982.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2025 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203