CVE-2023-2913

7.5 HIGH

📋 TL;DR

A path traversal vulnerability in Rockwell Automation ThinManager ThinServer allows remote attackers to read arbitrary files on the server's file system when the API feature is enabled. Only systems where the optional API has been manually enabled in HTTPS Server Settings are affected. Files are read with the privileges of the ThinServer service, so any file the service account can read, including sensitive ones, is exposed.

💻 Affected Systems

Products:
  • Rockwell Automation ThinManager ThinServer
Versions: Specific versions are not detailed in the advisory; treat all versions that offer the API feature as affected
Operating Systems: Windows
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when the API feature is manually enabled in HTTPS Server Settings (it is disabled by default)

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the server file system: exposure of sensitive configuration files, credentials, and proprietary data, leading to operational disruption and data theft.

🟠 Likely Case

Unauthorized reading of configuration files, logs, and potentially sensitive operational data stored on the server.

🟢 If Mitigated

Limited impact, because the API is disabled by default and proper network segmentation prevents external access.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires the API to be enabled and involves manipulating path variables in requests to the API.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not specified in the advisory; refer to the vendor update

Vendor Advisory: https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1140160

Restart Required: Yes

Instructions:

1. Apply the latest ThinManager ThinServer update from Rockwell Automation.
2. Restart the service.
3. Verify API functionality if the API is required.

🔧 Temporary Workarounds

Disable API Feature (platform: windows)

Disable the vulnerable API feature in HTTPS Server Settings.

Navigate to ThinServer configuration > HTTPS Server Settings > Disable API feature.

Network Segmentation (platform: all)

Restrict network access to ThinServer to trusted networks only.

Configure firewall rules to limit inbound connections to ThinServer ports.

🧯 If You Can't Patch

  • Ensure the API feature remains disabled in HTTPS Server Settings
  • Implement strict network access controls and segment ThinServer from untrusted networks

🔍 How to Verify

Check if Vulnerable:

Check the ThinServer configuration to see whether the API feature is enabled in HTTPS Server Settings; if it is disabled, the vulnerable code path is not reachable.

Check Version:

Check the ThinServer About dialog or version information in the application interface.

Verify Fix Applied:

Verify that the API feature is disabled or that the latest patched version is installed, then confirm that path traversal attempts against the API are rejected.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file access patterns in ThinServer logs
  • HTTP requests with manipulated path parameters to API endpoints

Network Indicators:

  • HTTP requests containing path traversal sequences (../) to ThinServer API

SIEM Query:

source="thinserver" AND (uri="*../*" OR (method="GET" AND uri="*/api/*"))

The parentheses make the precedence explicit: the query matches any request containing a traversal sequence, plus every GET request to an API endpoint. The second clause is deliberately broad and is meant for baseline monitoring of API use; the literal "../" pattern does not catch URL-encoded variants such as "%2e%2e/", so add those forms if your SIEM does not normalise the URI field before matching.
