{"api_version":"1","generated_at":"2026-04-23T06:44:40+00:00","cve":"CVE-2021-34597","urls":{"html":"https://cve.report/CVE-2021-34597","api":"https://cve.report/api/cve/CVE-2021-34597.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2021-34597","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2021-34597"},"summary":{"title":"CVE-2021-34597","description":"Improper Input Validation vulnerability in PC Worx Automation Suite of Phoenix Contact up to version 1.88 could allow an attacker with a manipulated project file to unpack arbitrary files outside of the selected project directory.","state":"PUBLIC","assigner":"info@cert.vde.com","published_at":"2021-11-04 10:15:00","updated_at":"2021-11-08 13:55:00"},"problem_types":["CWE-20"],"metrics":[],"references":[{"url":"https://cert.vde.com/en/advisories/VDE-2021-052/","name":"https://cert.vde.com/en/advisories/VDE-2021-052/","refsource":"CONFIRM","tags":[],"title":"VDE-2021-052 | CERT@VDE","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2021-34597","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-34597","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[{"source":"LEGACY","value":"The vulnerability was discovered by Jake Baines of Dragos Inc. \nWe kindly appreciate the coordinated disclosure of these vulnerabilities by the finder.","lang":""},{"source":"LEGACY","value":"PHOENIX CONTACT thanks CERT@VDE for the coordination and support with this publication.","lang":""}],"nvd_cpes":[{"cve_year":"2021","cve_id":"34597","vulnerable":"1","versionEndIncluding":"1.88","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"phoenixcontact","cpe5":"pc_worx","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"34597","vulnerable":"1","versionEndIncluding":"1.88","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"phoenixcontact","cpe5":"pc_worx_express","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"info@cert.vde.com","DATE_PUBLIC":"2021-11-03T08:54:00.000Z","ID":"CVE-2021-34597","STATE":"PUBLIC","TITLE":"Phoenix Contact: PC Worx/-Express prone to improper input validation vulnerability"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"PC Worx","version":{"version_data":[{"version_affected":"<=","version_name":"PC Worx","version_value":"1.88"},{"version_affected":"<=","version_name":"PC Worx-Express","version_value":"1.88"}]}}]},"vendor_name":"Phoenix Contact"}]}},"credit":[{"lang":"eng","value":"The vulnerability was discovered by Jake Baines of Dragos Inc. We kindly appreciate the coordinated disclosure of these vulnerabilities by the finder.  \n"},{"lang":"eng","value":"PHOENIX CONTACT thanks CERT@VDE for the coordination and support with this publication."}],"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"Improper Input Validation vulnerability in PC Worx Automation Suite of Phoenix Contact up to version 1.88 could allow an attacker with a manipulated project file to unpack arbitrary files outside of the selected project directory."}]},"generator":{"engine":"Vulnogram 0.0.9"},"impact":{"cvss":{"attackComplexity":"LOW","attackVector":"LOCAL","availabilityImpact":"HIGH","baseScore":7.8,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","version":"3.1"}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-20 Improper Input Validation"}]}]},"references":{"reference_data":[{"name":"https://cert.vde.com/en/advisories/VDE-2021-052/","refsource":"CONFIRM","url":"https://cert.vde.com/en/advisories/VDE-2021-052/"}]},"solution":[{"lang":"eng","value":"With the next version of Automation Worx Software Suite additional plausibility checks for archive content will be implemented."}],"source":{"advisory":"VDE-2021-052","discovery":"EXTERNAL"},"work_around":[{"lang":"eng","value":"Temporary Fix / Mitigation\nWe strongly recommend customers to exchange project files only using secure file exchange services. \nProject files should not be exchanged via unencrypted email.\nIn addition, we recommend exchanging or storing project files together with a checksum to ensure their integrity."}]},"nvd":{"publishedDate":"2021-11-04 10:15:00","lastModifiedDate":"2021-11-08 13:55:00","problem_types":["CWE-20"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":7.8,"baseSeverity":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:M/Au:N/C:P/I:P/A:P","accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL","baseScore":6.8},"severity":"MEDIUM","exploitabilityScore":8.6,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":true}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:phoenixcontact:pc_worx:*:*:*:*:*:*:*:*","versionEndIncluding":"1.88","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:phoenixcontact:pc_worx_express:*:*:*:*:*:*:*:*","versionEndIncluding":"1.88","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2021","CveId":"34597","Ordinal":"210062","Title":"CVE-2021-34597","CVE":"CVE-2021-34597","Year":"2021"},"notes":[{"CveYear":"2021","CveId":"34597","Ordinal":"1","NoteData":"Improper Input Validation vulnerability in PC Worx Automation Suite of Phoenix Contact up to version 1.88 could allow an attacker with a manipulated project file to unpack arbitrary files outside of the selected project \ndirectory.","Type":"Description","Title":null},{"CveYear":"2021","CveId":"34597","Ordinal":"2","NoteData":"2021-11-04","Type":"Other","Title":"Published"},{"CveYear":"2021","CveId":"34597","Ordinal":"3","NoteData":"2021-11-04","Type":"Other","Title":"Modified"}]}}}