An incorrect permission assignment in the TopoGrafix DataPlugin for GPX could result in information disclosure. An attacker could exploit this vulnerability by getting a user to open a specially crafted data file.
This vulnerability is identified as CVE-2023-5136.
NI recommends upgrading the TopoGrafix DataPlugin for GPX to fix this vulnerability. Refer to the Affected Products section for information on how to get the update.

Product Version | Mitigation |
---|---|
NI DIAdem 2023 Q2 and prior versions | Upgrade to NI DIAdem 2023 Q4 or later, or install TopoGrafix DataPlugin for GPX 2023 Q4 |
VeriStand 2023 Q4 and prior versions | Install TopoGrafix DataPlugin for GPX 2023 Q4 |
FlexLogger 2023 Q4 and prior versions | |
The following products are affected only if TopoGrafix DataPlugin for GPX is optionally installed: | Install TopoGrafix DataPlugin for GPX 2023 Q4 |

CVE-2023-5136 – 5.5 – CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
At NI, we view the security of our products as an important part of our commitment to our customers. Go to ni.com/security to stay informed and act upon security alerts and issues.
NI would like to thank kimiya working with Trend Micro Zero Day Initiative for reporting this issue and working with us on coordinated disclosure.