Try UiPath Free
Try UiPath Free
All
uipath.com
Forum
Docs
Close

Close

Security

UiPath Security Advisories & Bulletins

UIPATH PRODUCT SECURITY

Please find a list of product security advisories for UiPath below.

  • UIPS-2021-001 - Security Advisory - UiPath Assistant - Content injection via URI handler

    Title: UiPath Assistant - Content injection via URI handler

    Publish Date: Dec 7, 2021

    Version: 1.0

    General Information

    Affected Versions:

    • Assistant 2021.4 to 2021.4.5

    • Assistant 2021.10 to 2021.10.3

    CVSS Score: 4.7

    Details: An issue was fixed in one command line parameter, the process name, which was reflected in the user interface of Assistant. The functionality allowed users to see details regarding the process name when they encountered an error. It was possible for a malicious web page to open the desktop application and to input arbitrary text which was displayed in the user interface of the Assistant.

    Release Notes:

    Download Links:

    Suggested Actions:

    Update to latest Assistant patches available: 2021.4 and 2021.10

    The issue is not directly exploitable, it requires opening a malicious link and confirming the browser dialog asking the user to open a custom link with UiPath Assistant.

    If you have any questions please send an email to security.notifications@uipath.com or submit a ticket here.

  • UIPS-2021-002 - Security Advisory - UiPath Assistant - Remote Code Execution

    Title: UiPath Assistant - Remote Code Execution

    Publish Date: Dec 7, 2021

    Version: 1.0

    General Information

    Affected Versions:

    • Assistant 2021.4 to 2021.4.5

    • Assistant 2021.10 to 2021.10.3

    CVSS Score: 8.3

    Details:

    An issue was fixed in the processing of user-supplied widget identification command line parameters.

    The functionality allowed users to develop and run Assistant widgets from the command line.

    It was possible for a malicious web page to open the desktop application and to inject a remote file location of a widget using a network share.

    Release Notes:

    Download Links:

    Suggested Actions

    Update to latest Assistant patches available: 2021.4 and 2021.10

    The issue is not directly exploitable, it requires opening a malicious link and confirming the browser dialog asking the user to open a custom link with UiPath Assistant.

    If you have any questions please send an email to security.notifications@uipath.com or submit a ticket here.

  • UIPS-2021-003 - Security Advisory - UiPath Apps Studio - Persistent Cross-Site Scripting

    Title: UiPath Apps Studio - Persistent Cross-Site Scripting

    Publish Date: Dec 7, 2021

    Version: 1.0

    General Information

    Affected Versions:

    • Automation Suite 2021.10.0

    • Automation Cloud

    CVSS Score: 7.9

    Details:

    An issue was fixed in the way the uploaded icons are handled. It was possible for a malicious user with the rights to create an App to upload HTML code instead of a valid image. This might allow an attacker to create a malicious URL used to download the image to execute arbitrary JavaScript code.

    Release Notes:

    Download Links:

    Suggested Actions

    The issue was patched in the latest version available in Automation Cloud and on Automation Suite 2021.10.1.

    The issue was not directly exploitable in the UiPath Apps, it required the attacker to have the rights to create an App and send the malicious icon URL to other users to exploit it. The vulnerability was not triggered by just browsing the application with the malicious icon.

    If you have any questions please send an email to security.notifications@uipath.com or submit a ticket here.

  • UIPS-2022-001 - Security Advisory - UiPath Orchestrator - Robot Account Takeover

    Title: UiPath Orchestrator - Robot Account Takeover

    Publish Date: April 7, 2022 

    Version: 1.0

    General Information

    Affected Versions:

    • Orchestrator 2019.10 to 2019.10.22

    • Orchestrator 2020.10 to 2020.10.15

    • Orchestrator 2021.4 to 2021.4.3

    • Orchestrator 2021.10 to 2021.10.3

    • Orchestrator within Automation Suite 2021.10 to 2021.10.3

    • Automation Cloud

    CVSS Score: 8.3

    Details:

    The vulnerability allows an attacker with privileged access to a robot to retrieve the LicenseKey (MachineKey) of other robots within the same tenant by brute forcing API calls to Orchestrator. This would theoretically allow the attacker to access resources restricted only to that robot.

    Release Notes:

    Download Links:

    Suggested Actions

    The issue was patched in the latest version available in Automation Cloud, Automation Suite, and all supported Orchestrator versions.

    If you have any questions please send an email to security.notifications@uipath.com or submit a ticket here.

  • UIPS-2022-002 - Security Advisory - UiPath Orchestrator - Exposure of Sensitive Information

    Title: UIPS-2022-001- Security Advisory - UiPath Orchestrator - Exposure of Sensitive Information

    Publish Date: December 12, 2022

    Version: 1.1

    General Information

    Affected Versions:

    • Orchestrator prior to 2020.10*

    • Orchestrator 2020.10. to 2020.10.17*

    • Orchestrator 2021.10 to 2021.10.8*

    • Orchestrator 2022.4 to 2022.4.4*

    • Orchestrator 2022.10*

    • Orchestrator within Automation Suite 2021.10, 2022.4 and 2022.10*

    • Automation Cloud Orchestrator*

    *These versions are only affected under specific conditions provided in the details.

    CVSS Score: 4.9

    Details:

    If Orchestrator is configured to use a 3rd party storage bucket, 3rd party credential store, or external deployment repository that requires credentials, a vulnerability exists that may allow an attacker with privileged access to audit logs to retrieve the credentials used by Orchestrator to connect to the 3rd party resource. Audit logs are tenant specific and user permissions from one tenant do not allow for access to another tenant’s audit log.

    The update ensures that creation of new configurations is still logged, but no credentials are included in the logging statements.

    Release Notes:

    2022.10 Patch

    2022.4 Patch

    2021.10 Patch

    2020.10 Patch

    Download Links:

    2022.10 Patch

    2022.4 Patch

    2021.10 Patch

    2020.10 Patch

    Latest Versions

    Suggested Actions:

    If you are not leveraging Orchestrator in the UiPath Automation Cloud: Apply the Cleanup script from the corresponding release notes above. This will fully remove any 3rd party resource passwords that could be available, but will not prevent the credentials for a newly configured storage bucket, credential store, or external deployment from being vulnerable. Apply the update corresponding to your UiPath Orchestrator version to fully remediate the vulnerability. Customers running an unsupported version of Orchestrator are strongly advised to upgrade to a supported version in order to receive the update. Change any passwords used by Orchestrator to access storage buckets, credential stores, or external deployment repositories that may have been exposed.

    If you are a UiPath Automation Cloud customer: All updates have already been applied and any passwords that may have been available have been removed. UiPath still recommends changing any passwords used by Orchestrator to access storage buckets, credential stores, or external deployment repositories that may have been exposed.

    If you have any questions please send an email to security.notifications@uipath.com or submit a ticket here.

    Update: December 13, 2022

    Added Orchestrator within Automation Suite 2021.10 and 2022.4 to the "Affected Versions" list.

Need to Report a Security Issue to UiPath?