Security
Please find a list of product security advisories for UiPath below.
Title: UIPS-2024-001 - Security Advisory - UiPath Orchestrator - Improper Queue Permissions
Publish Date: March 11, 2024
Version: 1.0
General Information
Affected Versions:
Automation Cloud Orchestrator
Orchestrator Standalone Versions:
2021.10.0 - 2021.10.14
2022.4.0 - 2022.4.12
2022.10.0 - 2022.10.9
2023.4.0 - 2023.4.5
2023.10.0 - 2023.10.2
Automation Suite Versions:
2021.10.0 - 2021.10.12
2022.4.0 - 2022.4.10
2022.10.0 - 2022.10.9
2023.4.0 - 2023.4.4
2023.10.0 - 2023.10.1
CVSS Score: 6.5
Details:
An issue was discovered with the permissions for exporting queues. An authenticated user who has access to one or more queues within a folder may be able to export data from all queues in their tenant instead of only the queues they have permissions for. This issue does not allow access to other tenants or other organizations.
Release Notes:
Suggested Actions:
This vulnerability has already been remediated in UiPath Automation Cloud. For on-premises installations, update to the latest available version or apply the latest patch for your major version. The issue is not directly exploitable; it requires an authenticated user who already has permissions on at least one queue.
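The class of defect in this advisory is an export endpoint that checks whether the caller has any queue permission and then returns every queue in the tenant. The following is an added example (not UiPath code; all class names, permission names and queue data are constructed for illustration) that places such a coarse check beside a per-object check in which each queue is individually tested against the caller's folder permissions, which is what a reviewer would look for in any bulk-export handler.

```python
"""Per-queue authorization on a bulk export (constructed example, not UiPath code).

`export_queues_flawed` mirrors the defect class in UIPS-2024-001: one coarse
"has any queue permission" gate, then every queue in the tenant is returned.
`export_queues_fixed` filters each queue against the caller's permissions in
that queue's folder. Tenant, folder and permission names are all constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass(frozen=True)
class Queue:
    tenant: str
    folder: str
    name: str
    items: tuple = ()


@dataclass
class Principal:
    tenant: str
    # folder -> permissions granted in that folder, e.g. {"Queues.View"} (constructed names)
    folder_perms: Dict[str, Set[str]] = field(default_factory=dict)

    def can_view_queue(self, q: Queue) -> bool:
        """Tenant isolation first, then the per-folder permission check."""
        return q.tenant == self.tenant and "Queues.View" in self.folder_perms.get(q.folder, set())


# Constructed tenant data: two folders in tenant "acme" plus one queue in another tenant.
QUEUES = [
    Queue("acme", "Finance", "Invoices", ("inv-1", "inv-2")),
    Queue("acme", "HR", "Onboarding", ("emp-7",)),
    Queue("other", "Finance", "Invoices", ("x-1",)),
]


def export_queues_flawed(caller: Principal, queues=QUEUES) -> List[Queue]:
    """Coarse gate: any queue permission anywhere unlocks the whole tenant."""
    if not any("Queues.View" in perms for perms in caller.folder_perms.values()):
        raise PermissionError("no queue access")
    return [q for q in queues if q.tenant == caller.tenant]


def export_queues_fixed(caller: Principal, queues=QUEUES) -> List[Queue]:
    """Per-object gate: a queue is exported only if the caller can view that queue."""
    visible = [q for q in queues if caller.can_view_queue(q)]
    if not visible:
        raise PermissionError("no queue access")
    return visible


def exported_names(export_fn, caller: Principal) -> List[str]:
    """Folder/queue names an export function would hand to this caller, sorted."""
    return sorted(f"{q.folder}/{q.name}" for q in export_fn(caller))


if __name__ == "__main__":
    finance_user = Principal("acme", {"Finance": {"Queues.View"}})
    print("flawed:", exported_names(export_queues_flawed, finance_user))
    print("fixed: ", exported_names(export_queues_fixed, finance_user))
```

The tenant check is kept in both versions to reflect the advisory's note that the defect never crossed tenant boundaries; the fix is purely the move from a single gate to an authorization decision per returned object.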
If you have any questions please send an email to security.notifications@uipath.com or submit a ticket here.
Title: UIPS-2023-001 - Security Advisory - Swagger DOM Cross-Site Scripting (XSS)
Publish Date: June 27, 2023
Version: 1.0
General Information
Affected Versions:
Automation Cloud Orchestrator
Orchestrator Standalone Versions:
2020.10.0 - 2020.10.19
2021.10.0 - 2021.10.11
2022.4.0 - 2022.4.7
2022.10.0 - 2022.10.4
2023.4.0
Automation Suite Versions:
2021.10.0 - 2021.10.11
2022.4.0 - 2022.4.7
2022.10.0 - 2022.10.4
2023.4.0
CVSS Score: 6.4
Details:
Swagger UI is a popular library used to render API specifications in a readable form for users. Swagger UI versions 3.14.1 to 3.37.2 suffer from a DOM Cross-Site Scripting (XSS) vulnerability due to an outdated embedded `DomPurify` library combined with a feature of Swagger UI itself that fetches a remote API specification file.
By crafting a malicious specification file and linking it through Swagger UI, an attacker could leverage this vulnerability to execute arbitrary JavaScript in the context of the victim user and conduct further attacks.
Release Notes:
Download Links:
Orchestrator Standalone
Automation Suite
2023.4.1
2022.10.6
2022.4.7
2021.10.8
Suggested Actions:
Mitigated in Automation Cloud. For on-premises installations, update to the latest available version or apply the latest patch for your major version. The issue is not directly exploitable; it requires an authenticated user to open a malicious link.
If you have any questions please send an email to security.notifications@uipath.com or submit a ticket here.
Title: UIPS-2022-001 - Security Advisory - UiPath Orchestrator - Exposure of Sensitive Information
Publish Date: December 12, 2022
Version: 1.1
General Information
Affected Versions:
Orchestrator prior to 2020.10*
Orchestrator 2020.10 to 2020.10.17*
Orchestrator 2021.10 to 2021.10.8*
Orchestrator 2022.4 to 2022.4.4*
Orchestrator 2022.10*
Orchestrator within Automation Suite 2021.10, 2022.4 and 2022.10*
Automation Cloud Orchestrator*
*These versions are only affected under specific conditions provided in the details.
CVSS Score: 4.9
Details:
If Orchestrator is configured to use a 3rd party storage bucket, 3rd party credential store, or external deployment repository that requires credentials, a vulnerability exists that may allow an attacker with privileged access to audit logs to retrieve the credentials used by Orchestrator to connect to the 3rd party resource. Audit logs are tenant-specific, and user permissions from one tenant do not allow access to another tenant's audit log.
The update ensures that creation of new configurations is still logged, but no credentials are included in the logging statements.
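The remediation described here, logging that a configuration was created without writing its credentials, is a general pattern worth having in any audit trail. The following added example (not UiPath code; the field names, event shape and sample bucket configuration are constructed) masks secret-bearing keys at any nesting depth and also scrubs credentials embedded inside connection strings and URLs before the record is serialized, so the log still answers "who configured what" without becoming a credential store.

```python
"""Redacting credentials from configuration audit events (constructed example, not UiPath code).

Secret-bearing keys are matched by name at any depth; credential material
embedded in free-text values (Password=...; in a connection string, user:pass@
in a URL) is scrubbed too. Field names and the sample config are constructed.
"""
import json
import re

# Keys whose values are secrets, matched case-insensitively on the key name (constructed list).
SECRET_KEY_RE = re.compile(r"(password|secret|accesskey|token|connectionstring)", re.I)
# Secrets embedded inside string values rather than under their own key.
EMBEDDED_SECRET_RE = re.compile(r"(?i)(password|pwd)=([^;]*)")
URL_USERINFO_RE = re.compile(r"://([^:/@]+):([^@/]+)@")

REDACTED = "***"


def redact(value):
    """Return a copy of `value` with secret keys and embedded secrets masked."""
    if isinstance(value, dict):
        return {k: (REDACTED if SECRET_KEY_RE.search(k) else redact(v)) for k, v in value.items()}
    if isinstance(value, list):
        return [redact(v) for v in value]
    if isinstance(value, str):
        value = EMBEDDED_SECRET_RE.sub(lambda m: f"{m.group(1)}={REDACTED}", value)
        value = URL_USERINFO_RE.sub(lambda m: f"://{m.group(1)}:{REDACTED}@", value)
        return value
    return value


def audit_record(actor: str, action: str, config: dict) -> dict:
    """Audit record: who did what, with a redacted copy of the configuration."""
    return {"actor": actor, "action": action, "config": redact(config)}


def audit_event(actor: str, action: str, config: dict) -> str:
    """The serialized line that would be written to the audit log."""
    return json.dumps(audit_record(actor, action, config), sort_keys=True)


# Constructed configuration for a third-party storage bucket; none of these values are real.
SAMPLE_CONFIG = {
    "type": "S3",
    "bucket": "robots-artifacts",
    "endpoint": "https://svc-user:s3cr3t@storage.example.test/",
    "accessKey": "AKIAEXAMPLE",
    "secretKey": "wJalrXUtnFEMI/K7MDENG",
    "options": {"connectionString": "Server=db;User Id=orch;Password=hunter2;"},
}

if __name__ == "__main__":
    print(audit_event("admin@example.test", "StorageBucket.Create", SAMPLE_CONFIG))
```

Redaction is applied to a copy, so the live configuration object handed to the storage client is untouched; only the audit path sees the masked version.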
Release Notes:
2022.10 Patch
2022.4 Patch
2021.10 Patch
2020.10 Patch
Download Links:
2022.10 Patch
2022.4 Patch
2021.10 Patch
2020.10 Patch
Latest Versions
Suggested Actions:
If you are not leveraging Orchestrator in the UiPath Automation Cloud: Apply the Cleanup script from the corresponding release notes above. This will fully remove any 3rd party resource passwords that could be available, but will not prevent the credentials for a newly configured storage bucket, credential store, or external deployment from being vulnerable. Apply the update corresponding to your UiPath Orchestrator version to fully remediate the vulnerability. Customers running an unsupported version of Orchestrator are strongly advised to upgrade to a supported version in order to receive the update. Change any passwords used by Orchestrator to access storage buckets, credential stores, or external deployment repositories that may have been exposed.
If you are a UiPath Automation Cloud customer: All updates have already been applied and any passwords that may have been available have been removed. UiPath still recommends changing any passwords used by Orchestrator to access storage buckets, credential stores, or external deployment repositories that may have been exposed.
If you have any questions please send an email to security.notifications@uipath.com or submit a ticket here.
Update: December 13, 2022
Added Orchestrator within Automation Suite 2021.10 and 2022.4 to the "Affected Versions" list.
Title: UiPath Orchestrator - Robot Account Takeover
Publish Date: April 7, 2022
Version: 1.0
General Information
Affected Versions:
Orchestrator 2019.10 to 2019.10.22
Orchestrator 2020.10 to 2020.10.15
Orchestrator 2021.4 to 2021.4.3
Orchestrator 2021.10 to 2021.10.3
Orchestrator within Automation Suite 2021.10 to 2021.10.3
Automation Cloud
CVSS Score: 8.3
Details:
The vulnerability allows an attacker with privileged access to a robot to retrieve the LicenseKey (MachineKey) of other robots within the same tenant by brute forcing API calls to Orchestrator. This would theoretically allow the attacker to access resources restricted only to that robot.
Release Notes:
Download Links:
Suggested Actions:
The issue was patched in the latest version available in Automation Cloud, Automation Suite, and all supported Orchestrator versions.
If you have any questions please send an email to security.notifications@uipath.com or submit a ticket here.
Title: UiPath Apps Studio - Persistent Cross-Site Scripting
Publish Date: Dec 7, 2021
Version: 1.0
General Information
Affected Versions:
Automation Suite 2021.10.0
Automation Cloud
CVSS Score: 7.9
Details:
An issue was fixed in the way uploaded icons are handled. It was possible for a malicious user with the rights to create an App to upload HTML code instead of a valid image. This might allow an attacker to craft a malicious URL that, when used to download the image, executes arbitrary JavaScript code.
Release Notes:
Download Links:
Suggested Actions:
The issue was patched in the latest version available in Automation Cloud and on Automation Suite 2021.10.1.
The issue was not directly exploitable in UiPath Apps; it required the attacker to have the rights to create an App and to send the malicious icon URL to other users. The vulnerability was not triggered by merely browsing the application that contained the malicious icon.
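An upload feature that accepts "an image" on the strength of the client's declared type is what makes HTML-in-an-icon possible. The following added example (not UiPath code; the allow-list, size limit and sample uploads are constructed) shows the two controls that close this class of issue: the stored object is accepted only if its leading bytes match a known raster image signature that agrees with the declared type, and it is served with a server-determined Content-Type plus headers that stop the browser from sniffing or scripting it.

```python
"""Validating and serving user-uploaded icons (constructed example, not UiPath code).

The MIME type is derived from the file's magic bytes, never from the client,
and the response headers forbid content sniffing. Signature list, size limit
and sample uploads are constructed for this example.
"""
from typing import Dict, Optional

# Magic-number signatures of the image formats accepted for icons (constructed allow-list).
IMAGE_SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}
MAX_ICON_BYTES = 256 * 1024


class InvalidIcon(ValueError):
    """Raised when an upload is rejected; the reason is safe to show the uploader."""


def sniff_image_type(data: bytes) -> Optional[str]:
    """Return the MIME type implied by the leading bytes, or None if no signature matches."""
    for magic, mime in IMAGE_SIGNATURES.items():
        if data.startswith(magic):
            return mime
    return None


def validate_icon(data: bytes, declared_type: str) -> str:
    """Accept the upload and return the server-determined MIME type, or raise InvalidIcon."""
    if len(data) > MAX_ICON_BYTES:
        raise InvalidIcon("icon too large")
    actual = sniff_image_type(data)
    if actual is None:
        # Text that happens to start with "<" (HTML, SVG, scripts) lands here.
        raise InvalidIcon("content is not a supported image")
    declared = declared_type.split(";")[0].strip().lower()
    if declared != actual:
        raise InvalidIcon(f"declared type {declared!r} does not match content {actual!r}")
    return actual


def icon_response_headers(mime: str) -> Dict[str, str]:
    """Headers for serving a stored icon so the browser never interprets it as a document."""
    return {
        "Content-Type": mime,                      # from validate_icon, not from the uploader
        "X-Content-Type-Options": "nosniff",       # no MIME sniffing of the body
        "Content-Security-Policy": "default-src 'none'; sandbox",
        "Cache-Control": "private, max-age=3600",
    }


# Constructed sample uploads: a minimal PNG header and an HTML document labelled as PNG.
PNG_UPLOAD = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
HTML_UPLOAD = b"<!doctype html><html><body>not an image</body></html>"

if __name__ == "__main__":
    print(validate_icon(PNG_UPLOAD, "image/png"))
    try:
        validate_icon(HTML_UPLOAD, "image/png")
    except InvalidIcon as e:
        print("rejected:", e)
```

Validating on upload and hardening the download response are independent controls; keeping both means a file that slips past one (for example, an old object stored before validation existed) is still not rendered as HTML.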
If you have any questions please send an email to security.notifications@uipath.com or submit a ticket here.
Title: UiPath Assistant - Remote Code Execution
Publish Date: Dec 7, 2021
Version: 1.0
General Information
Affected Versions:
Assistant 2021.4 to 2021.4.5
Assistant 2021.10 to 2021.10.3
CVSS Score: 8.3
Details:
An issue was fixed in the processing of user-supplied widget identification command line parameters.
This functionality allowed users to develop and run Assistant widgets from the command line.
It was possible for a malicious web page to open the desktop application and inject a remote file location for a widget using a network share.
Release Notes:
Download Links:
Suggested Actions:
Update to the latest Assistant patches available: 2021.4 and 2021.10
The issue is not directly exploitable; it requires opening a malicious link and confirming the browser dialog that asks the user to open a custom link with UiPath Assistant.
If you have any questions please send an email to security.notifications@uipath.com or submit a ticket here.
Title: UiPath Assistant - Content injection via URI handler
Publish Date: Dec 7, 2021
Version: 1.0
General Information
Affected Versions:
Assistant 2021.4 to 2021.4.5
Assistant 2021.10 to 2021.10.3
CVSS Score: 4.7
Details:
An issue was fixed in the handling of one command line parameter, the process name, which was reflected in the user interface of Assistant. The functionality allowed users to see details about the process name when they encountered an error. It was possible for a malicious web page to open the desktop application and supply arbitrary text that was then displayed in the Assistant user interface.
Release Notes:
Download Links:
Suggested Actions:
Update to the latest Assistant patches available: 2021.4 and 2021.10
The issue is not directly exploitable; it requires opening a malicious link and confirming the browser dialog that asks the user to open a custom link with UiPath Assistant.
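Both Assistant advisories share one root cause: a desktop application registered as a protocol handler receives its command line arguments from whichever web page opened the link, so every parameter must be treated as untrusted input. The following added example (not UiPath code; the `myapp://run-widget` scheme, parameter names, widget directory and rules are all constructed) shows the checks a handler should apply to the two parameter kinds these advisories describe: a file location, which is accepted only if it resolves inside a local allow-listed directory (network shares, URLs, absolute paths and traversal are refused), and a display-only string, which is stripped of control characters and length-capped before it reaches the UI.

```python
"""Validating arguments received through a custom URI handler (constructed example, not UiPath code).

`validate_widget_path` confines a load location to WIDGET_ROOT; `sanitize_display_text`
makes a reflected parameter safe to show as plain text. Scheme, parameter names and
directory are constructed for this example.
"""
import os
import unicodedata
from typing import Dict
from urllib.parse import parse_qs, urlparse

# Constructed: the only directory widgets may ever be loaded from.
WIDGET_ROOT = os.path.abspath("/opt/myapp/widgets")
DISPLAY_MAX_LEN = 64


def validate_widget_path(raw: str) -> str:
    """Resolve `raw` against WIDGET_ROOT and refuse anything that points elsewhere."""
    if not raw:
        raise ValueError("empty widget path")
    if raw.startswith(("\\\\", "//")) or "://" in raw:
        # UNC shares (\\server\share), protocol-relative and absolute URLs.
        raise ValueError("remote widget locations are not allowed")
    candidate = os.path.normpath(os.path.join(WIDGET_ROOT, raw))
    # An absolute `raw` replaces WIDGET_ROOT in join(); '..' walks out of it. Both land
    # outside the root and are rejected by the common-path check.
    if os.path.commonpath([WIDGET_ROOT, candidate]) != WIDGET_ROOT:
        raise ValueError("widget path escapes the widget directory")
    return candidate


def sanitize_display_text(raw: str) -> str:
    """Drop control/format characters, collapse whitespace, cap the length.
    The UI must still render the result as text, never as markup."""
    printable = "".join(ch for ch in raw if unicodedata.category(ch)[0] != "C")
    return " ".join(printable.split())[:DISPLAY_MAX_LEN]


def parse_launch_uri(uri: str) -> Dict[str, str]:
    """Turn a myapp://run-widget?widget=...&process=... link into validated arguments."""
    parts = urlparse(uri)
    if parts.scheme != "myapp" or parts.netloc != "run-widget":
        raise ValueError("unsupported URI")
    query = parse_qs(parts.query)
    widget = query.get("widget", [""])[0]
    process = query.get("process", [""])[0]
    return {
        "widget_path": validate_widget_path(widget),
        "process_name": sanitize_display_text(process),
    }


if __name__ == "__main__":
    print(parse_launch_uri("myapp://run-widget?widget=reports/summary.json&process=Invoice%20Sync"))
```

The path check deliberately compares normalized paths with `os.path.commonpath` rather than a string prefix test, so a sibling directory such as `/opt/myapp/widgets-old` is not mistaken for a location under the root.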
If you have any questions please send an email to security.notifications@uipath.com or submit a ticket here.