CVE-2021-42797: 
NixOS vulnerability analysis and mitigation

Path traversal vulnerability (CVE-2021-42797) was discovered in AVEVA Edge (formerly InduSoft Web Studio) versions R2020 and prior. The vulnerability allows an unauthenticated user to steal the Windows access token of the user account configured for accessing external DB resources (NVD, CISA).

The vulnerability is classified as a path traversal issue (CWE-22) that specifically targets Windows UNC share functionality. It has received a CVSS v3.1 base score of 7.5 HIGH with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating network accessibility, low attack complexity, and no required privileges or user interaction (NVD).

If successfully exploited, the vulnerability allows attackers to steal Windows access tokens of user accounts that are configured for accessing external database resources. This could potentially lead to unauthorized access to sensitive database information and resources (CISA).

AVEVA recommends users upgrade to AVEVA Edge 2020 R2 SP2. Additionally, CISA recommends minimizing network exposure for control system devices, ensuring they are not accessible from the Internet, locating control system networks and remote devices behind firewalls, and isolating them from business networks. When remote access is required, secure methods such as Virtual Private Networks (VPNs) should be used (CISA).