1. EXECUTIVE SUMMARY
- CVSS v4 8.5
- ATTENTION: Low attack complexity
- Vendor: Rockwell Automation
- Equipment: Arena
- Vulnerabilities: Use After Free, Out-of-bounds Write, Improper Initialization
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could result in execution of arbitrary code.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of Arena are affected:
- Arena: Versions prior to V16.20.06
3.2 VULNERABILITY OVERVIEW
3.2.1 USE AFTER FREE CWE-416
A “use after free” code execution vulnerability exists in the affected products that could allow a threat actor to craft a DOE file and force the software to reuse a resource. If exploited, a threat actor could leverage this vulnerability to execute arbitrary code. To exploit this vulnerability, a legitimate user must execute the malicious code crafted by the threat actor.
CVE-2024-11155 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2024-11155. A base score of 8.5 has been calculated; the CVSS vector string is (AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.2.2 OUT-OF-BOUNDS WRITE CWE-787
An “out of bounds write” code execution vulnerability exist
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
Read the original article: