1. EXECUTIVE SUMMARY
- CVSS v4 8.7
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Rockwell Automation
- Equipment: Pavilion 8
- Vulnerability: Incorrect Permission Assignment for Critical Resource
2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an attacker to create new users and view sensitive data.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of Rockwell Automation Pavilion 8, a Model Predictive Control (MPC) solution, are affected:
- Pavilion 8: Versions 5.15.00 to 5.20.00
3.2 Vulnerability Overview
3.2.1 Incorrect Permission Assignment for Critical Resource CWE-732
A privilege escalation vulnerability exists in the affected products which could allow a malicious user with basic privileges to access functions which should only be available to users with administrative level privileges. If exploited, an attacker could read sensitive data and create users. For example, a malicious user with basic privileges could perform critical functions such as creating a user with elevated privileges, or reading sensitive information in the “views” section.
CVE-2024-6435 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2024-6435. A base score of 8.7 has been calculated; the CVSS vector string is ([…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
Read the original article: