1. EXECUTIVE SUMMARY
- CVSS v4 5.3
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Rockwell Automation
- Equipment: Pavilion8
- Vulnerability: Missing Encryption of Sensitive Data
2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an attacker to view sensitive data due to a lack of encryption.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions Rockwell Automation Pavilion8, a model predictive control software, are affected:
- Pavilion8: Versions v5.20 and later
3.2 Vulnerability Overview
3.2.1 MISSING ENCRYPTION OF SENSITIVE DATA CWE-311
A vulnerability exists in the affected product due to lack of encryption of sensitive information. The vulnerability results in data being sent between the Console and the Dashboard without encryption, which can be seen in the logs of proxy servers, potentially impacting the data’s confidentiality.
CVE-2024-40620 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.4 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L).
A CVSS v4 score has also been calculated for CVE-2024-40620. A base score of 5.3 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N).
3.3 BACKGROUND
- CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
- COUNTRIES/AREAS D
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.This article has been indexed from All CISA AdvisoriesRead the original article: