Input Validation Flaw in Cscape by Horner Automation
CVE-2022-3377

7.8HIGH

Key Information:

Vendor: Horner Automation
Status: Cscape
Vendor: CVE Published:; 15 November 2022

🔔 Create Horner Automation Vulnerability Alert

What is CVE-2022-3377?

Cscape prior to version 9.90 SP 6 from Horner Automation has a critical flaw where user-supplied data is not properly validated. Attackers can exploit this vulnerability by opening a specially crafted FNT file, triggering an uninitialized pointer access that allows out-of-bounds memory read. This could result in arbitrary code execution within the application process, posing a significant risk to system integrity.

Affected Version(s)

Cscape 0 <= 9.90

References

https://www.cisa.gov/uscert/ics/advisories/icsa-22-277-03

government-resource

CVSS V3.1

Score:

7.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 15, 2022
Vulnerability Reserved
Sep 30, 2022

Credit

Michael Heinzl

CVE-2022-3377 Data

JSON