Inductive Automation Ignition SimpleXMLReader XML External Entity Processing Information Disclosure Vulnerability
CVE-2023-39472

6.5MEDIUM

Key Information:

Vendor: Inductive Automation
Status: Ignition
Vendor: CVE Published:; 3 May 2024

🔔 Create Inductive Automation Vulnerability Alert

What is CVE-2023-39472?

The vulnerability in Inductive Automation Ignition's SimpleXMLReader involves inadequate restrictions on XML External Entity references. This flaw permits an attacker to craft a malicious XML document that, when processed, directs the XML parser to access a specified URI and incorporates the contents back into the XML document. As a result, sensitive information could be disclosed within the context of the SYSTEM. Proper authentication is necessary to exploit this vulnerability, heightening the importance of restricting access and validating incoming XML data to safeguard sensitive information.

Affected Version(s)

Ignition 8.1.17 LTS

References

https://www.zerodayinitiative.com/advisories/ZDI-23-1048/

x_research-advisory

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 3, 2024
Vulnerability Reserved
Aug 2, 2023

JSON