Inductive Automation Ignition AbstractGatewayFunction Deserialization of Untrusted Data Remote Code Execution Vulnerability
CVE-2023-39473

8.8HIGH

Key Information:

Vendor: Inductive Automation
Status: Ignition
Vendor: CVE Published:; 3 May 2024

🔔 Create Inductive Automation Vulnerability Alert

What is CVE-2023-39473?

A remote code execution vulnerability exists in Inductive Automation's Ignition due to inadequate validation of user-supplied data in the AbstractGatewayFunction class. This flaw allows an authenticated attacker to perform deserialization of untrusted data, potentially leading to arbitrary code execution with system-level privileges. Effectively, an attacker can exploit this vulnerability to manipulate the execution environment of the affected system, posing significant risks to security and operational integrity.

Affected Version(s)

Ignition Inductive Automation Ignition 8.1.17 LTS

References

https://www.zerodayinitiative.com/advisories/ZDI-23-1045/

x_research-advisory

EPSS Score

29% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 3, 2024
Vulnerability Reserved
Aug 2, 2023

JSON