Inductive Automation Ignition ConditionRefresh Resource Exhaustion Denial-of-Service Vulnerability
CVE-2023-39477

7.5 HIGH

Key Information:

Status
Vendor
CVE Published: 3 May 2024

What is CVE-2023-39477?

A vulnerability in Inductive Automation's Ignition platform allows remote attackers to trigger a denial-of-service condition by overwhelming the system with excessive OPC UA ConditionRefresh requests. The issue stems from improper handling of these requests, and because no authentication is required, any attacker who can reach the server can exhaust its resources completely. The result is a significant disruption of service, potentially impacting critical operations and functionality within affected installations.

Affected Version(s)

Ignition 8.1.24

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
