CVE-2024-7960

The Rockwell Automation affected product contains a vulnerability that allows a threat actor to view sensitive information and change settings. The vulnerability exists due to having an incorrect privilege matrix that allows users to have access to functions they should not.

CVSS v3 9.1 CRITICAL

9.1^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1695.html	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:rockwellautomation:pavilion8:*:*:*:*:*:*:*:*

History

19 Sep 2024, 01:52

Type	Values Removed	Values Added
CPE		cpe:2.3:a:rockwellautomation:pavilion8::::::::
First Time		Rockwellautomation Rockwellautomation pavilion8
CWE		NVD-CWE-noinfo
References	~~() https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1695.html -~~	() https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1695.html - Vendor Advisory
Summary		(es) El producto afectado de Rockwell Automation contiene una vulnerabilidad que permite a un agente de amenazas ver información confidencial y cambiar configuraciones. La vulnerabilidad existe debido a que tiene una matriz de privilegios incorrecta que permite a los usuarios tener acceso a funciones a las que no deberían tener acceso.
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.1

12 Sep 2024, 21:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-09-12 21:15

Updated : 2024-09-19 01:52

NVD link : CVE-2024-7960

Mitre link : CVE-2024-7960

CVE.ORG link : CVE-2024-7960

JSON object : View

Products Affected

rockwellautomation

pavilion8

CWE

NVD-CWE-noinfo CWE-269

Improper Privilege Management

{"id": "CVE-2024-7960", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "PSIRT@rockwellautomation.com", "cvssData": {"safety": "NOT_DEFINED", "version": "4.0", "recovery": "NOT_DEFINED", "baseScore": 8.8, "automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "modifiedAttackVector": "NOT_DEFINED", "integrityRequirements": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "availabilityRequirements": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subsequentSystemIntegrity": "NONE", "vulnerableSystemIntegrity": "LOW", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "confidentialityRequirements": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "subsequentSystemAvailability": "NONE", "vulnerableSystemAvailability": "LOW", "subsequentSystemConfidentiality": "NONE", "vulnerableSystemConfidentiality": "HIGH", "modifiedSubsequentSystemIntegrity": "NOT_DEFINED", "modifiedVulnerableSystemIntegrity": "NOT_DEFINED", "modifiedSubsequentSystemAvailability": "NOT_DEFINED", "modifiedVulnerableSystemAvailability": "NOT_DEFINED", "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED", "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED"}}]}, "published": "2024-09-12T21:15:03.153", "references": [{"url": "https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1695.html", "tags": ["Vendor Advisory"], "source": "PSIRT@rockwellautomation.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}, {"type": "Secondary", "source": "PSIRT@rockwellautomation.com", "description": [{"lang": "en", "value": "CWE-269"}]}], "descriptions": [{"lang": "en", "value": "The Rockwell Automation affected product contains a vulnerability that allows a threat actor to view sensitive information and change settings. The vulnerability exists due to having an incorrect privilege matrix that allows users to have access to functions they should not."}, {"lang": "es", "value": "El producto afectado de Rockwell Automation contiene una vulnerabilidad que permite a un agente de amenazas ver informaci\u00f3n confidencial y cambiar configuraciones. La vulnerabilidad existe debido a que tiene una matriz de privilegios incorrecta que permite a los usuarios tener acceso a funciones a las que no deber\u00edan tener acceso."}], "lastModified": "2024-09-19T01:52:55.193", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:rockwellautomation:pavilion8:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9569FBE7-2B8C-48A7-976A-2CDF1A155FB4", "versionEndExcluding": "6.0"}], "operator": "OR"}]}], "sourceIdentifier": "PSIRT@rockwellautomation.com"}