CVE-2020-12000
Published: 2020-06-09
Priority: P3 (42) · Severity: high · CVSS 3.1 base score: 7.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 1.48% (70.7th percentile)
The affected product is vulnerable to the handling of serialized data. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data on the Ignition 8 Gateway (versions prior to 8.0.10) and Ignition 7 Gateway (versions prior to 7.9.14), allowing an attacker to obtain sensitive information.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| inductiveautomation | ignition_gateway | >= 7.2.4.48 < 7.9.14 | 7.9.14 |
| inductiveautomation | ignition_gateway | >= 8.0 < 8.0.10 | 8.0.10 |
CVSS provenance
- NVD, CVSS v3.1: 7.5 HIGH (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
- NVD, CVSS v2.0: 5.0 MEDIUM (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CISA ICS
Inductive Automation Ignition (Update B)
cisa_ics · 2020-06-02 · CVSS 7.5 · [HIGH]
## Archived Content
In an effort to keep CISA.gov current, the archive contains outdated information that may not reflect current policy or programs.
ICS Advisory: Inductive Automation Ignition (Update B)
Last Revised: July 14, 2020
Alert Code: ICSA-20-147-01
## 1. EXECUTIVE SUMMARY
- CVSS v3 9.8
- ATTENTION: Exploitable remotely/low skill level to exploit
- Vendor: Inductive Automation
- Equipment: Ignition
- Vulnerabilities: Missing Authentication for Critical Function, Deserialization of Untrusted Data
## 2. UPDATE INFORMATION
This updated advisory is a follow-up to the original advisory titled ICSA-20-147-01 Inductive Automation Ignition (Update A) that was published June 2, 2020, on the ICS webpage on us-cert.gov.
## 3. RISK EVALUA
GHSA
GHSA-gh6q-wrfg-c8wf: The affected product is vulnerable to the handling of serialized data
ghsa_unreviewed · 2022-05-24 · CVE-2020-12000 · [MEDIUM] · CWE-502
The affected product is vulnerable to the handling of serialized data. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data on the Ignition 8 Gateway (versions prior to 8.0.10), allowing an attacker to obtain sensitive information.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2020-06-09