CVE-2020-25184: Plaintext Storage of a Password in ISaGRAF Runtime

Severity: 5.5 MEDIUM (NVD), 7.8 (CNA)
EPSS: 0.0% (top 90.57%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Mar 18, latest update Mar 19

Description

Rockwell Automation ISaGRAF Runtime Versions 4.x and 5.x stores the password in plaintext in a file that is in the same directory as the executable file. ISaGRAF Runtime reads the file and saves the data in a variable without any additional modification. A local, unauthenticated attacker could compromise the user passwords, resulting in information disclosure.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Exploitability: 1.8 | Impact: 3.6

Affected Packages: 13 packages

Vulnerability Details (2)

GHSA: GHSA-3f6m-7jq2-3x7m: Rockwell Automation ISaGRAF Runtime Versions 4 (2022-03-19)
CVEList: Rockwell Automation ISaGRAF5 Runtime Unprotected Storage of Credentials (2022-03-18)