CVE-2023-38123 — Missing Authentication for Critical Function in Ignition

CWE-306 — Missing Authentication for Critical Function3 documents3 sources

Severity

8.8HIGHNVD

EPSS

0.3%

top 46.73%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Inductiveautomation Ignition Inductive Automation Ignition

Timeline

PublishedMay 3

Description

Inductive Automation Ignition OPC UA Quick Client Missing Authentication for Critical Function Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of Inductive Automation Ignition. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the server configuration. The issue results from the lack of authentication…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

▶NVDinductiveautomation/ignition< 8.1.26

▶CVEListV5inductive_automation/ignition8.1.24

🔴Vulnerability Details

GHSA

GHSA-qmh2-7rwj-4vp8: Inductive Automation Ignition OPC UA Quick Client Missing Authentication for Critical Function Authentication Bypass Vulnerability↗2024-05-03

▶

CVEList

Inductive Automation Ignition OPC UA Quick Client Missing Authentication for Critical Function Authentication Bypass Vulnerability↗2024-05-03

▶