CVE-2023-39474 — Download of Code Without Integrity Check in Ignition

CWE-494 — Download of Code Without Integrity Check3 documents3 sources

Severity

8.8HIGHNVD

EPSS

1.1%

top 22.41%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Inductiveautomation Ignition Inductive Automation Ignition

Timeline

PublishedMay 3

Description

Inductive Automation Ignition downloadLaunchClientJar Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Inductive Automation Ignition. User interaction is required to exploit this vulnerability in that the target must connect to a malicious server. The specific flaw exists within the downloadLaunchClientJar function. The issue results from the lack of validating a remote JAR file prior to loading it. An attacke…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

▶NVDinductiveautomation/ignition8.1.0 — 8.1.35

▶CVEListV5inductive_automation/ignition8.1.24-RC / 1.1.24-RC

🔴Vulnerability Details

GHSA

GHSA-jxgg-x4q8-f464: Inductive Automation Ignition downloadLaunchClientJar Remote Code Execution Vulnerability↗2024-05-03

▶

CVEList

Inductive Automation Ignition downloadLaunchClientJar Remote Code Execution Vulnerability↗2024-05-03

▶