ID

VAR-202207-1149


CVE

CVE-2022-35890


TITLE

Inductive Automation Ignition: vulnerability related to incorrect authorization

Trust: 0.8

sources: JVNDB: JVNDB-2022-013187

DESCRIPTION

An issue was discovered in Inductive Automation Ignition before 7.9.20 and 8.x before 8.1.17. Designer and Vision Client session IDs are mishandled. An attacker can determine which session IDs were generated in the past and then hijack sessions assigned to these IDs via the Randy tool.

Inductive Automation Ignition contains an incorrect authorization vulnerability. Information may be disclosed, information may be tampered with, and service operation may be interrupted (DoS).

Inductive Automation Ignition is a comprehensive platform for industrial automation that provides scalable solutions for monitoring, control, data collection and analysis. Ignition was developed by Inductive Automation to help users build and deploy automation systems that meet specific needs. Inductive Automation Ignition versions prior to 7.9.20, and versions from 8.0.1 up to but not including 8.1.17, have an access control error vulnerability caused by improper handling of session IDs in the Designer and Vision clients. Attackers can exploit the vulnerability to hijack sessions.

Trust: 2.25

sources: NVD: CVE-2022-35890 // JVNDB: JVNDB-2022-013187 // CNVD: CNVD-2024-48770 // VULMON: CVE-2022-35890

IOT TAXONOMY

category: ICS
sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2024-48770

AFFECTED PRODUCTS

vendor: inductiveautomation
model: ignition
scope: gte
version: 8.0.1

Trust: 1.0

vendor: inductiveautomation
model: ignition
scope: lt
version: 7.9.20

Trust: 1.0

vendor: inductiveautomation
model: ignition
scope: lt
version: 8.1.17

Trust: 1.0

vendor: inductive automation
model: ignition
scope: eq
version: 7.9.20

Trust: 0.8

vendor: inductive automation
model: ignition
scope: eq
version: 8.0.1 to 8.1.17

Trust: 0.8

vendor: inductive automation
model: ignition
scope: -
version: -

Trust: 0.8

vendor: inductive automation
model: ignition
scope: eq
version: -

Trust: 0.8

vendor: inductive
model: automation inductive automation ignition
scope: lt
version: 7.9.20

Trust: 0.6

vendor: inductive
model: automation inductive automation ignition
scope: gte
version: 8.0.1, <8.1.17

Trust: 0.6

sources: CNVD: CNVD-2024-48770 // JVNDB: JVNDB-2022-013187 // NVD: CVE-2022-35890

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2022-35890
value: CRITICAL

Trust: 1.0

NVD: CVE-2022-35890
value: CRITICAL

Trust: 0.8

CNVD: CNVD-2024-48770
value: HIGH

Trust: 0.6

CNNVD: CNNVD-202207-1380
value: CRITICAL

Trust: 0.6

CNVD: CNVD-2024-48770
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2022-35890
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2022-35890
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2024-48770 // JVNDB: JVNDB-2022-013187 // CNNVD: CNNVD-202207-1380 // NVD: CVE-2022-35890

PROBLEMTYPE DATA

problemtype: CWE-863

Trust: 1.0

problemtype: Incorrect authorization (CWE-863) [NVD evaluation]

Trust: 0.8

sources: JVNDB: JVNDB-2022-013187 // NVD: CVE-2022-35890

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202207-1380

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202207-1380

PATCH

title: Patch for Inductive Automation Ignition Access Control Mistake Vulnerability
url: https://www.cnvd.org.cn/patchInfo/show/644341

Trust: 0.6

title: Inductive Automation Ignition Security vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=201097

Trust: 0.6

sources: CNVD: CNVD-2024-48770 // CNNVD: CNNVD-202207-1380

EXTERNAL IDS

db: NVD, id: CVE-2022-35890

Trust: 3.9

db: JVNDB, id: JVNDB-2022-013187

Trust: 0.8

db: CNVD, id: CNVD-2024-48770

Trust: 0.6

db: CNNVD, id: CNNVD-202207-1380

Trust: 0.6

db: VULMON, id: CVE-2022-35890

Trust: 0.1

sources: CNVD: CNVD-2024-48770 // VULMON: CVE-2022-35890 // JVNDB: JVNDB-2022-013187 // CNNVD: CNNVD-202207-1380 // NVD: CVE-2022-35890

REFERENCES

url: https://support.inductiveautomation.com/hc/en-us/articles/7625759776653

Trust: 3.1

url: https://github.com/sourceincite/randy

Trust: 2.5

url: https://nvd.nist.gov/vuln/detail/cve-2022-35890

Trust: 0.8

url: https://cxsecurity.com/cveshow/cve-2022-35890/

Trust: 0.6

url: https://nvd.nist.gov

Trust: 0.1

sources: CNVD: CNVD-2024-48770 // VULMON: CVE-2022-35890 // JVNDB: JVNDB-2022-013187 // CNNVD: CNNVD-202207-1380 // NVD: CVE-2022-35890

SOURCES

db: CNVD, id: CNVD-2024-48770
db: VULMON, id: CVE-2022-35890
db: JVNDB, id: JVNDB-2022-013187
db: CNNVD, id: CNNVD-202207-1380
db: NVD, id: CVE-2022-35890

LAST UPDATE DATE

2024-12-21T23:15:40.902000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2024-48770, date: 2024-12-20T00:00:00
db: VULMON, id: CVE-2022-35890, date: 2022-07-16T00:00:00
db: JVNDB, id: JVNDB-2022-013187, date: 2023-09-06T08:21:00
db: CNNVD, id: CNNVD-202207-1380, date: 2022-07-22T00:00:00
db: NVD, id: CVE-2022-35890, date: 2022-07-21T14:45:20.123

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2024-48770, date: 2022-12-25T00:00:00
db: VULMON, id: CVE-2022-35890, date: 2022-07-15T00:00:00
db: JVNDB, id: JVNDB-2022-013187, date: 2023-09-06T00:00:00
db: CNNVD, id: CNNVD-202207-1380, date: 2022-07-15T00:00:00
db: NVD, id: CVE-2022-35890, date: 2022-07-15T21:15:08.827