Details of VAR-202409-2108

ID

VAR-202409-2108

CVE

CVE-2024-45824

TITLE

Rockwell Automation of FactoryTalk View Command injection vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2024-017918

DESCRIPTION

CVE-2024-45824 IMPACT A remote code vulnerability exists in the affected products. The vulnerability occurs when chained with Path Traversal, Command Injection, and XSS Vulnerabilities and allows for full unauthenticated remote code execution. The link in the mitigations section below contains patches to fix this issue. Rockwell Automation of FactoryTalk View Contains a command injection vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. Rockwell Automation FactoryTalk View Site Edition is an integrated software package of Rockwell Automation, Inc., USA. It is used for development and operation

Trust: 2.16

sources: NVD: CVE-2024-45824 // JVNDB: JVNDB-2024-017918 // CNVD: CNVD-2024-46730

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2024-46730

AFFECTED PRODUCTS

vendor:	rockwellautomation	model:	factorytalk view	scope:	gte	version:	12.0	Trust: 1.0
vendor:	rockwellautomation	model:	factorytalk view	scope:	lte	version:	14.0	Trust: 1.0
vendor:	rockwell automation	model:	factorytalk view	scope:	-	version:	-	Trust: 0.8
vendor:	rockwell automation	model:	factorytalk view	scope:	eq	version:	-	Trust: 0.8
vendor:	rockwell automation	model:	factorytalk view	scope:	eq	version:	12.0 to 14.0	Trust: 0.8
vendor:	rockwell	model:	automation rockwell automation factorytalk view site edition	scope:	eq	version:	v12.0	Trust: 0.6
vendor:	rockwell	model:	automation rockwell automation factorytalk view site edition	scope:	eq	version:	v13.0	Trust: 0.6
vendor:	rockwell	model:	automation rockwell automation factorytalk view site edition	scope:	eq	version:	v14.0	Trust: 0.6

sources: CNVD: CNVD-2024-46730 // JVNDB: JVNDB-2024-017918 // NVD: CVE-2024-45824

CVSS

SEVERITY

CVSSV2

CVSSV3

PSIRT@rockwellautomation.com:	CVE-2024-45824
value:	CRITICAL
Trust: 1.0
nvd@nist.gov:	CVE-2024-45824
value:	CRITICAL
Trust: 1.0
NVD:	CVE-2024-45824
value:	CRITICAL
Trust: 0.8
CNVD:	CNVD-2024-46730
value:	HIGH
Trust: 0.6

CNVD:	CNVD-2024-46730
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

PSIRT@rockwellautomation.com:	CVE-2024-45824
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	5.9
version:	3.1
Trust: 2.0
NVD:	CVE-2024-45824
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2024-46730 // JVNDB: JVNDB-2024-017918 // NVD: CVE-2024-45824 // NVD: CVE-2024-45824

PROBLEMTYPE DATA

problemtype:	CWE-77	Trust: 1.0
problemtype:	Command injection (CWE-77) [ others ]	Trust: 0.8
problemtype:	Command injection (CWE-77) [NVD evaluation ]	Trust: 0.8

sources: JVNDB: JVNDB-2024-017918 // NVD: CVE-2024-45824

PATCH

title:

Patch for Rockwell Automation FactoryTalk View Site Edition Remote Code Execution Vulnerability

url:

https://www.cnvd.org.cn/patchInfo/show/634576

Trust: 0.6

sources: CNVD: CNVD-2024-46730

EXTERNAL IDS

db:	NVD	id:	CVE-2024-45824	Trust: 3.2
db:	JVNDB	id:	JVNDB-2024-017918	Trust: 0.8
db:	CNVD	id:	CNVD-2024-46730	Trust: 0.6

sources: CNVD: CNVD-2024-46730 // JVNDB: JVNDB-2024-017918 // NVD: CVE-2024-45824

REFERENCES

url:	https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.sd1696.html	Trust: 2.4
url:	https://nvd.nist.gov/vuln/detail/cve-2024-45824	Trust: 0.8

sources: CNVD: CNVD-2024-46730 // JVNDB: JVNDB-2024-017918 // NVD: CVE-2024-45824

SOURCES

db:	CNVD	id:	CNVD-2024-46730
db:	JVNDB	id:	JVNDB-2024-017918
db:	NVD	id:	CVE-2024-45824

LAST UPDATE DATE

2025-02-05T23:36:10.056000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2024-46730	date:	2024-12-02T00:00:00
db:	JVNDB	id:	JVNDB-2024-017918	date:	2025-02-04T06:55:00
db:	NVD	id:	CVE-2024-45824	date:	2025-01-31T15:25:14.390

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2024-46730	date:	2024-12-02T00:00:00
db:	JVNDB	id:	JVNDB-2024-017918	date:	2025-02-04T00:00:00
db:	NVD	id:	CVE-2024-45824	date:	2024-09-12T14:16:06.953