Search

Find a vulnerability

Search criteria Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.

    76 vulnerabilities found for ignition by inductiveautomation

    CVE-2025-13913 (GCVE-0-2025-13913)

    Vulnerability from nvd – Published: 2026-03-12 18:17 – Updated: 2026-03-17 15:29
    VLAI
    Title
    Inductive Automation Ignition Software Deserialization of Untrusted Data
    Summary
    A privileged Ignition user, intentionally or otherwise, imports an external file with a specially crafted payload, which executes embedded malicious code.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    Inductive Automation Ignition Software Affected: 0 , < 8.3.0 (custom)
    Unaffected: 8.3.0
    Create a notification for this product.
    Date Public
    2026-03-12 15:00
    Credits
    Nik Tsytsarkin, Ismail Aydemir, and Ryan Hall of Meta reported this vulnerability to Inductive Automation.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-13913",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-12T19:06:06.866760Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-12T19:06:53.296Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Ignition Software",
              "vendor": "Inductive Automation",
              "versions": [
                {
                  "lessThan": "8.3.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "8.3.0"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Nik Tsytsarkin, Ismail Aydemir, and Ryan Hall of Meta reported this vulnerability to Inductive Automation."
            }
          ],
          "datePublic": "2026-03-12T15:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cspan\u003eA privileged Ignition user, intentionally or otherwise, imports an external file with a specially crafted payload, which executes embedded malicious code.\u003c/span\u003e"
                }
              ],
              "value": "A privileged Ignition user, intentionally or otherwise, imports an external file with a specially crafted payload, which executes embedded malicious code."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "HIGH",
                "attackRequirements": "NONE",
                "attackVector": "ADJACENT",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "HIGH",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "LOW",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "LOW",
                "userInteraction": "ACTIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:A/AC:H/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            },
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-502",
                  "description": "CWE-502",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-17T15:29:47.962Z",
            "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
            "shortName": "icscert"
          },
          "references": [
            {
              "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-071-06"
            },
            {
              "url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-071-06.json"
            },
            {
              "url": "https://inductiveautomation.com/resources/article/ignition-security-hardening-guide"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Upgrade Ignition software from 8.1.x to 8.3.0 or greater."
                }
              ],
              "value": "Upgrade Ignition software from 8.1.x to 8.3.0 or greater."
            }
          ],
          "source": {
            "advisory": "ICSA-26-071-06",
            "discovery": "EXTERNAL"
          },
          "title": "Inductive Automation Ignition Software Deserialization of Untrusted Data",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "MITIGATION (8.1.x Linux). Implement Ignition Security Hardening Guide \nAppendix A. \nhttps://inductiveautomation.com/resources/article/ignition-security-hardening-guide"
                }
              ],
              "value": "MITIGATION (8.1.x Linux). Implement Ignition Security Hardening Guide \nAppendix A. \nhttps://inductiveautomation.com/resources/article/ignition-security-hardening-guide"
            },
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cdiv\u003e\nMITIGATION (8.1.x Windows). Covered in Ignition Security Hardening Guide\n Appendix A.\u0026nbsp;\u003c/div\u003e\u003cdiv\u003e\u003col\u003e\u003cli\u003eCreate a new dedicated local Windows account that will \nbe used exclusively for the Ignition service (e.g. svc-ign).\u0026nbsp;a. The best\n security practice is that the Ignition service should not be a domain \naccount (unless otherwise needed). b. Remove all group memberships from \nthe service account (including Users and Administrators). c. Add to \nsecurity policy to log in as a service. d. Add to \"Deny log on locally\" \nsecurity policy.\u0026nbsp;\u003c/li\u003e\u003cli\u003eProvide full read/write access only to the Ignition \ninstallation directory for the service account created in #1. a. Add \nread/write permissions to other directories in the local filesystem as \nneeded (e.g.: if configured to use optional Enterprise Administration \nModule to write automated backups to the file system).\u0026nbsp;\u003c/li\u003e\u003cli\u003eSet deny \naccess settings for service account on other directories not needed by \nthe Ignition service. a. Specifically the C:\\Windows, C:\\Users, and \ndirectories for any other applications in the Program Files or Program \nFiles(x86) directories. b. Use java param to change temp directory to a \nlocation within the Ignition install directory so the Users folder can \nbe denied access to the Ignition service account.\u003c/li\u003e\u003cli\u003eRestrict project imports to verified \nand trusted sources only, ideally using checksums or digital \nsignatures.\u003c/li\u003e\u003cli\u003eUse multiple environments (e.g. Dev, Test, Prod) with a \nstaging workflow so that new data is never introduced directly to\u0026nbsp; \nproduction environments. See Ignition Deployment Best Practices.\u003c/li\u003e\u003cli\u003eWhen \nfeasible, segment or isolate Ignition gateways from corporate resources \nand Windows Domains.a. The Ignition service account or AD server object \nshould never need Windows Domain or Windows Active Directory privileges.\n This would only be needed if an Asset Owners IT or OT department uses \nthis for management outside Ignition.b. Ignition may be federated with \nActive Directory environments (e.g. OT domains) by entering \n\"Authentication Profile\" credentials within the Ignition gateway itself.\n This could use secure LDAP, SAML, or OpenID Connect.\u003c/li\u003e\u003cli\u003eWhen feasible, \nenforce strong credential management and MFA for all users with Designer\n permissions (8.1.x and 8.3.x), Config Page permissions (8.1.x), and \nConfig Write permissions (8.3.x).\u003c/li\u003e\u003cli\u003eWhen feasible, deploy Ignition \nwithin hardened or containerized environments.\n\n\n\n\u003cbr\u003e\u003c/li\u003e\u003c/ol\u003e\u003c/div\u003e"
                }
              ],
              "value": "MITIGATION (8.1.x Windows). Covered in Ignition Security Hardening Guide\n Appendix A.\u00a0\n\n  *  Create a new dedicated local Windows account that will \nbe used exclusively for the Ignition service (e.g. svc-ign).\u00a0a. The best\n security practice is that the Ignition service should not be a domain \naccount (unless otherwise needed). b. Remove all group memberships from \nthe service account (including Users and Administrators). c. Add to \nsecurity policy to log in as a service. d. Add to \"Deny log on locally\" \nsecurity policy.\u00a0\n  *  Provide full read/write access only to the Ignition \ninstallation directory for the service account created in #1. a. Add \nread/write permissions to other directories in the local filesystem as \nneeded (e.g.: if configured to use optional Enterprise Administration \nModule to write automated backups to the file system).\u00a0\n  *  Set deny \naccess settings for service account on other directories not needed by \nthe Ignition service. a. Specifically the C:\\Windows, C:\\Users, and \ndirectories for any other applications in the Program Files or Program \nFiles(x86) directories. b. Use java param to change temp directory to a \nlocation within the Ignition install directory so the Users folder can \nbe denied access to the Ignition service account.\n  *  Restrict project imports to verified \nand trusted sources only, ideally using checksums or digital \nsignatures.\n  *  Use multiple environments (e.g. Dev, Test, Prod) with a \nstaging workflow so that new data is never introduced directly to\u00a0 \nproduction environments. See Ignition Deployment Best Practices.\n  *  When \nfeasible, segment or isolate Ignition gateways from corporate resources \nand Windows Domains.a. The Ignition service account or AD server object \nshould never need Windows Domain or Windows Active Directory privileges.\n This would only be needed if an Asset Owners IT or OT department uses \nthis for management outside Ignition.b. Ignition may be federated with \nActive Directory environments (e.g. OT domains) by entering \n\"Authentication Profile\" credentials within the Ignition gateway itself.\n This could use secure LDAP, SAML, or OpenID Connect.\n  *  When feasible, \nenforce strong credential management and MFA for all users with Designer\n permissions (8.1.x and 8.3.x), Config Page permissions (8.1.x), and \nConfig Write permissions (8.3.x).\n  *  When feasible, deploy Ignition \nwithin hardened or containerized environments."
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 1.0.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "assignerShortName": "icscert",
        "cveId": "CVE-2025-13913",
        "datePublished": "2026-03-12T18:17:22.839Z",
        "dateReserved": "2025-12-02T17:43:55.964Z",
        "dateUpdated": "2026-03-17T15:29:47.962Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2023-50233 (GCVE-0-2023-50233)

    Vulnerability from nvd – Published: 2024-05-03 02:14 – Updated: 2024-08-02 22:09
    VLAI
    Title
    Inductive Automation Ignition getJavaExecutable Directory Traversal Remote Code Execution Vulnerability
    Summary
    Inductive Automation Ignition getJavaExecutable Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Inductive Automation Ignition. User interaction is required to exploit this vulnerability in that the target must connect to a malicious server. The specific flaw exists within the getJavaExecutable method. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-22029.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    Assigner
    zdi
    References
    Impacted products
    Vendor Product Version
    Inductive Automation Ignition Affected: 8.1.31
    Create a notification for this product.
    inductiveautomation ignition Affected: 8.1.31
        cpe:2.3:a:inductiveautomation:ignition:8.1.31:*:*:*:*:*:*:*
    Create a notification for this product.
    Date Public
    2024-02-21 19:14
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:inductiveautomation:ignition:8.1.31:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "ignition",
                "vendor": "inductiveautomation",
                "versions": [
                  {
                    "status": "affected",
                    "version": "8.1.31"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-50233",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-07-19T14:09:00.610715Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-07-19T21:03:14.575Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T22:09:49.895Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "ZDI-24-185",
                "tags": [
                  "x_research-advisory",
                  "x_transferred"
                ],
                "url": "https://www.zerodayinitiative.com/advisories/ZDI-24-185/"
              },
              {
                "name": "vendor-provided URL",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://security.inductiveautomation.com/?tcuUid=fc4c4515-046d-4365-b688-693337449c5b"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unknown",
              "product": "Ignition",
              "vendor": "Inductive Automation",
              "versions": [
                {
                  "status": "affected",
                  "version": "8.1.31"
                }
              ]
            }
          ],
          "dateAssigned": "2023-12-05T19:37:59.749Z",
          "datePublic": "2024-02-21T19:14:57.983Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Inductive Automation Ignition getJavaExecutable Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Inductive Automation Ignition. User interaction is required to exploit this vulnerability in that the target must connect to a malicious server.\n\nThe specific flaw exists within the getJavaExecutable method. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-22029."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.0"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-05-03T02:14:49.645Z",
            "orgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
            "shortName": "zdi"
          },
          "references": [
            {
              "name": "ZDI-24-185",
              "tags": [
                "x_research-advisory"
              ],
              "url": "https://www.zerodayinitiative.com/advisories/ZDI-24-185/"
            },
            {
              "name": "vendor-provided URL",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://security.inductiveautomation.com/?tcuUid=fc4c4515-046d-4365-b688-693337449c5b"
            }
          ],
          "source": {
            "lang": "en",
            "value": "Piotr Bazydlo (@chudypb) of Trend Micro Zero Day Initiative"
          },
          "title": "Inductive Automation Ignition getJavaExecutable Directory Traversal Remote Code Execution Vulnerability"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
        "assignerShortName": "zdi",
        "cveId": "CVE-2023-50233",
        "datePublished": "2024-05-03T02:14:49.645Z",
        "dateReserved": "2023-12-05T16:15:17.545Z",
        "dateUpdated": "2024-08-02T22:09:49.895Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-50232 (GCVE-0-2023-50232)

    Vulnerability from nvd – Published: 2024-05-03 02:14 – Updated: 2024-08-02 22:09
    VLAI
    Title
    Inductive Automation Ignition getParams Argument Injection Remote Code Execution Vulnerability
    Summary
    Inductive Automation Ignition getParams Argument Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Inductive Automation Ignition. User interaction is required to exploit this vulnerability in that the target must connect to a malicious server. The specific flaw exists within the getParams method. The issue results from the lack of proper validation of a user-supplied string before using it to prepare an argument for a system call. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-22028.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-88 - Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
    Assigner
    zdi
    References
    Impacted products
    Vendor Product Version
    Inductive Automation Ignition Affected: 8.1.31
    Create a notification for this product.
    inductiveautomation ignition Affected: 8.1.31 , < 8.1.35 (custom)
        cpe:2.3:a:inductiveautomation:ignition:8.1.31:*:*:*:*:*:*:*
    Create a notification for this product.
    Date Public
    2024-02-21 19:14
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:inductiveautomation:ignition:8.1.31:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "ignition",
                "vendor": "inductiveautomation",
                "versions": [
                  {
                    "lessThan": "8.1.35",
                    "status": "affected",
                    "version": "8.1.31",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-50232",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-06-14T19:21:19.849756Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-14T19:25:30.871Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T22:09:49.865Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "ZDI-24-184",
                "tags": [
                  "x_research-advisory",
                  "x_transferred"
                ],
                "url": "https://www.zerodayinitiative.com/advisories/ZDI-24-184/"
              },
              {
                "name": "vendor-provided URL",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://security.inductiveautomation.com/?tcuUid=fc4c4515-046d-4365-b688-693337449c5b"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unknown",
              "product": "Ignition",
              "vendor": "Inductive Automation",
              "versions": [
                {
                  "status": "affected",
                  "version": "8.1.31"
                }
              ]
            }
          ],
          "dateAssigned": "2023-12-05T19:37:59.744Z",
          "datePublic": "2024-02-21T19:14:52.766Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Inductive Automation Ignition getParams Argument Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Inductive Automation Ignition. User interaction is required to exploit this vulnerability in that the target must connect to a malicious server.\n\nThe specific flaw exists within the getParams method. The issue results from the lack of proper validation of a user-supplied string before using it to prepare an argument for a system call. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-22028."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.0"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-88",
                  "description": "CWE-88: Improper Neutralization of Argument Delimiters in a Command (\u0027Argument Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-05-03T02:14:48.881Z",
            "orgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
            "shortName": "zdi"
          },
          "references": [
            {
              "name": "ZDI-24-184",
              "tags": [
                "x_research-advisory"
              ],
              "url": "https://www.zerodayinitiative.com/advisories/ZDI-24-184/"
            },
            {
              "name": "vendor-provided URL",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://security.inductiveautomation.com/?tcuUid=fc4c4515-046d-4365-b688-693337449c5b"
            }
          ],
          "source": {
            "lang": "en",
            "value": "Piotr Bazydlo (@chudypb) of Trend Micro Zero Day Initiative"
          },
          "title": "Inductive Automation Ignition getParams Argument Injection Remote Code Execution Vulnerability"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
        "assignerShortName": "zdi",
        "cveId": "CVE-2023-50232",
        "datePublished": "2024-05-03T02:14:48.881Z",
        "dateReserved": "2023-12-05T16:15:17.545Z",
        "dateUpdated": "2024-08-02T22:09:49.865Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-50223 (GCVE-0-2023-50223)

    Vulnerability from nvd – Published: 2024-05-03 02:14 – Updated: 2024-08-02 22:09
    VLAI
    Title
    Inductive Automation Ignition ExtendedDocumentCodec Deserialization of Untrusted Data Remote Code Execution Vulnerability
    Summary
    Inductive Automation Ignition ExtendedDocumentCodec Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Inductive Automation Ignition. Authentication is required to exploit this vulnerability. The specific flaw exists within the ExtendedDocumentCodec class. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-22127.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-502 - Deserialization of Untrusted Data
    Assigner
    zdi
    References
    Impacted products
    Vendor Product Version
    Inductive Automation Ignition Affected: 6.4.1.207
    Create a notification for this product.
    inductiveautomation ignition Affected: 6.4.1.207
        cpe:2.3:a:inductiveautomation:ignition:-:*:*:*:*:*:*:*
    Create a notification for this product.
    Date Public
    2024-01-05 15:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:inductiveautomation:ignition:-:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "ignition",
                "vendor": "inductiveautomation",
                "versions": [
                  {
                    "status": "affected",
                    "version": "6.4.1.207"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-50223",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-06-17T16:48:13.947162Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-17T17:05:08.998Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T22:09:49.796Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "ZDI-24-018",
                "tags": [
                  "x_research-advisory",
                  "x_transferred"
                ],
                "url": "https://www.zerodayinitiative.com/advisories/ZDI-24-018/"
              },
              {
                "name": "vendor-provided URL",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://security.inductiveautomation.com/?tcuUid=fc4c4515-046d-4365-b688-693337449c5b"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unknown",
              "product": "Ignition",
              "vendor": "Inductive Automation",
              "versions": [
                {
                  "status": "affected",
                  "version": "6.4.1.207"
                }
              ]
            }
          ],
          "dateAssigned": "2023-12-05T19:37:59.691Z",
          "datePublic": "2024-01-05T15:00:27.138Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Inductive Automation Ignition ExtendedDocumentCodec Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Inductive Automation Ignition. Authentication is required to exploit this vulnerability.\n\nThe specific flaw exists within the ExtendedDocumentCodec class. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-22127."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.0"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-502",
                  "description": "CWE-502: Deserialization of Untrusted Data",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-05-03T02:14:42.233Z",
            "orgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
            "shortName": "zdi"
          },
          "references": [
            {
              "name": "ZDI-24-018",
              "tags": [
                "x_research-advisory"
              ],
              "url": "https://www.zerodayinitiative.com/advisories/ZDI-24-018/"
            },
            {
              "name": "vendor-provided URL",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://security.inductiveautomation.com/?tcuUid=fc4c4515-046d-4365-b688-693337449c5b"
            }
          ],
          "source": {
            "lang": "en",
            "value": "Andy Niu of Trend Micro Security Research"
          },
          "title": "Inductive Automation Ignition ExtendedDocumentCodec Deserialization of Untrusted Data Remote Code Execution Vulnerability"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
        "assignerShortName": "zdi",
        "cveId": "CVE-2023-50223",
        "datePublished": "2024-05-03T02:14:42.233Z",
        "dateReserved": "2023-12-05T16:15:17.542Z",
        "dateUpdated": "2024-08-02T22:09:49.796Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-50222 (GCVE-0-2023-50222)

    Vulnerability from nvd – Published: 2024-05-03 02:14 – Updated: 2024-08-02 22:09
    VLAI
    Title
    Inductive Automation Ignition ResponseParser Notification Deserialization of Untrusted Data Remote Code Execution Vulnerability
    Summary
    Inductive Automation Ignition ResponseParser Notification Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Inductive Automation Ignition. User interaction is required to exploit this vulnerability in that the target must connect to a malicious server. The specific flaw exists within the ResponseParser method. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-22067.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-502 - Deserialization of Untrusted Data
    Assigner
    zdi
    References
    Impacted products
    Vendor Product Version
    Inductive Automation Ignition Affected: 8.1.31
    Create a notification for this product.
    inductiveautomation ignition Affected: 8.1.31
        cpe:2.3:a:inductiveautomation:ignition:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Date Public
    2024-01-05 15:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:inductiveautomation:ignition:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "ignition",
                "vendor": "inductiveautomation",
                "versions": [
                  {
                    "status": "affected",
                    "version": "8.1.31"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-50222",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-05-03T21:03:47.740884Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-04T17:17:59.944Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T22:09:49.870Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "ZDI-24-017",
                "tags": [
                  "x_research-advisory",
                  "x_transferred"
                ],
                "url": "https://www.zerodayinitiative.com/advisories/ZDI-24-017/"
              },
              {
                "name": "vendor-provided URL",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://security.inductiveautomation.com/?tcuUid=fc4c4515-046d-4365-b688-693337449c5b"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unknown",
              "product": "Ignition",
              "vendor": "Inductive Automation",
              "versions": [
                {
                  "status": "affected",
                  "version": "8.1.31"
                }
              ]
            }
          ],
          "dateAssigned": "2023-12-05T19:37:59.686Z",
          "datePublic": "2024-01-05T15:00:22.033Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Inductive Automation Ignition ResponseParser Notification Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Inductive Automation Ignition. User interaction is required to exploit this vulnerability in that the target must connect to a malicious server.\n\nThe specific flaw exists within the ResponseParser method. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-22067."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.0"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-502",
                  "description": "CWE-502: Deserialization of Untrusted Data",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-05-03T02:14:41.474Z",
            "orgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
            "shortName": "zdi"
          },
          "references": [
            {
              "name": "ZDI-24-017",
              "tags": [
                "x_research-advisory"
              ],
              "url": "https://www.zerodayinitiative.com/advisories/ZDI-24-017/"
            },
            {
              "name": "vendor-provided URL",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://security.inductiveautomation.com/?tcuUid=fc4c4515-046d-4365-b688-693337449c5b"
            }
          ],
          "source": {
            "lang": "en",
            "value": "Piotr Bazydlo (@chudypb) of Trend Micro Zero Day Initiative"
          },
          "title": "Inductive Automation Ignition ResponseParser Notification Deserialization of Untrusted Data Remote Code Execution Vulnerability"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
        "assignerShortName": "zdi",
        "cveId": "CVE-2023-50222",
        "datePublished": "2024-05-03T02:14:41.474Z",
        "dateReserved": "2023-12-05T16:15:17.542Z",
        "dateUpdated": "2024-08-02T22:09:49.870Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-50221 (GCVE-0-2023-50221)

    Vulnerability from nvd – Published: 2024-05-03 02:14 – Updated: 2024-08-02 22:09
    VLAI
    Title
    Inductive Automation Ignition ResponseParser SerializedResponse Deserialization of Untrusted Data Remote Code Execution Vulnerability
    Summary
    Inductive Automation Ignition ResponseParser SerializedResponse Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Inductive Automation Ignition. User interaction is required to exploit this vulnerability in that the target must connect to a malicious server. The specific flaw exists within the ResponseParser method. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-21926.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-502 - Deserialization of Untrusted Data
    Assigner
    zdi
    References
    Impacted products
    Vendor Product Version
    Inductive Automation Ignition Affected: 8.1.31
    Create a notification for this product.
    inductiveautomation ignition Affected: 8.1.31
        cpe:2.3:a:inductiveautomation:ignition:-:*:*:*:*:*:*:*
    Create a notification for this product.
    Date Public
    2024-01-05 15:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:inductiveautomation:ignition:-:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "ignition",
                "vendor": "inductiveautomation",
                "versions": [
                  {
                    "status": "affected",
                    "version": "8.1.31"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-50221",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-06-17T19:58:04.180966Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-17T20:01:39.250Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T22:09:49.681Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "ZDI-24-016",
                "tags": [
                  "x_research-advisory",
                  "x_transferred"
                ],
                "url": "https://www.zerodayinitiative.com/advisories/ZDI-24-016/"
              },
              {
                "name": "vendor-provided URL",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://security.inductiveautomation.com/?tcuUid=fc4c4515-046d-4365-b688-693337449c5b"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unknown",
              "product": "Ignition",
              "vendor": "Inductive Automation",
              "versions": [
                {
                  "status": "affected",
                  "version": "8.1.31"
                }
              ]
            }
          ],
          "dateAssigned": "2023-12-05T19:37:59.678Z",
          "datePublic": "2024-01-05T15:00:17.168Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Inductive Automation Ignition ResponseParser SerializedResponse Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Inductive Automation Ignition. User interaction is required to exploit this vulnerability in that the target must connect to a malicious server.\n\nThe specific flaw exists within the ResponseParser method. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-21926."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.0"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-502",
                  "description": "CWE-502: Deserialization of Untrusted Data",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-05-03T02:14:40.701Z",
            "orgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
            "shortName": "zdi"
          },
          "references": [
            {
              "name": "ZDI-24-016",
              "tags": [
                "x_research-advisory"
              ],
              "url": "https://www.zerodayinitiative.com/advisories/ZDI-24-016/"
            },
            {
              "name": "vendor-provided URL",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://security.inductiveautomation.com/?tcuUid=fc4c4515-046d-4365-b688-693337449c5b"
            }
          ],
          "source": {
            "lang": "en",
            "value": "Nguyen Quoc Viet (Petrus Viet) of VNG Security Researcher"
          },
          "title": "Inductive Automation Ignition ResponseParser SerializedResponse Deserialization of Untrusted Data Remote Code Execution Vulnerability"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
        "assignerShortName": "zdi",
        "cveId": "CVE-2023-50221",
        "datePublished": "2024-05-03T02:14:40.701Z",
        "dateReserved": "2023-12-05T16:15:17.542Z",
        "dateUpdated": "2024-08-02T22:09:49.681Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-50220 (GCVE-0-2023-50220)

    Vulnerability from nvd – Published: 2024-05-03 02:14 – Updated: 2024-08-02 22:09
    VLAI
    Title
    Inductive Automation Ignition Base64Element Deserialization of Untrusted Data Remote Code Execution Vulnerability
    Summary
    Inductive Automation Ignition Base64Element Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Inductive Automation Ignition. Authentication is required to exploit this vulnerability. The specific flaw exists within the Base64Element class. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-21801.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-502 - Deserialization of Untrusted Data
    Assigner
    zdi
    References
    Impacted products
    Vendor Product Version
    Inductive Automation Ignition Affected: 8.1.30
    Create a notification for this product.
    inductiveautomation ignition Affected: 8.1.30
        cpe:2.3:a:inductiveautomation:ignition:8.1.3:*:*:*:*:*:*:*
    Create a notification for this product.
    Date Public
    2024-01-05 15:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:inductiveautomation:ignition:8.1.3:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "ignition",
                "vendor": "inductiveautomation",
                "versions": [
                  {
                    "status": "affected",
                    "version": "8.1.30"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-50220",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-05-21T18:14:54.610553Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-04T17:17:50.778Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T22:09:49.876Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "ZDI-24-015",
                "tags": [
                  "x_research-advisory",
                  "x_transferred"
                ],
                "url": "https://www.zerodayinitiative.com/advisories/ZDI-24-015/"
              },
              {
                "name": "vendor-provided URL",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://security.inductiveautomation.com/?tcuUid=fc4c4515-046d-4365-b688-693337449c5b"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unknown",
              "product": "Ignition",
              "vendor": "Inductive Automation",
              "versions": [
                {
                  "status": "affected",
                  "version": "8.1.30"
                }
              ]
            }
          ],
          "dateAssigned": "2023-12-05T19:37:59.672Z",
          "datePublic": "2024-01-05T15:00:11.022Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Inductive Automation Ignition Base64Element Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Inductive Automation Ignition. Authentication is required to exploit this vulnerability.\n\nThe specific flaw exists within the Base64Element class. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-21801."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.0"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-502",
                  "description": "CWE-502: Deserialization of Untrusted Data",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-05-03T02:14:39.917Z",
            "orgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
            "shortName": "zdi"
          },
          "references": [
            {
              "name": "ZDI-24-015",
              "tags": [
                "x_research-advisory"
              ],
              "url": "https://www.zerodayinitiative.com/advisories/ZDI-24-015/"
            },
            {
              "name": "vendor-provided URL",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://security.inductiveautomation.com/?tcuUid=fc4c4515-046d-4365-b688-693337449c5b"
            }
          ],
          "source": {
            "lang": "en",
            "value": "Nguyen Quoc Viet (Petrus Viet) of VNG Security Researcher"
          },
          "title": "Inductive Automation Ignition Base64Element Deserialization of Untrusted Data Remote Code Execution Vulnerability"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
        "assignerShortName": "zdi",
        "cveId": "CVE-2023-50220",
        "datePublished": "2024-05-03T02:14:39.917Z",
        "dateReserved": "2023-12-05T16:15:17.542Z",
        "dateUpdated": "2024-08-02T22:09:49.876Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-50219 (GCVE-0-2023-50219)

    Vulnerability from nvd – Published: 2024-05-03 02:14 – Updated: 2024-08-02 22:09
    VLAI
    Title
    Inductive Automation Ignition RunQuery Deserialization of Untrusted Data Remote Code Execution Vulnerability
    Summary
    Inductive Automation Ignition RunQuery Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Inductive Automation Ignition. Authentication is required to exploit this vulnerability. The specific flaw exists within the RunQuery class. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-21625.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-502 - Deserialization of Untrusted Data
    Assigner
    zdi
    References
    Impacted products
    Vendor Product Version
    Inductive Automation Ignition Affected: 8.1.30
    Create a notification for this product.
    inductiveautomation ignition Affected: 8.1.30
        cpe:2.3:a:inductiveautomation:ignition:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Date Public
    2024-01-05 15:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:inductiveautomation:ignition:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "ignition",
                "vendor": "inductiveautomation",
                "versions": [
                  {
                    "status": "affected",
                    "version": "8.1.30"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-50219",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-05-03T20:15:14.831755Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-04T17:17:51.888Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T22:09:49.777Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "ZDI-24-014",
                "tags": [
                  "x_research-advisory",
                  "x_transferred"
                ],
                "url": "https://www.zerodayinitiative.com/advisories/ZDI-24-014/"
              },
              {
                "name": "vendor-provided URL",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://security.inductiveautomation.com/?tcuUid=fc4c4515-046d-4365-b688-693337449c5b"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unknown",
              "product": "Ignition",
              "vendor": "Inductive Automation",
              "versions": [
                {
                  "status": "affected",
                  "version": "8.1.30"
                }
              ]
            }
          ],
          "dateAssigned": "2023-12-05T19:37:59.667Z",
          "datePublic": "2024-01-05T15:00:05.498Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Inductive Automation Ignition RunQuery Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Inductive Automation Ignition. Authentication is required to exploit this vulnerability.\n\nThe specific flaw exists within the RunQuery class. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-21625."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.0"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-502",
                  "description": "CWE-502: Deserialization of Untrusted Data",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-05-03T02:14:39.147Z",
            "orgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
            "shortName": "zdi"
          },
          "references": [
            {
              "name": "ZDI-24-014",
              "tags": [
                "x_research-advisory"
              ],
              "url": "https://www.zerodayinitiative.com/advisories/ZDI-24-014/"
            },
            {
              "name": "vendor-provided URL",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://security.inductiveautomation.com/?tcuUid=fc4c4515-046d-4365-b688-693337449c5b"
            }
          ],
          "source": {
            "lang": "en",
            "value": "Nguyen Quoc Viet (Petrus Viet) of VNG Security Researcher"
          },
          "title": "Inductive Automation Ignition RunQuery Deserialization of Untrusted Data Remote Code Execution Vulnerability"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
        "assignerShortName": "zdi",
        "cveId": "CVE-2023-50219",
        "datePublished": "2024-05-03T02:14:39.147Z",
        "dateReserved": "2023-12-05T16:15:17.542Z",
        "dateUpdated": "2024-08-02T22:09:49.777Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-50218 (GCVE-0-2023-50218)

    Vulnerability from nvd – Published: 2024-05-03 02:14 – Updated: 2024-08-02 22:09
    VLAI
    Title
    Inductive Automation Ignition ModuleInvoke Deserialization of Untrusted Data Remote Code Execution Vulnerability
    Summary
    Inductive Automation Ignition ModuleInvoke Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Inductive Automation Ignition. Authentication is required to exploit this vulnerability. The specific flaw exists within the ModuleInvoke class. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-21624.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-502 - Deserialization of Untrusted Data
    Assigner
    zdi
    References
    Impacted products
    Vendor Product Version
    Inductive Automation Ignition Affected: 8.1.30
    Create a notification for this product.
    inductiveautomation ignition Affected: 8.1.3
        cpe:2.3:a:inductiveautomation:ignition:8.1.3:*:*:*:*:*:*:*
    Create a notification for this product.
    Date Public
    2024-01-05 14:56
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:inductiveautomation:ignition:8.1.3:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "ignition",
                "vendor": "inductiveautomation",
                "versions": [
                  {
                    "status": "affected",
                    "version": "8.1.3"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-50218",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-05-06T20:56:49.694175Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-04T17:17:58.468Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T22:09:49.786Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "ZDI-23-1813",
                "tags": [
                  "x_research-advisory",
                  "x_transferred"
                ],
                "url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1813/"
              },
              {
                "name": "vendor-provided URL",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://security.inductiveautomation.com/?tcuUid=fc4c4515-046d-4365-b688-693337449c5b"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unknown",
              "product": "Ignition",
              "vendor": "Inductive Automation",
              "versions": [
                {
                  "status": "affected",
                  "version": "8.1.30"
                }
              ]
            }
          ],
          "dateAssigned": "2023-12-05T19:37:59.662Z",
          "datePublic": "2024-01-05T14:56:04.085Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Inductive Automation Ignition ModuleInvoke Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Inductive Automation Ignition. Authentication is required to exploit this vulnerability.\n\nThe specific flaw exists within the ModuleInvoke class. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-21624."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.0"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-502",
                  "description": "CWE-502: Deserialization of Untrusted Data",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-05-03T02:14:38.394Z",
            "orgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
            "shortName": "zdi"
          },
          "references": [
            {
              "name": "ZDI-23-1813",
              "tags": [
                "x_research-advisory"
              ],
              "url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1813/"
            },
            {
              "name": "vendor-provided URL",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://security.inductiveautomation.com/?tcuUid=fc4c4515-046d-4365-b688-693337449c5b"
            }
          ],
          "source": {
            "lang": "en",
            "value": "Nguyen Quoc Viet (Petrus Viet) of VNG Security Researcher"
          },
          "title": "Inductive Automation Ignition ModuleInvoke Deserialization of Untrusted Data Remote Code Execution Vulnerability"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
        "assignerShortName": "zdi",
        "cveId": "CVE-2023-50218",
        "datePublished": "2024-05-03T02:14:38.394Z",
        "dateReserved": "2023-12-05T16:15:17.542Z",
        "dateUpdated": "2024-08-02T22:09:49.786Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-39477 (GCVE-0-2023-39477)

    Vulnerability from nvd – Published: 2024-05-03 02:10 – Updated: 2024-08-02 18:10
    VLAI
    Title
    Inductive Automation Ignition ConditionRefresh Resource Exhaustion Denial-of-Service Vulnerability
    Summary
    Inductive Automation Ignition ConditionRefresh Resource Exhaustion Denial-of-Service Vulnerability. This vulnerability allows remote attackers to create a denial-of-service condition on affected installations of Inductive Automation Ignition. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of OPC UA ConditionRefresh requests. By sending a large number of requests, an attacker can consume all available resources on the server. An attacker can leverage this vulnerability to create a denial-of-service condition on the system. Was ZDI-CAN-20499.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-400 - Uncontrolled Resource Consumption ('Resource Exhaustion')
    Assigner
    zdi
    References
    Impacted products
    Vendor Product Version
    Inductive Automation Ignition Affected: 8.1.24
    Create a notification for this product.
    inductiveautomation ignition Affected: 8.1.24
        cpe:2.3:a:inductiveautomation:ignition:8.1.24:*:*:*:*:*:*:*
    Create a notification for this product.
    Date Public
    2023-08-08 14:49
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:inductiveautomation:ignition:8.1.24:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "ignition",
                "vendor": "inductiveautomation",
                "versions": [
                  {
                    "status": "affected",
                    "version": "8.1.24"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-39477",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-06-05T15:47:53.751712Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-05T17:35:42.447Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T18:10:20.832Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "ZDI-23-1050",
                "tags": [
                  "x_research-advisory",
                  "x_transferred"
                ],
                "url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1050/"
              },
              {
                "name": "vendor-provided URL",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://inductiveautomation.com/downloads/releasenotes/8.1.33"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unknown",
              "product": "Ignition",
              "vendor": "Inductive Automation",
              "versions": [
                {
                  "status": "affected",
                  "version": "8.1.24"
                }
              ]
            }
          ],
          "dateAssigned": "2023-08-02T21:44:31.510Z",
          "datePublic": "2023-08-08T14:49:31.561Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Inductive Automation Ignition ConditionRefresh Resource Exhaustion Denial-of-Service Vulnerability. This vulnerability allows remote attackers to create a denial-of-service condition on affected installations of Inductive Automation Ignition. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the handling of OPC UA ConditionRefresh requests. By sending a large number of requests, an attacker can consume all available resources on the server. An attacker can leverage this vulnerability to create a denial-of-service condition on the system. Was ZDI-CAN-20499."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.0"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-400",
                  "description": "CWE-400: Uncontrolled Resource Consumption (\u0027Resource Exhaustion\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-05-03T02:10:42.854Z",
            "orgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
            "shortName": "zdi"
          },
          "references": [
            {
              "name": "ZDI-23-1050",
              "tags": [
                "x_research-advisory"
              ],
              "url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1050/"
            },
            {
              "name": "vendor-provided URL",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://inductiveautomation.com/downloads/releasenotes/8.1.33"
            }
          ],
          "source": {
            "lang": "en",
            "value": "Claroty Research - Team82 - Uri Katz, Noam Moshe, Vera Vens, Sharon Brizinov"
          },
          "title": "Inductive Automation Ignition ConditionRefresh Resource Exhaustion Denial-of-Service Vulnerability"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
        "assignerShortName": "zdi",
        "cveId": "CVE-2023-39477",
        "datePublished": "2024-05-03T02:10:42.854Z",
        "dateReserved": "2023-08-02T21:37:23.124Z",
        "dateUpdated": "2024-08-02T18:10:20.832Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-39476 (GCVE-0-2023-39476)

    Vulnerability from nvd – Published: 2024-05-03 02:10 – Updated: 2024-08-02 18:10
    VLAI
    Title
    Inductive Automation Ignition JavaSerializationCodec Deserialization of Untrusted Data Remote Code Execution Vulnerability
    Summary
    Inductive Automation Ignition JavaSerializationCodec Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Inductive Automation Ignition. Authentication is not required to exploit this vulnerability. The specific flaw exists within the JavaSerializationCodec class. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-20291.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-502 - Deserialization of Untrusted Data
    Assigner
    zdi
    References
    Impacted products
    Vendor Product Version
    Inductive Automation Ignition Affected: 8.1.25
    Create a notification for this product.
    inductiveautomation ignition Affected: 8.1.22 , < 8.1.35 (custom)
        cpe:2.3:a:inductiveautomation:ignition:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Date Public
    2023-08-08 14:49
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:inductiveautomation:ignition:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "ignition",
                "vendor": "inductiveautomation",
                "versions": [
                  {
                    "lessThan": "8.1.35",
                    "status": "affected",
                    "version": "8.1.22",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-39476",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-07-05T17:03:23.809391Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-07-05T20:59:53.039Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T18:10:20.678Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "ZDI-23-1046",
                "tags": [
                  "x_research-advisory",
                  "x_transferred"
                ],
                "url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1046/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unknown",
              "product": "Ignition",
              "vendor": "Inductive Automation",
              "versions": [
                {
                  "status": "affected",
                  "version": "8.1.25"
                }
              ]
            }
          ],
          "dateAssigned": "2023-08-02T21:44:31.504Z",
          "datePublic": "2023-08-08T14:49:12.720Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Inductive Automation Ignition JavaSerializationCodec Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Inductive Automation Ignition. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the JavaSerializationCodec class. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-20291."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.0"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-502",
                  "description": "CWE-502: Deserialization of Untrusted Data",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-05-03T02:10:42.122Z",
            "orgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
            "shortName": "zdi"
          },
          "references": [
            {
              "name": "ZDI-23-1046",
              "tags": [
                "x_research-advisory"
              ],
              "url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1046/"
            }
          ],
          "source": {
            "lang": "en",
            "value": "Rocco Calvi (@TecR0c) and Steven Seeley (mr_me) of Incite Team"
          },
          "title": "Inductive Automation Ignition JavaSerializationCodec Deserialization of Untrusted Data Remote Code Execution Vulnerability"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
        "assignerShortName": "zdi",
        "cveId": "CVE-2023-39476",
        "datePublished": "2024-05-03T02:10:42.122Z",
        "dateReserved": "2023-08-02T21:37:23.124Z",
        "dateUpdated": "2024-08-02T18:10:20.678Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-39475 (GCVE-0-2023-39475)

    Vulnerability from nvd – Published: 2024-05-03 02:10 – Updated: 2024-08-02 18:10
    VLAI
    Title
    Inductive Automation Ignition ParameterVersionJavaSerializationCodec Deserialization of Untrusted Data Remote Code Execution Vulnerability
    Summary
    Inductive Automation Ignition ParameterVersionJavaSerializationCodec Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Inductive Automation Ignition. Authentication is not required to exploit this vulnerability. The specific flaw exists within the ParameterVersionJavaSerializationCodec class. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-20290.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-502 - Deserialization of Untrusted Data
    Assigner
    zdi
    References
    Impacted products
    Vendor Product Version
    Inductive Automation Ignition Affected: 8.1.25
    Create a notification for this product.
    inductiveautomation ignition Affected: 8.1.22 , < 8.1.35 (custom)
        cpe:2.3:a:inductiveautomation:ignition:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Date Public
    2023-08-08 14:49
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:inductiveautomation:ignition:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "ignition",
                "vendor": "inductiveautomation",
                "versions": [
                  {
                    "lessThan": "8.1.35",
                    "status": "affected",
                    "version": "8.1.22",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-39475",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-07-05T17:00:31.612223Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-07-05T20:59:42.213Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T18:10:20.695Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "ZDI-23-1047",
                "tags": [
                  "x_research-advisory",
                  "x_transferred"
                ],
                "url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1047/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unknown",
              "product": "Ignition",
              "vendor": "Inductive Automation",
              "versions": [
                {
                  "status": "affected",
                  "version": "8.1.25"
                }
              ]
            }
          ],
          "dateAssigned": "2023-08-02T21:44:31.499Z",
          "datePublic": "2023-08-08T14:49:17.670Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Inductive Automation Ignition ParameterVersionJavaSerializationCodec Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Inductive Automation Ignition. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the ParameterVersionJavaSerializationCodec class. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-20290."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.0"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-502",
                  "description": "CWE-502: Deserialization of Untrusted Data",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-05-03T02:10:41.406Z",
            "orgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
            "shortName": "zdi"
          },
          "references": [
            {
              "name": "ZDI-23-1047",
              "tags": [
                "x_research-advisory"
              ],
              "url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1047/"
            }
          ],
          "source": {
            "lang": "en",
            "value": "Rocco Calvi (@TecR0c) and Steven Seeley (mr_me) of Incite Team"
          },
          "title": "Inductive Automation Ignition ParameterVersionJavaSerializationCodec Deserialization of Untrusted Data Remote Code Execution Vulnerability"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
        "assignerShortName": "zdi",
        "cveId": "CVE-2023-39475",
        "datePublished": "2024-05-03T02:10:41.406Z",
        "dateReserved": "2023-08-02T21:37:23.124Z",
        "dateUpdated": "2024-08-02T18:10:20.695Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-39474 (GCVE-0-2023-39474)

    Vulnerability from nvd – Published: 2024-05-03 02:10 – Updated: 2024-09-18 18:29
    VLAI
    Title
    Inductive Automation Ignition downloadLaunchClientJar Remote Code Execution Vulnerability
    Summary
    Inductive Automation Ignition downloadLaunchClientJar Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Inductive Automation Ignition. User interaction is required to exploit this vulnerability in that the target must connect to a malicious server. The specific flaw exists within the downloadLaunchClientJar function. The issue results from the lack of validating a remote JAR file prior to loading it. An attacker can leverage this vulnerability to execute code in the context of the current user. . Was ZDI-CAN-19915.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-494 - Download of Code Without Integrity Check
    Assigner
    zdi
    References
    Impacted products
    Vendor Product Version
    Inductive Automation Ignition Affected: 8.1.24-RC / 1.1.24-RC
    Create a notification for this product.
    inductiveautomation ignition Affected: 0 , < * (custom)
        cpe:2.3:a:inductiveautomation:ignition:-:*:*:*:*:*:*:*
    Create a notification for this product.
    Date Public
    2023-08-08 14:49
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:inductiveautomation:ignition:-:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "ignition",
                "vendor": "inductiveautomation",
                "versions": [
                  {
                    "lessThan": "*",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-39474",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-06-17T19:35:35.328270Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-17T19:35:38.394Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T18:10:21.129Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "ZDI-23-1049",
                "tags": [
                  "x_research-advisory",
                  "x_transferred"
                ],
                "url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1049/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unknown",
              "product": "Ignition",
              "vendor": "Inductive Automation",
              "versions": [
                {
                  "status": "affected",
                  "version": "8.1.24-RC / 1.1.24-RC"
                }
              ]
            }
          ],
          "dateAssigned": "2023-08-02T21:44:31.493Z",
          "datePublic": "2023-08-08T14:49:25.873Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Inductive Automation Ignition downloadLaunchClientJar Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Inductive Automation Ignition. User interaction is required to exploit this vulnerability in that the target must connect to a malicious server.\n\nThe specific flaw exists within the downloadLaunchClientJar function. The issue results from the lack of validating a remote JAR file prior to loading it. An attacker can leverage this vulnerability to execute code in the context of the current user.\n. Was ZDI-CAN-19915."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "baseScore": 8,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.0"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-494",
                  "description": "CWE-494: Download of Code Without Integrity Check",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-09-18T18:29:37.407Z",
            "orgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
            "shortName": "zdi"
          },
          "references": [
            {
              "name": "ZDI-23-1049",
              "tags": [
                "x_research-advisory"
              ],
              "url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1049/"
            }
          ],
          "source": {
            "lang": "en",
            "value": "Nguy\u1ec5n Ti\u1ebfn Giang (Jang) of STAR Labs SG Pte. Ltd."
          },
          "title": "Inductive Automation Ignition downloadLaunchClientJar Remote Code Execution Vulnerability"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
        "assignerShortName": "zdi",
        "cveId": "CVE-2023-39474",
        "datePublished": "2024-05-03T02:10:40.714Z",
        "dateReserved": "2023-08-02T21:37:23.124Z",
        "dateUpdated": "2024-09-18T18:29:37.407Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-39473 (GCVE-0-2023-39473)

    Vulnerability from nvd – Published: 2024-05-03 02:10 – Updated: 2024-09-18 18:29
    VLAI
    Title
    Inductive Automation Ignition AbstractGatewayFunction Deserialization of Untrusted Data Remote Code Execution Vulnerability
    Summary
    Inductive Automation Ignition AbstractGatewayFunction Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Inductive Automation Ignition. Authentication is required to exploit this vulnerability. The specific flaw exists within the AbstractGatewayFunction class. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. . Was ZDI-CAN-17587.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-502 - Deserialization of Untrusted Data
    Assigner
    zdi
    References
    Impacted products
    Vendor Product Version
    Inductive Automation Ignition Affected: Inductive Automation Ignition 8.1.17 LTS
    Create a notification for this product.
    inductiveautomation ignition Affected: 8.1 , < 8.1.35 (custom)
        cpe:2.3:a:inductiveautomation:ignition:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Date Public
    2023-08-08 14:49
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:inductiveautomation:ignition:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "ignition",
                "vendor": "inductiveautomation",
                "versions": [
                  {
                    "lessThan": "8.1.35",
                    "status": "affected",
                    "version": "8.1",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-39473",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-07-05T17:14:05.364540Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-07-05T21:00:08.201Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T18:10:20.890Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "ZDI-23-1045",
                "tags": [
                  "x_research-advisory",
                  "x_transferred"
                ],
                "url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1045/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unknown",
              "product": "Ignition",
              "vendor": "Inductive Automation",
              "versions": [
                {
                  "status": "affected",
                  "version": "Inductive Automation Ignition 8.1.17 LTS"
                }
              ]
            }
          ],
          "dateAssigned": "2023-08-02T21:44:31.488Z",
          "datePublic": "2023-08-08T14:49:09.386Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Inductive Automation Ignition AbstractGatewayFunction Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Inductive Automation Ignition. Authentication is required to exploit this vulnerability.\n\nThe specific flaw exists within the AbstractGatewayFunction class. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of SYSTEM.\n. Was ZDI-CAN-17587."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.0"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-502",
                  "description": "CWE-502: Deserialization of Untrusted Data",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-09-18T18:29:36.706Z",
            "orgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
            "shortName": "zdi"
          },
          "references": [
            {
              "name": "ZDI-23-1045",
              "tags": [
                "x_research-advisory"
              ],
              "url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1045/"
            }
          ],
          "source": {
            "lang": "en",
            "value": "Piotr Bazydlo (@chudypb) of Trend Micro Zero Day Initiative"
          },
          "title": "Inductive Automation Ignition AbstractGatewayFunction Deserialization of Untrusted Data Remote Code Execution Vulnerability"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
        "assignerShortName": "zdi",
        "cveId": "CVE-2023-39473",
        "datePublished": "2024-05-03T02:10:39.937Z",
        "dateReserved": "2023-08-02T21:37:23.124Z",
        "dateUpdated": "2024-09-18T18:29:36.706Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-39472 (GCVE-0-2023-39472)

    Vulnerability from nvd – Published: 2024-05-03 02:10 – Updated: 2024-08-02 18:10
    VLAI
    Title
    Inductive Automation Ignition SimpleXMLReader XML External Entity Processing Information Disclosure Vulnerability
    Summary
    Inductive Automation Ignition SimpleXMLReader XML External Entity Processing Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Inductive Automation Ignition. Authentication is required to exploit this vulnerability. The specific flaw exists within the SimpleXMLReader class. Due to the improper restriction of XML External Entity (XXE) references, a crafted document specifying a URI causes the XML parser to access the URI and embed the contents back into the XML document for further processing. An attacker can leverage this vulnerability to disclose information in the context of the SYSTEM. . Was ZDI-CAN-17571.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-611 - Improper Restriction of XML External Entity Reference ('XXE')
    Assigner
    zdi
    References
    Impacted products
    Vendor Product Version
    Inductive Automation Ignition Affected: 8.1.17 LTS
    Create a notification for this product.
    inductiveautomation ignition Affected: 8.1.17 LTS
        cpe:2.3:a:inductiveautomation:ignition:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Date Public
    2023-08-08 14:49
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:inductiveautomation:ignition:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "ignition",
                "vendor": "inductiveautomation",
                "versions": [
                  {
                    "status": "affected",
                    "version": "8.1.17 LTS"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-39472",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-05-10T18:22:51.863259Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-04T17:27:10.426Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T18:10:20.889Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "ZDI-23-1048",
                "tags": [
                  "x_research-advisory",
                  "x_transferred"
                ],
                "url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1048/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unknown",
              "product": "Ignition",
              "vendor": "Inductive Automation",
              "versions": [
                {
                  "status": "affected",
                  "version": "8.1.17 LTS"
                }
              ]
            }
          ],
          "dateAssigned": "2023-08-02T21:44:31.483Z",
          "datePublic": "2023-08-08T14:49:22.244Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Inductive Automation Ignition SimpleXMLReader XML External Entity Processing Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Inductive Automation Ignition. Authentication is required to exploit this vulnerability.\n\nThe specific flaw exists within the SimpleXMLReader class. Due to the improper restriction of XML External Entity (XXE) references, a crafted document specifying a URI causes the XML parser to access the URI and embed the contents back into the XML document for further processing. An attacker can leverage this vulnerability to disclose information in the context of the SYSTEM.\n. Was ZDI-CAN-17571."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.0"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-611",
                  "description": "CWE-611: Improper Restriction of XML External Entity Reference (\u0027XXE\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-05-09T22:21:06.255Z",
            "orgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
            "shortName": "zdi"
          },
          "references": [
            {
              "name": "ZDI-23-1048",
              "tags": [
                "x_research-advisory"
              ],
              "url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1048/"
            }
          ],
          "source": {
            "lang": "en",
            "value": "Piotr Bazydlo (@chudypb) of Trend Micro Zero Day Initiative"
          },
          "title": "Inductive Automation Ignition SimpleXMLReader XML External Entity Processing Information Disclosure Vulnerability"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
        "assignerShortName": "zdi",
        "cveId": "CVE-2023-39472",
        "datePublished": "2024-05-03T02:10:39.196Z",
        "dateReserved": "2023-08-02T21:37:23.124Z",
        "dateUpdated": "2024-08-02T18:10:20.889Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-38124 (GCVE-0-2023-38124)

    Vulnerability from nvd – Published: 2024-05-03 01:59 – Updated: 2024-08-02 17:30
    VLAI
    Title
    Inductive Automation Ignition OPC UA Quick Client Task Scheduling Exposed Dangerous Function Remote Code Execution Vulnerability
    Summary
    Inductive Automation Ignition OPC UA Quick Client Task Scheduling Exposed Dangerous Function Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Inductive Automation Ignition. Authentication is required to exploit this vulnerability. The specific flaw exists within the Ignition Gateway server. The issue results from the exposure of a dangerous function. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-20541.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-749 - Exposed Dangerous Method or Function
    Assigner
    zdi
    References
    Impacted products
    Vendor Product Version
    Inductive Automation Ignition Affected: 8.1.24
    Create a notification for this product.
    inductiveautomation ignition Affected: *
        cpe:2.3:a:inductiveautomation:ignition:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Date Public
    2023-08-01 14:08
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:inductiveautomation:ignition:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "ignition",
                "vendor": "inductiveautomation",
                "versions": [
                  {
                    "status": "affected",
                    "version": "*"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-38124",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-05-16T17:29:25.520163Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-04T17:27:56.867Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T17:30:14.097Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "ZDI-23-1015",
                "tags": [
                  "x_research-advisory",
                  "x_transferred"
                ],
                "url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1015/"
              },
              {
                "name": "vendor-provided URL",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://inductiveautomation.com/blog/inductive-automation-participates-in-pwn2own-to-strengthen-ignition-security"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unknown",
              "product": "Ignition",
              "vendor": "Inductive Automation",
              "versions": [
                {
                  "status": "affected",
                  "version": "8.1.24"
                }
              ]
            }
          ],
          "dateAssigned": "2023-07-12T15:35:25.013Z",
          "datePublic": "2023-08-01T14:08:05.021Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Inductive Automation Ignition OPC UA Quick Client Task Scheduling Exposed Dangerous Function Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Inductive Automation Ignition. Authentication is required to exploit this vulnerability.\n\nThe specific flaw exists within the Ignition Gateway server. The issue results from the exposure of a dangerous function. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-20541."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.0"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-749",
                  "description": "CWE-749: Exposed Dangerous Method or Function",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-05-03T01:59:20.496Z",
            "orgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
            "shortName": "zdi"
          },
          "references": [
            {
              "name": "ZDI-23-1015",
              "tags": [
                "x_research-advisory"
              ],
              "url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1015/"
            },
            {
              "name": "vendor-provided URL",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://inductiveautomation.com/blog/inductive-automation-participates-in-pwn2own-to-strengthen-ignition-security"
            }
          ],
          "source": {
            "lang": "en",
            "value": "20urdjk"
          },
          "title": "Inductive Automation Ignition OPC UA Quick Client Task Scheduling Exposed Dangerous Function Remote Code Execution Vulnerability"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
        "assignerShortName": "zdi",
        "cveId": "CVE-2023-38124",
        "datePublished": "2024-05-03T01:59:20.496Z",
        "dateReserved": "2023-07-12T15:22:20.623Z",
        "dateUpdated": "2024-08-02T17:30:14.097Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-38123 (GCVE-0-2023-38123)

    Vulnerability from nvd – Published: 2024-05-03 01:59 – Updated: 2024-08-02 17:30
    VLAI
    Title
    Inductive Automation Ignition OPC UA Quick Client Missing Authentication for Critical Function Authentication Bypass Vulnerability
    Summary
    Inductive Automation Ignition OPC UA Quick Client Missing Authentication for Critical Function Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of Inductive Automation Ignition. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the server configuration. The issue results from the lack of authentication prior to allowing access to password change functionality. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-20540.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-306 - Missing Authentication for Critical Function
    Assigner
    zdi
    References
    Impacted products
    Vendor Product Version
    Inductive Automation Ignition Affected: 8.1.24
    Create a notification for this product.
    inductiveautomation ignition Affected: 8.1.24
        cpe:2.3:a:inductiveautomation:ignition:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Date Public
    2023-08-01 14:07
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:inductiveautomation:ignition:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "ignition",
                "vendor": "inductiveautomation",
                "versions": [
                  {
                    "status": "affected",
                    "version": "8.1.24"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-38123",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-05-06T18:20:26.377240Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-04T17:28:11.909Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T17:30:14.068Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "ZDI-23-1014",
                "tags": [
                  "x_research-advisory",
                  "x_transferred"
                ],
                "url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1014/"
              },
              {
                "name": "vendor-provided URL",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://inductiveautomation.com/blog/inductive-automation-participates-in-pwn2own-to-strengthen-ignition-security"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unknown",
              "product": "Ignition",
              "vendor": "Inductive Automation",
              "versions": [
                {
                  "status": "affected",
                  "version": "8.1.24"
                }
              ]
            }
          ],
          "dateAssigned": "2023-07-12T15:35:25.007Z",
          "datePublic": "2023-08-01T14:07:57.002Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Inductive Automation Ignition OPC UA Quick Client Missing Authentication for Critical Function Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of Inductive Automation Ignition. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the server configuration. The issue results from the lack of authentication prior to allowing access to password change functionality. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-20540."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.0"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-306",
                  "description": "CWE-306: Missing Authentication for Critical Function",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-05-03T01:59:19.765Z",
            "orgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
            "shortName": "zdi"
          },
          "references": [
            {
              "name": "ZDI-23-1014",
              "tags": [
                "x_research-advisory"
              ],
              "url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1014/"
            },
            {
              "name": "vendor-provided URL",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://inductiveautomation.com/blog/inductive-automation-participates-in-pwn2own-to-strengthen-ignition-security"
            }
          ],
          "source": {
            "lang": "en",
            "value": "20urdjk"
          },
          "title": "Inductive Automation Ignition OPC UA Quick Client Missing Authentication for Critical Function Authentication Bypass Vulnerability"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
        "assignerShortName": "zdi",
        "cveId": "CVE-2023-38123",
        "datePublished": "2024-05-03T01:59:19.765Z",
        "dateReserved": "2023-07-12T15:22:20.623Z",
        "dateUpdated": "2024-08-02T17:30:14.068Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-38122 (GCVE-0-2023-38122)

    Vulnerability from nvd – Published: 2024-05-03 01:59 – Updated: 2024-08-02 17:30
    VLAI
    Title
    Inductive Automation Ignition OPC UA Quick Client Permissive Cross-domain Policy Remote Code Execution Vulnerability
    Summary
    Inductive Automation Ignition OPC UA Quick Client Permissive Cross-domain Policy Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Inductive Automation Ignition. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the configuration of the web server. The issue results from the lack of appropriate Content Security Policy headers. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of SYSTEM. Was ZDI-CAN-20539.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-942 - Permissive Cross-domain Policy with Untrusted Domains
    Assigner
    zdi
    References
    Impacted products
    Vendor Product Version
    Inductive Automation Ignition Affected: 8.1.24
    Create a notification for this product.
    inductiveautomation ignition Affected: 8.1.24
        cpe:2.3:a:inductiveautomation:ignition:8.1.24:*:*:*:*:*:*:*
    Create a notification for this product.
    Date Public
    2023-08-01 14:07
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:inductiveautomation:ignition:8.1.24:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "ignition",
                "vendor": "inductiveautomation",
                "versions": [
                  {
                    "status": "affected",
                    "version": "8.1.24"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-38122",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-06-06T18:46:07.517841Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-07-19T21:01:09.444Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T17:30:13.908Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "ZDI-23-1013",
                "tags": [
                  "x_research-advisory",
                  "x_transferred"
                ],
                "url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1013/"
              },
              {
                "name": "vendor-provided URL",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://inductiveautomation.com/blog/inductive-automation-participates-in-pwn2own-to-strengthen-ignition-security"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unknown",
              "product": "Ignition",
              "vendor": "Inductive Automation",
              "versions": [
                {
                  "status": "affected",
                  "version": "8.1.24"
                }
              ]
            }
          ],
          "dateAssigned": "2023-07-12T15:35:24.997Z",
          "datePublic": "2023-08-01T14:07:46.401Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Inductive Automation Ignition OPC UA Quick Client Permissive Cross-domain Policy Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Inductive Automation Ignition. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed.\n\nThe specific flaw exists within the configuration of the web server. The issue results from the lack of appropriate Content Security Policy headers. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of SYSTEM. Was ZDI-CAN-20539."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.0"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-942",
                  "description": "CWE-942: Permissive Cross-domain Policy with Untrusted Domains",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-05-03T01:59:19.031Z",
            "orgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
            "shortName": "zdi"
          },
          "references": [
            {
              "name": "ZDI-23-1013",
              "tags": [
                "x_research-advisory"
              ],
              "url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1013/"
            },
            {
              "name": "vendor-provided URL",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://inductiveautomation.com/blog/inductive-automation-participates-in-pwn2own-to-strengthen-ignition-security"
            }
          ],
          "source": {
            "lang": "en",
            "value": "20urdjk"
          },
          "title": "Inductive Automation Ignition OPC UA Quick Client Permissive Cross-domain Policy Remote Code Execution Vulnerability"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
        "assignerShortName": "zdi",
        "cveId": "CVE-2023-38122",
        "datePublished": "2024-05-03T01:59:19.031Z",
        "dateReserved": "2023-07-12T15:22:20.623Z",
        "dateUpdated": "2024-08-02T17:30:13.908Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-38121 (GCVE-0-2023-38121)

    Vulnerability from nvd – Published: 2024-05-03 01:59 – Updated: 2024-08-02 17:30
    VLAI
    Title
    Inductive Automation Ignition OPC UA Quick Client Cross-Site Scripting Remote Code Execution Vulnerability
    Summary
    Inductive Automation Ignition OPC UA Quick Client Cross-Site Scripting Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Inductive Automation Ignition. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of the id parameter provided to the Inductive Automation Ignition web interface. The issue results from the lack of proper validation of user-supplied data, which can lead to the injection of an arbitrary script. An attacker can leverage this vulnerability to execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-20355.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    zdi
    References
    Impacted products
    Vendor Product Version
    Inductive Automation Ignition Affected: 8.1.24
    Create a notification for this product.
    inductiveautomation ignition Affected: 8.1.24
        cpe:2.3:a:inductiveautomation:ignition:8.1.24:*:*:*:*:*:*:*
    Create a notification for this product.
    Date Public
    2023-08-01 14:07
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:inductiveautomation:ignition:8.1.24:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "ignition",
                "vendor": "inductiveautomation",
                "versions": [
                  {
                    "status": "affected",
                    "version": "8.1.24"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-38121",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-07-19T14:12:50.388895Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-07-29T20:29:46.334Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T17:30:14.050Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "ZDI-23-1012",
                "tags": [
                  "x_research-advisory",
                  "x_transferred"
                ],
                "url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1012/"
              },
              {
                "name": "vendor-provided URL",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://inductiveautomation.com/blog/inductive-automation-participates-in-pwn2own-to-strengthen-ignition-security"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unknown",
              "product": "Ignition",
              "vendor": "Inductive Automation",
              "versions": [
                {
                  "status": "affected",
                  "version": "8.1.24"
                }
              ]
            }
          ],
          "dateAssigned": "2023-07-12T15:35:24.991Z",
          "datePublic": "2023-08-01T14:07:38.431Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Inductive Automation Ignition OPC UA Quick Client Cross-Site Scripting Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Inductive Automation Ignition. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the handling of the id parameter provided to the Inductive Automation Ignition web interface. The issue results from the lack of proper validation of user-supplied data, which can lead to the injection of an arbitrary script. An attacker can leverage this vulnerability to execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-20355."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "baseScore": 8.3,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
                "version": "3.0"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-05-03T01:59:18.329Z",
            "orgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
            "shortName": "zdi"
          },
          "references": [
            {
              "name": "ZDI-23-1012",
              "tags": [
                "x_research-advisory"
              ],
              "url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1012/"
            },
            {
              "name": "vendor-provided URL",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://inductiveautomation.com/blog/inductive-automation-participates-in-pwn2own-to-strengthen-ignition-security"
            }
          ],
          "source": {
            "lang": "en",
            "value": "20urdjk"
          },
          "title": "Inductive Automation Ignition OPC UA Quick Client Cross-Site Scripting Remote Code Execution Vulnerability"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
        "assignerShortName": "zdi",
        "cveId": "CVE-2023-38121",
        "datePublished": "2024-05-03T01:59:18.329Z",
        "dateReserved": "2023-07-12T15:22:20.623Z",
        "dateUpdated": "2024-08-02T17:30:14.050Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-13913 (GCVE-0-2025-13913)

    Vulnerability from cvelistv5 – Published: 2026-03-12 18:17 – Updated: 2026-03-17 15:29
    VLAI
    Title
    Inductive Automation Ignition Software Deserialization of Untrusted Data
    Summary
    A privileged Ignition user, intentionally or otherwise, imports an external file with a specially crafted payload, which executes embedded malicious code.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    Inductive Automation Ignition Software Affected: 0 , < 8.3.0 (custom)
    Unaffected: 8.3.0
    Create a notification for this product.
    Date Public
    2026-03-12 15:00
    Credits
    Nik Tsytsarkin, Ismail Aydemir, and Ryan Hall of Meta reported this vulnerability to Inductive Automation.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-13913",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-12T19:06:06.866760Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-12T19:06:53.296Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Ignition Software",
              "vendor": "Inductive Automation",
              "versions": [
                {
                  "lessThan": "8.3.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "8.3.0"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Nik Tsytsarkin, Ismail Aydemir, and Ryan Hall of Meta reported this vulnerability to Inductive Automation."
            }
          ],
          "datePublic": "2026-03-12T15:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cspan\u003eA privileged Ignition user, intentionally or otherwise, imports an external file with a specially crafted payload, which executes embedded malicious code.\u003c/span\u003e"
                }
              ],
              "value": "A privileged Ignition user, intentionally or otherwise, imports an external file with a specially crafted payload, which executes embedded malicious code."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "HIGH",
                "attackRequirements": "NONE",
                "attackVector": "ADJACENT",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "HIGH",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "LOW",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "LOW",
                "userInteraction": "ACTIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:A/AC:H/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            },
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-502",
                  "description": "CWE-502",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-17T15:29:47.962Z",
            "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
            "shortName": "icscert"
          },
          "references": [
            {
              "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-071-06"
            },
            {
              "url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-071-06.json"
            },
            {
              "url": "https://inductiveautomation.com/resources/article/ignition-security-hardening-guide"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Upgrade Ignition software from 8.1.x to 8.3.0 or greater."
                }
              ],
              "value": "Upgrade Ignition software from 8.1.x to 8.3.0 or greater."
            }
          ],
          "source": {
            "advisory": "ICSA-26-071-06",
            "discovery": "EXTERNAL"
          },
          "title": "Inductive Automation Ignition Software Deserialization of Untrusted Data",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "MITIGATION (8.1.x Linux). Implement Ignition Security Hardening Guide \nAppendix A. \nhttps://inductiveautomation.com/resources/article/ignition-security-hardening-guide"
                }
              ],
              "value": "MITIGATION (8.1.x Linux). Implement Ignition Security Hardening Guide \nAppendix A. \nhttps://inductiveautomation.com/resources/article/ignition-security-hardening-guide"
            },
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cdiv\u003e\nMITIGATION (8.1.x Windows). Covered in Ignition Security Hardening Guide\n Appendix A.\u0026nbsp;\u003c/div\u003e\u003cdiv\u003e\u003col\u003e\u003cli\u003eCreate a new dedicated local Windows account that will \nbe used exclusively for the Ignition service (e.g. svc-ign).\u0026nbsp;a. The best\n security practice is that the Ignition service should not be a domain \naccount (unless otherwise needed). b. Remove all group memberships from \nthe service account (including Users and Administrators). c. Add to \nsecurity policy to log in as a service. d. Add to \"Deny log on locally\" \nsecurity policy.\u0026nbsp;\u003c/li\u003e\u003cli\u003eProvide full read/write access only to the Ignition \ninstallation directory for the service account created in #1. a. Add \nread/write permissions to other directories in the local filesystem as \nneeded (e.g.: if configured to use optional Enterprise Administration \nModule to write automated backups to the file system).\u0026nbsp;\u003c/li\u003e\u003cli\u003eSet deny \naccess settings for service account on other directories not needed by \nthe Ignition service. a. Specifically the C:\\Windows, C:\\Users, and \ndirectories for any other applications in the Program Files or Program \nFiles(x86) directories. b. Use java param to change temp directory to a \nlocation within the Ignition install directory so the Users folder can \nbe denied access to the Ignition service account.\u003c/li\u003e\u003cli\u003eRestrict project imports to verified \nand trusted sources only, ideally using checksums or digital \nsignatures.\u003c/li\u003e\u003cli\u003eUse multiple environments (e.g. Dev, Test, Prod) with a \nstaging workflow so that new data is never introduced directly to\u0026nbsp; \nproduction environments. See Ignition Deployment Best Practices.\u003c/li\u003e\u003cli\u003eWhen \nfeasible, segment or isolate Ignition gateways from corporate resources \nand Windows Domains.a. The Ignition service account or AD server object \nshould never need Windows Domain or Windows Active Directory privileges.\n This would only be needed if an Asset Owners IT or OT department uses \nthis for management outside Ignition.b. Ignition may be federated with \nActive Directory environments (e.g. OT domains) by entering \n\"Authentication Profile\" credentials within the Ignition gateway itself.\n This could use secure LDAP, SAML, or OpenID Connect.\u003c/li\u003e\u003cli\u003eWhen feasible, \nenforce strong credential management and MFA for all users with Designer\n permissions (8.1.x and 8.3.x), Config Page permissions (8.1.x), and \nConfig Write permissions (8.3.x).\u003c/li\u003e\u003cli\u003eWhen feasible, deploy Ignition \nwithin hardened or containerized environments.\n\n\n\n\u003cbr\u003e\u003c/li\u003e\u003c/ol\u003e\u003c/div\u003e"
                }
              ],
              "value": "MITIGATION (8.1.x Windows). Covered in Ignition Security Hardening Guide\n Appendix A.\u00a0\n\n  *  Create a new dedicated local Windows account that will \nbe used exclusively for the Ignition service (e.g. svc-ign).\u00a0a. The best\n security practice is that the Ignition service should not be a domain \naccount (unless otherwise needed). b. Remove all group memberships from \nthe service account (including Users and Administrators). c. Add to \nsecurity policy to log in as a service. d. Add to \"Deny log on locally\" \nsecurity policy.\u00a0\n  *  Provide full read/write access only to the Ignition \ninstallation directory for the service account created in #1. a. Add \nread/write permissions to other directories in the local filesystem as \nneeded (e.g.: if configured to use optional Enterprise Administration \nModule to write automated backups to the file system).\u00a0\n  *  Set deny \naccess settings for service account on other directories not needed by \nthe Ignition service. a. Specifically the C:\\Windows, C:\\Users, and \ndirectories for any other applications in the Program Files or Program \nFiles(x86) directories. b. Use java param to change temp directory to a \nlocation within the Ignition install directory so the Users folder can \nbe denied access to the Ignition service account.\n  *  Restrict project imports to verified \nand trusted sources only, ideally using checksums or digital \nsignatures.\n  *  Use multiple environments (e.g. Dev, Test, Prod) with a \nstaging workflow so that new data is never introduced directly to\u00a0 \nproduction environments. See Ignition Deployment Best Practices.\n  *  When \nfeasible, segment or isolate Ignition gateways from corporate resources \nand Windows Domains.a. The Ignition service account or AD server object \nshould never need Windows Domain or Windows Active Directory privileges.\n This would only be needed if an Asset Owners IT or OT department uses \nthis for management outside Ignition.b. Ignition may be federated with \nActive Directory environments (e.g. OT domains) by entering \n\"Authentication Profile\" credentials within the Ignition gateway itself.\n This could use secure LDAP, SAML, or OpenID Connect.\n  *  When feasible, \nenforce strong credential management and MFA for all users with Designer\n permissions (8.1.x and 8.3.x), Config Page permissions (8.1.x), and \nConfig Write permissions (8.3.x).\n  *  When feasible, deploy Ignition \nwithin hardened or containerized environments."
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 1.0.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "assignerShortName": "icscert",
        "cveId": "CVE-2025-13913",
        "datePublished": "2026-03-12T18:17:22.839Z",
        "dateReserved": "2025-12-02T17:43:55.964Z",
        "dateUpdated": "2026-03-17T15:29:47.962Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2023-50233 (GCVE-0-2023-50233)

    Vulnerability from cvelistv5 – Published: 2024-05-03 02:14 – Updated: 2024-08-02 22:09
    VLAI
    Title
    Inductive Automation Ignition getJavaExecutable Directory Traversal Remote Code Execution Vulnerability
    Summary
    Inductive Automation Ignition getJavaExecutable Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Inductive Automation Ignition. User interaction is required to exploit this vulnerability in that the target must connect to a malicious server. The specific flaw exists within the getJavaExecutable method. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-22029.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    Assigner
    zdi
    References
    Impacted products
    Vendor Product Version
    Inductive Automation Ignition Affected: 8.1.31
    Create a notification for this product.
    inductiveautomation ignition Affected: 8.1.31
        cpe:2.3:a:inductiveautomation:ignition:8.1.31:*:*:*:*:*:*:*
    Create a notification for this product.
    Date Public
    2024-02-21 19:14
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:inductiveautomation:ignition:8.1.31:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "ignition",
                "vendor": "inductiveautomation",
                "versions": [
                  {
                    "status": "affected",
                    "version": "8.1.31"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-50233",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-07-19T14:09:00.610715Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-07-19T21:03:14.575Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T22:09:49.895Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "ZDI-24-185",
                "tags": [
                  "x_research-advisory",
                  "x_transferred"
                ],
                "url": "https://www.zerodayinitiative.com/advisories/ZDI-24-185/"
              },
              {
                "name": "vendor-provided URL",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://security.inductiveautomation.com/?tcuUid=fc4c4515-046d-4365-b688-693337449c5b"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unknown",
              "product": "Ignition",
              "vendor": "Inductive Automation",
              "versions": [
                {
                  "status": "affected",
                  "version": "8.1.31"
                }
              ]
            }
          ],
          "dateAssigned": "2023-12-05T19:37:59.749Z",
          "datePublic": "2024-02-21T19:14:57.983Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Inductive Automation Ignition getJavaExecutable Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Inductive Automation Ignition. User interaction is required to exploit this vulnerability in that the target must connect to a malicious server.\n\nThe specific flaw exists within the getJavaExecutable method. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-22029."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.0"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-05-03T02:14:49.645Z",
            "orgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
            "shortName": "zdi"
          },
          "references": [
            {
              "name": "ZDI-24-185",
              "tags": [
                "x_research-advisory"
              ],
              "url": "https://www.zerodayinitiative.com/advisories/ZDI-24-185/"
            },
            {
              "name": "vendor-provided URL",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://security.inductiveautomation.com/?tcuUid=fc4c4515-046d-4365-b688-693337449c5b"
            }
          ],
          "source": {
            "lang": "en",
            "value": "Piotr Bazydlo (@chudypb) of Trend Micro Zero Day Initiative"
          },
          "title": "Inductive Automation Ignition getJavaExecutable Directory Traversal Remote Code Execution Vulnerability"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
        "assignerShortName": "zdi",
        "cveId": "CVE-2023-50233",
        "datePublished": "2024-05-03T02:14:49.645Z",
        "dateReserved": "2023-12-05T16:15:17.545Z",
        "dateUpdated": "2024-08-02T22:09:49.895Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-50232 (GCVE-0-2023-50232)

    Vulnerability from cvelistv5 – Published: 2024-05-03 02:14 – Updated: 2024-08-02 22:09
    VLAI
    Title
    Inductive Automation Ignition getParams Argument Injection Remote Code Execution Vulnerability
    Summary
    Inductive Automation Ignition getParams Argument Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Inductive Automation Ignition. User interaction is required to exploit this vulnerability in that the target must connect to a malicious server. The specific flaw exists within the getParams method. The issue results from the lack of proper validation of a user-supplied string before using it to prepare an argument for a system call. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-22028.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-88 - Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
    Assigner
    zdi
    References
    Impacted products
    Vendor Product Version
    Inductive Automation Ignition Affected: 8.1.31
    Create a notification for this product.
    inductiveautomation ignition Affected: 8.1.31 , < 8.1.35 (custom)
        cpe:2.3:a:inductiveautomation:ignition:8.1.31:*:*:*:*:*:*:*
    Create a notification for this product.
    Date Public
    2024-02-21 19:14
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:inductiveautomation:ignition:8.1.31:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "ignition",
                "vendor": "inductiveautomation",
                "versions": [
                  {
                    "lessThan": "8.1.35",
                    "status": "affected",
                    "version": "8.1.31",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-50232",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-06-14T19:21:19.849756Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-14T19:25:30.871Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T22:09:49.865Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "ZDI-24-184",
                "tags": [
                  "x_research-advisory",
                  "x_transferred"
                ],
                "url": "https://www.zerodayinitiative.com/advisories/ZDI-24-184/"
              },
              {
                "name": "vendor-provided URL",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://security.inductiveautomation.com/?tcuUid=fc4c4515-046d-4365-b688-693337449c5b"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unknown",
              "product": "Ignition",
              "vendor": "Inductive Automation",
              "versions": [
                {
                  "status": "affected",
                  "version": "8.1.31"
                }
              ]
            }
          ],
          "dateAssigned": "2023-12-05T19:37:59.744Z",
          "datePublic": "2024-02-21T19:14:52.766Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Inductive Automation Ignition getParams Argument Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Inductive Automation Ignition. User interaction is required to exploit this vulnerability in that the target must connect to a malicious server.\n\nThe specific flaw exists within the getParams method. The issue results from the lack of proper validation of a user-supplied string before using it to prepare an argument for a system call. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-22028."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.0"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-88",
                  "description": "CWE-88: Improper Neutralization of Argument Delimiters in a Command (\u0027Argument Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-05-03T02:14:48.881Z",
            "orgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
            "shortName": "zdi"
          },
          "references": [
            {
              "name": "ZDI-24-184",
              "tags": [
                "x_research-advisory"
              ],
              "url": "https://www.zerodayinitiative.com/advisories/ZDI-24-184/"
            },
            {
              "name": "vendor-provided URL",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://security.inductiveautomation.com/?tcuUid=fc4c4515-046d-4365-b688-693337449c5b"
            }
          ],
          "source": {
            "lang": "en",
            "value": "Piotr Bazydlo (@chudypb) of Trend Micro Zero Day Initiative"
          },
          "title": "Inductive Automation Ignition getParams Argument Injection Remote Code Execution Vulnerability"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
        "assignerShortName": "zdi",
        "cveId": "CVE-2023-50232",
        "datePublished": "2024-05-03T02:14:48.881Z",
        "dateReserved": "2023-12-05T16:15:17.545Z",
        "dateUpdated": "2024-08-02T22:09:49.865Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-50223 (GCVE-0-2023-50223)

    Vulnerability from cvelistv5 – Published: 2024-05-03 02:14 – Updated: 2024-08-02 22:09
    VLAI
    Title
    Inductive Automation Ignition ExtendedDocumentCodec Deserialization of Untrusted Data Remote Code Execution Vulnerability
    Summary
    Inductive Automation Ignition ExtendedDocumentCodec Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Inductive Automation Ignition. Authentication is required to exploit this vulnerability. The specific flaw exists within the ExtendedDocumentCodec class. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-22127.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-502 - Deserialization of Untrusted Data
    Assigner
    zdi
    References
    Impacted products
    Vendor Product Version
    Inductive Automation Ignition Affected: 6.4.1.207
    Create a notification for this product.
    inductiveautomation ignition Affected: 6.4.1.207
        cpe:2.3:a:inductiveautomation:ignition:-:*:*:*:*:*:*:*
    Create a notification for this product.
    Date Public
    2024-01-05 15:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:inductiveautomation:ignition:-:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "ignition",
                "vendor": "inductiveautomation",
                "versions": [
                  {
                    "status": "affected",
                    "version": "6.4.1.207"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-50223",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-06-17T16:48:13.947162Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-17T17:05:08.998Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T22:09:49.796Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "ZDI-24-018",
                "tags": [
                  "x_research-advisory",
                  "x_transferred"
                ],
                "url": "https://www.zerodayinitiative.com/advisories/ZDI-24-018/"
              },
              {
                "name": "vendor-provided URL",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://security.inductiveautomation.com/?tcuUid=fc4c4515-046d-4365-b688-693337449c5b"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unknown",
              "product": "Ignition",
              "vendor": "Inductive Automation",
              "versions": [
                {
                  "status": "affected",
                  "version": "6.4.1.207"
                }
              ]
            }
          ],
          "dateAssigned": "2023-12-05T19:37:59.691Z",
          "datePublic": "2024-01-05T15:00:27.138Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Inductive Automation Ignition ExtendedDocumentCodec Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Inductive Automation Ignition. Authentication is required to exploit this vulnerability.\n\nThe specific flaw exists within the ExtendedDocumentCodec class. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-22127."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.0"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-502",
                  "description": "CWE-502: Deserialization of Untrusted Data",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-05-03T02:14:42.233Z",
            "orgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
            "shortName": "zdi"
          },
          "references": [
            {
              "name": "ZDI-24-018",
              "tags": [
                "x_research-advisory"
              ],
              "url": "https://www.zerodayinitiative.com/advisories/ZDI-24-018/"
            },
            {
              "name": "vendor-provided URL",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://security.inductiveautomation.com/?tcuUid=fc4c4515-046d-4365-b688-693337449c5b"
            }
          ],
          "source": {
            "lang": "en",
            "value": "Andy Niu of Trend Micro Security Research"
          },
          "title": "Inductive Automation Ignition ExtendedDocumentCodec Deserialization of Untrusted Data Remote Code Execution Vulnerability"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
        "assignerShortName": "zdi",
        "cveId": "CVE-2023-50223",
        "datePublished": "2024-05-03T02:14:42.233Z",
        "dateReserved": "2023-12-05T16:15:17.542Z",
        "dateUpdated": "2024-08-02T22:09:49.796Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-50222 (GCVE-0-2023-50222)

    Vulnerability from cvelistv5 – Published: 2024-05-03 02:14 – Updated: 2024-08-02 22:09
    VLAI
    Title
    Inductive Automation Ignition ResponseParser Notification Deserialization of Untrusted Data Remote Code Execution Vulnerability
    Summary
    Inductive Automation Ignition ResponseParser Notification Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Inductive Automation Ignition. User interaction is required to exploit this vulnerability in that the target must connect to a malicious server. The specific flaw exists within the ResponseParser method. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-22067.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-502 - Deserialization of Untrusted Data
    Assigner
    zdi
    References
    Impacted products
    Vendor Product Version
    Inductive Automation Ignition Affected: 8.1.31
    Create a notification for this product.
    inductiveautomation ignition Affected: 8.1.31
        cpe:2.3:a:inductiveautomation:ignition:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Date Public
    2024-01-05 15:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:inductiveautomation:ignition:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "ignition",
                "vendor": "inductiveautomation",
                "versions": [
                  {
                    "status": "affected",
                    "version": "8.1.31"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-50222",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-05-03T21:03:47.740884Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-04T17:17:59.944Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T22:09:49.870Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "ZDI-24-017",
                "tags": [
                  "x_research-advisory",
                  "x_transferred"
                ],
                "url": "https://www.zerodayinitiative.com/advisories/ZDI-24-017/"
              },
              {
                "name": "vendor-provided URL",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://security.inductiveautomation.com/?tcuUid=fc4c4515-046d-4365-b688-693337449c5b"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unknown",
              "product": "Ignition",
              "vendor": "Inductive Automation",
              "versions": [
                {
                  "status": "affected",
                  "version": "8.1.31"
                }
              ]
            }
          ],
          "dateAssigned": "2023-12-05T19:37:59.686Z",
          "datePublic": "2024-01-05T15:00:22.033Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Inductive Automation Ignition ResponseParser Notification Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Inductive Automation Ignition. User interaction is required to exploit this vulnerability in that the target must connect to a malicious server.\n\nThe specific flaw exists within the ResponseParser method. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-22067."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.0"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-502",
                  "description": "CWE-502: Deserialization of Untrusted Data",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-05-03T02:14:41.474Z",
            "orgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
            "shortName": "zdi"
          },
          "references": [
            {
              "name": "ZDI-24-017",
              "tags": [
                "x_research-advisory"
              ],
              "url": "https://www.zerodayinitiative.com/advisories/ZDI-24-017/"
            },
            {
              "name": "vendor-provided URL",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://security.inductiveautomation.com/?tcuUid=fc4c4515-046d-4365-b688-693337449c5b"
            }
          ],
          "source": {
            "lang": "en",
            "value": "Piotr Bazydlo (@chudypb) of Trend Micro Zero Day Initiative"
          },
          "title": "Inductive Automation Ignition ResponseParser Notification Deserialization of Untrusted Data Remote Code Execution Vulnerability"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
        "assignerShortName": "zdi",
        "cveId": "CVE-2023-50222",
        "datePublished": "2024-05-03T02:14:41.474Z",
        "dateReserved": "2023-12-05T16:15:17.542Z",
        "dateUpdated": "2024-08-02T22:09:49.870Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-50221 (GCVE-0-2023-50221)

    Vulnerability from cvelistv5 – Published: 2024-05-03 02:14 – Updated: 2024-08-02 22:09
    VLAI
    Title
    Inductive Automation Ignition ResponseParser SerializedResponse Deserialization of Untrusted Data Remote Code Execution Vulnerability
    Summary
    Inductive Automation Ignition ResponseParser SerializedResponse Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Inductive Automation Ignition. User interaction is required to exploit this vulnerability in that the target must connect to a malicious server. The specific flaw exists within the ResponseParser method. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-21926.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-502 - Deserialization of Untrusted Data
    Assigner
    zdi
    References
    Impacted products
    Vendor Product Version
    Inductive Automation Ignition Affected: 8.1.31
    Create a notification for this product.
    inductiveautomation ignition Affected: 8.1.31
        cpe:2.3:a:inductiveautomation:ignition:-:*:*:*:*:*:*:*
    Create a notification for this product.
    Date Public
    2024-01-05 15:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:inductiveautomation:ignition:-:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "ignition",
                "vendor": "inductiveautomation",
                "versions": [
                  {
                    "status": "affected",
                    "version": "8.1.31"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-50221",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-06-17T19:58:04.180966Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-17T20:01:39.250Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T22:09:49.681Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "ZDI-24-016",
                "tags": [
                  "x_research-advisory",
                  "x_transferred"
                ],
                "url": "https://www.zerodayinitiative.com/advisories/ZDI-24-016/"
              },
              {
                "name": "vendor-provided URL",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://security.inductiveautomation.com/?tcuUid=fc4c4515-046d-4365-b688-693337449c5b"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unknown",
              "product": "Ignition",
              "vendor": "Inductive Automation",
              "versions": [
                {
                  "status": "affected",
                  "version": "8.1.31"
                }
              ]
            }
          ],
          "dateAssigned": "2023-12-05T19:37:59.678Z",
          "datePublic": "2024-01-05T15:00:17.168Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Inductive Automation Ignition ResponseParser SerializedResponse Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Inductive Automation Ignition. User interaction is required to exploit this vulnerability in that the target must connect to a malicious server.\n\nThe specific flaw exists within the ResponseParser method. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-21926."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.0"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-502",
                  "description": "CWE-502: Deserialization of Untrusted Data",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-05-03T02:14:40.701Z",
            "orgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
            "shortName": "zdi"
          },
          "references": [
            {
              "name": "ZDI-24-016",
              "tags": [
                "x_research-advisory"
              ],
              "url": "https://www.zerodayinitiative.com/advisories/ZDI-24-016/"
            },
            {
              "name": "vendor-provided URL",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://security.inductiveautomation.com/?tcuUid=fc4c4515-046d-4365-b688-693337449c5b"
            }
          ],
          "source": {
            "lang": "en",
            "value": "Nguyen Quoc Viet (Petrus Viet) of VNG Security Researcher"
          },
          "title": "Inductive Automation Ignition ResponseParser SerializedResponse Deserialization of Untrusted Data Remote Code Execution Vulnerability"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
        "assignerShortName": "zdi",
        "cveId": "CVE-2023-50221",
        "datePublished": "2024-05-03T02:14:40.701Z",
        "dateReserved": "2023-12-05T16:15:17.542Z",
        "dateUpdated": "2024-08-02T22:09:49.681Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-50220 (GCVE-0-2023-50220)

    Vulnerability from cvelistv5 – Published: 2024-05-03 02:14 – Updated: 2024-08-02 22:09
    VLAI
    Title
    Inductive Automation Ignition Base64Element Deserialization of Untrusted Data Remote Code Execution Vulnerability
    Summary
    Inductive Automation Ignition Base64Element Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Inductive Automation Ignition. Authentication is required to exploit this vulnerability. The specific flaw exists within the Base64Element class. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-21801.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-502 - Deserialization of Untrusted Data
    Assigner
    zdi
    References
    Impacted products
    Vendor Product Version
    Inductive Automation Ignition Affected: 8.1.30
    Create a notification for this product.
    inductiveautomation ignition Affected: 8.1.30
        cpe:2.3:a:inductiveautomation:ignition:8.1.3:*:*:*:*:*:*:*
    Create a notification for this product.
    Date Public
    2024-01-05 15:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:inductiveautomation:ignition:8.1.3:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "ignition",
                "vendor": "inductiveautomation",
                "versions": [
                  {
                    "status": "affected",
                    "version": "8.1.30"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-50220",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-05-21T18:14:54.610553Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-04T17:17:50.778Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T22:09:49.876Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "ZDI-24-015",
                "tags": [
                  "x_research-advisory",
                  "x_transferred"
                ],
                "url": "https://www.zerodayinitiative.com/advisories/ZDI-24-015/"
              },
              {
                "name": "vendor-provided URL",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://security.inductiveautomation.com/?tcuUid=fc4c4515-046d-4365-b688-693337449c5b"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unknown",
              "product": "Ignition",
              "vendor": "Inductive Automation",
              "versions": [
                {
                  "status": "affected",
                  "version": "8.1.30"
                }
              ]
            }
          ],
          "dateAssigned": "2023-12-05T19:37:59.672Z",
          "datePublic": "2024-01-05T15:00:11.022Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Inductive Automation Ignition Base64Element Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Inductive Automation Ignition. Authentication is required to exploit this vulnerability.\n\nThe specific flaw exists within the Base64Element class. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-21801."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.0"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-502",
                  "description": "CWE-502: Deserialization of Untrusted Data",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-05-03T02:14:39.917Z",
            "orgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
            "shortName": "zdi"
          },
          "references": [
            {
              "name": "ZDI-24-015",
              "tags": [
                "x_research-advisory"
              ],
              "url": "https://www.zerodayinitiative.com/advisories/ZDI-24-015/"
            },
            {
              "name": "vendor-provided URL",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://security.inductiveautomation.com/?tcuUid=fc4c4515-046d-4365-b688-693337449c5b"
            }
          ],
          "source": {
            "lang": "en",
            "value": "Nguyen Quoc Viet (Petrus Viet) of VNG Security Researcher"
          },
          "title": "Inductive Automation Ignition Base64Element Deserialization of Untrusted Data Remote Code Execution Vulnerability"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
        "assignerShortName": "zdi",
        "cveId": "CVE-2023-50220",
        "datePublished": "2024-05-03T02:14:39.917Z",
        "dateReserved": "2023-12-05T16:15:17.542Z",
        "dateUpdated": "2024-08-02T22:09:49.876Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-50219 (GCVE-0-2023-50219)

    Vulnerability from cvelistv5 – Published: 2024-05-03 02:14 – Updated: 2024-08-02 22:09
    VLAI
    Title
    Inductive Automation Ignition RunQuery Deserialization of Untrusted Data Remote Code Execution Vulnerability
    Summary
    Inductive Automation Ignition RunQuery Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Inductive Automation Ignition. Authentication is required to exploit this vulnerability. The specific flaw exists within the RunQuery class. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-21625.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-502 - Deserialization of Untrusted Data
    Assigner
    zdi
    References
    Impacted products
    Vendor Product Version
    Inductive Automation Ignition Affected: 8.1.30
    Create a notification for this product.
    inductiveautomation ignition Affected: 8.1.30
        cpe:2.3:a:inductiveautomation:ignition:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Date Public
    2024-01-05 15:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:inductiveautomation:ignition:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "ignition",
                "vendor": "inductiveautomation",
                "versions": [
                  {
                    "status": "affected",
                    "version": "8.1.30"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-50219",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-05-03T20:15:14.831755Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-04T17:17:51.888Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T22:09:49.777Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "ZDI-24-014",
                "tags": [
                  "x_research-advisory",
                  "x_transferred"
                ],
                "url": "https://www.zerodayinitiative.com/advisories/ZDI-24-014/"
              },
              {
                "name": "vendor-provided URL",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://security.inductiveautomation.com/?tcuUid=fc4c4515-046d-4365-b688-693337449c5b"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unknown",
              "product": "Ignition",
              "vendor": "Inductive Automation",
              "versions": [
                {
                  "status": "affected",
                  "version": "8.1.30"
                }
              ]
            }
          ],
          "dateAssigned": "2023-12-05T19:37:59.667Z",
          "datePublic": "2024-01-05T15:00:05.498Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Inductive Automation Ignition RunQuery Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Inductive Automation Ignition. Authentication is required to exploit this vulnerability.\n\nThe specific flaw exists within the RunQuery class. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-21625."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.0"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-502",
                  "description": "CWE-502: Deserialization of Untrusted Data",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-05-03T02:14:39.147Z",
            "orgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
            "shortName": "zdi"
          },
          "references": [
            {
              "name": "ZDI-24-014",
              "tags": [
                "x_research-advisory"
              ],
              "url": "https://www.zerodayinitiative.com/advisories/ZDI-24-014/"
            },
            {
              "name": "vendor-provided URL",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://security.inductiveautomation.com/?tcuUid=fc4c4515-046d-4365-b688-693337449c5b"
            }
          ],
          "source": {
            "lang": "en",
            "value": "Nguyen Quoc Viet (Petrus Viet) of VNG Security Researcher"
          },
          "title": "Inductive Automation Ignition RunQuery Deserialization of Untrusted Data Remote Code Execution Vulnerability"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
        "assignerShortName": "zdi",
        "cveId": "CVE-2023-50219",
        "datePublished": "2024-05-03T02:14:39.147Z",
        "dateReserved": "2023-12-05T16:15:17.542Z",
        "dateUpdated": "2024-08-02T22:09:49.777Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-50218 (GCVE-0-2023-50218)

    Vulnerability from cvelistv5 – Published: 2024-05-03 02:14 – Updated: 2024-08-02 22:09
    VLAI
    Title
    Inductive Automation Ignition ModuleInvoke Deserialization of Untrusted Data Remote Code Execution Vulnerability
    Summary
    Inductive Automation Ignition ModuleInvoke Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Inductive Automation Ignition. Authentication is required to exploit this vulnerability. The specific flaw exists within the ModuleInvoke class. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-21624.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-502 - Deserialization of Untrusted Data
    Assigner
    zdi
    References
    Impacted products
    Vendor Product Version
    Inductive Automation Ignition Affected: 8.1.30
    Create a notification for this product.
    inductiveautomation ignition Affected: 8.1.3
        cpe:2.3:a:inductiveautomation:ignition:8.1.3:*:*:*:*:*:*:*
    Create a notification for this product.
    Date Public
    2024-01-05 14:56
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:inductiveautomation:ignition:8.1.3:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "ignition",
                "vendor": "inductiveautomation",
                "versions": [
                  {
                    "status": "affected",
                    "version": "8.1.3"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-50218",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-05-06T20:56:49.694175Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-04T17:17:58.468Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T22:09:49.786Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "ZDI-23-1813",
                "tags": [
                  "x_research-advisory",
                  "x_transferred"
                ],
                "url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1813/"
              },
              {
                "name": "vendor-provided URL",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://security.inductiveautomation.com/?tcuUid=fc4c4515-046d-4365-b688-693337449c5b"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unknown",
              "product": "Ignition",
              "vendor": "Inductive Automation",
              "versions": [
                {
                  "status": "affected",
                  "version": "8.1.30"
                }
              ]
            }
          ],
          "dateAssigned": "2023-12-05T19:37:59.662Z",
          "datePublic": "2024-01-05T14:56:04.085Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Inductive Automation Ignition ModuleInvoke Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Inductive Automation Ignition. Authentication is required to exploit this vulnerability.\n\nThe specific flaw exists within the ModuleInvoke class. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-21624."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.0"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-502",
                  "description": "CWE-502: Deserialization of Untrusted Data",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-05-03T02:14:38.394Z",
            "orgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
            "shortName": "zdi"
          },
          "references": [
            {
              "name": "ZDI-23-1813",
              "tags": [
                "x_research-advisory"
              ],
              "url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1813/"
            },
            {
              "name": "vendor-provided URL",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://security.inductiveautomation.com/?tcuUid=fc4c4515-046d-4365-b688-693337449c5b"
            }
          ],
          "source": {
            "lang": "en",
            "value": "Nguyen Quoc Viet (Petrus Viet) of VNG Security Researcher"
          },
          "title": "Inductive Automation Ignition ModuleInvoke Deserialization of Untrusted Data Remote Code Execution Vulnerability"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
        "assignerShortName": "zdi",
        "cveId": "CVE-2023-50218",
        "datePublished": "2024-05-03T02:14:38.394Z",
        "dateReserved": "2023-12-05T16:15:17.542Z",
        "dateUpdated": "2024-08-02T22:09:49.786Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-39477 (GCVE-0-2023-39477)

    Vulnerability from cvelistv5 – Published: 2024-05-03 02:10 – Updated: 2024-08-02 18:10
    VLAI
    Title
    Inductive Automation Ignition ConditionRefresh Resource Exhaustion Denial-of-Service Vulnerability
    Summary
    Inductive Automation Ignition ConditionRefresh Resource Exhaustion Denial-of-Service Vulnerability. This vulnerability allows remote attackers to create a denial-of-service condition on affected installations of Inductive Automation Ignition. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of OPC UA ConditionRefresh requests. By sending a large number of requests, an attacker can consume all available resources on the server. An attacker can leverage this vulnerability to create a denial-of-service condition on the system. Was ZDI-CAN-20499.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-400 - Uncontrolled Resource Consumption ('Resource Exhaustion')
    Assigner
    zdi
    References
    Impacted products
    Vendor Product Version
    Inductive Automation Ignition Affected: 8.1.24
    Create a notification for this product.
    inductiveautomation ignition Affected: 8.1.24
        cpe:2.3:a:inductiveautomation:ignition:8.1.24:*:*:*:*:*:*:*
    Create a notification for this product.
    Date Public
    2023-08-08 14:49
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:inductiveautomation:ignition:8.1.24:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "ignition",
                "vendor": "inductiveautomation",
                "versions": [
                  {
                    "status": "affected",
                    "version": "8.1.24"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-39477",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-06-05T15:47:53.751712Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-05T17:35:42.447Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T18:10:20.832Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "ZDI-23-1050",
                "tags": [
                  "x_research-advisory",
                  "x_transferred"
                ],
                "url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1050/"
              },
              {
                "name": "vendor-provided URL",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://inductiveautomation.com/downloads/releasenotes/8.1.33"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unknown",
              "product": "Ignition",
              "vendor": "Inductive Automation",
              "versions": [
                {
                  "status": "affected",
                  "version": "8.1.24"
                }
              ]
            }
          ],
          "dateAssigned": "2023-08-02T21:44:31.510Z",
          "datePublic": "2023-08-08T14:49:31.561Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Inductive Automation Ignition ConditionRefresh Resource Exhaustion Denial-of-Service Vulnerability. This vulnerability allows remote attackers to create a denial-of-service condition on affected installations of Inductive Automation Ignition. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the handling of OPC UA ConditionRefresh requests. By sending a large number of requests, an attacker can consume all available resources on the server. An attacker can leverage this vulnerability to create a denial-of-service condition on the system. Was ZDI-CAN-20499."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.0"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-400",
                  "description": "CWE-400: Uncontrolled Resource Consumption (\u0027Resource Exhaustion\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-05-03T02:10:42.854Z",
            "orgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
            "shortName": "zdi"
          },
          "references": [
            {
              "name": "ZDI-23-1050",
              "tags": [
                "x_research-advisory"
              ],
              "url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1050/"
            },
            {
              "name": "vendor-provided URL",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://inductiveautomation.com/downloads/releasenotes/8.1.33"
            }
          ],
          "source": {
            "lang": "en",
            "value": "Claroty Research - Team82 - Uri Katz, Noam Moshe, Vera Vens, Sharon Brizinov"
          },
          "title": "Inductive Automation Ignition ConditionRefresh Resource Exhaustion Denial-of-Service Vulnerability"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
        "assignerShortName": "zdi",
        "cveId": "CVE-2023-39477",
        "datePublished": "2024-05-03T02:10:42.854Z",
        "dateReserved": "2023-08-02T21:37:23.124Z",
        "dateUpdated": "2024-08-02T18:10:20.832Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-39476 (GCVE-0-2023-39476)

    Vulnerability from cvelistv5 – Published: 2024-05-03 02:10 – Updated: 2024-08-02 18:10
    VLAI
    Title
    Inductive Automation Ignition JavaSerializationCodec Deserialization of Untrusted Data Remote Code Execution Vulnerability
    Summary
    Inductive Automation Ignition JavaSerializationCodec Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Inductive Automation Ignition. Authentication is not required to exploit this vulnerability. The specific flaw exists within the JavaSerializationCodec class. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-20291.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-502 - Deserialization of Untrusted Data
    Assigner
    zdi
    References
    Impacted products
    Vendor Product Version
    Inductive Automation Ignition Affected: 8.1.25
    Create a notification for this product.
    inductiveautomation ignition Affected: 8.1.22 , < 8.1.35 (custom)
        cpe:2.3:a:inductiveautomation:ignition:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Date Public
    2023-08-08 14:49
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:inductiveautomation:ignition:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "ignition",
                "vendor": "inductiveautomation",
                "versions": [
                  {
                    "lessThan": "8.1.35",
                    "status": "affected",
                    "version": "8.1.22",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-39476",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-07-05T17:03:23.809391Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-07-05T20:59:53.039Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T18:10:20.678Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "ZDI-23-1046",
                "tags": [
                  "x_research-advisory",
                  "x_transferred"
                ],
                "url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1046/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unknown",
              "product": "Ignition",
              "vendor": "Inductive Automation",
              "versions": [
                {
                  "status": "affected",
                  "version": "8.1.25"
                }
              ]
            }
          ],
          "dateAssigned": "2023-08-02T21:44:31.504Z",
          "datePublic": "2023-08-08T14:49:12.720Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Inductive Automation Ignition JavaSerializationCodec Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Inductive Automation Ignition. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the JavaSerializationCodec class. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-20291."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.0"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-502",
                  "description": "CWE-502: Deserialization of Untrusted Data",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-05-03T02:10:42.122Z",
            "orgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
            "shortName": "zdi"
          },
          "references": [
            {
              "name": "ZDI-23-1046",
              "tags": [
                "x_research-advisory"
              ],
              "url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1046/"
            }
          ],
          "source": {
            "lang": "en",
            "value": "Rocco Calvi (@TecR0c) and Steven Seeley (mr_me) of Incite Team"
          },
          "title": "Inductive Automation Ignition JavaSerializationCodec Deserialization of Untrusted Data Remote Code Execution Vulnerability"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
        "assignerShortName": "zdi",
        "cveId": "CVE-2023-39476",
        "datePublished": "2024-05-03T02:10:42.122Z",
        "dateReserved": "2023-08-02T21:37:23.124Z",
        "dateUpdated": "2024-08-02T18:10:20.678Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }