Published Date: 10/8/24
Last updated: 10/8/24
Revision Number: 1.0
CVSS Score: v3.1: 6.8, v4.0: 8.4
AFFECTED PRODUCTS AND SOLUTION
Affected Product | Affected Versions | Corrected in software version
Verve® Asset Manager | All versions < 1.38 | V1.38
VULNERABILITY DETAILS
Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerability.
CVE-2024-9412 IMPACT
An improper authorization vulnerability exists in the affected products that could allow an unauthorized user to sign in. The condition is triggered when all role mappings are removed. While removal of all role mappings is unlikely, it could occur through unexpected or accidental removal by the administrator. If exploited, an unauthorized user could access data they previously had access to but should no longer be able to reach.
CVSS Base Score v3.1: 6.8/10
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
CVSS Base Score v4.0: 8.4/10
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CWE: CWE-842: Placement of User into Incorrect Group
Known Exploited Vulnerability (KEV) database: No
Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.
Mitigations and Workarounds
Customers using the affected software are encouraged to apply the risk mitigations, if possible. Additionally, we encourage customers to implement our suggested security best practices to minimize the risk posed by this vulnerability.
Keeping at least one role mapping in place prevents this vulnerability from being exploited. If all mappings must be removed, manually removing previously mapped users from the application is an effective workaround.
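The failure mode described above, and why the workaround works, can be illustrated with a small constructed model. This is an added example and not Verve Asset Manager code: the `User` record, the `role_mappings` table, the `user_store` (standing in for the application's own list of previously mapped users) and the cached-role behaviour are all assumptions made for illustration. The first sign-in routine falls open when the mapping table is empty, the second fails closed.

```python
# Constructed illustration (not Verve Asset Manager code) of a sign-in check
# that falls open when the role-mapping table is empty, beside one that fails
# closed. All names and data structures here are assumptions for the example.
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Set


@dataclass
class User:
    username: str
    groups: FrozenSet[str]          # groups asserted by the identity provider
    cached_role: Optional[str]      # role granted at an earlier, successful sign-in


def resolve_role(user: User, role_mappings: Dict[str, str]) -> Optional[str]:
    """Map the user's current IdP groups to an application role via the mapping table."""
    for group in sorted(user.groups):
        if group in role_mappings:
            return role_mappings[group]
    return None


def sign_in_fail_open(user: User, role_mappings: Dict[str, str],
                      user_store: Set[str]) -> Optional[str]:
    """Vulnerable pattern: an empty mapping table skips re-authorization."""
    if user.username not in user_store:
        return None
    if not role_mappings:
        # BUG: "no mappings configured" is treated as "no restrictions",
        # so a previously mapped user keeps the role from their last sign-in.
        return user.cached_role
    return resolve_role(user, role_mappings)


def sign_in_fail_closed(user: User, role_mappings: Dict[str, str],
                        user_store: Set[str]) -> Optional[str]:
    """Hardened: every sign-in is re-evaluated against the current table; empty table denies all."""
    if user.username not in user_store:
        return None
    return resolve_role(user, role_mappings)


def demo() -> Dict[str, Optional[str]]:
    """Walk through the scenario in the advisory and return each outcome."""
    # Constructed sample data: one mapped group, one user who signed in while it existed.
    role_mappings = {"ot-engineers": "operator"}
    user_store = {"alice"}
    alice = User("alice", frozenset({"ot-engineers"}), cached_role="operator")

    results: Dict[str, Optional[str]] = {}
    # Normal operation: both variants grant the mapped role.
    results["fail_open_with_mapping"] = sign_in_fail_open(alice, role_mappings, user_store)
    results["fail_closed_with_mapping"] = sign_in_fail_closed(alice, role_mappings, user_store)

    # Administrator accidentally removes every role mapping.
    role_mappings = {}
    results["fail_open_after_removal"] = sign_in_fail_open(alice, role_mappings, user_store)
    results["fail_closed_after_removal"] = sign_in_fail_closed(alice, role_mappings, user_store)

    # Workaround from the advisory: remove the previously mapped user as well.
    user_store.discard("alice")
    results["fail_open_after_user_removed"] = sign_in_fail_open(alice, role_mappings, user_store)
    return results


if __name__ == "__main__":
    for scenario, role in demo().items():
        print(f"{scenario}: {'denied' if role is None else 'signed in as ' + role}")
```

The fail-open variant still signs alice in as `operator` once the table is empty, which is the behaviour the advisory describes; deleting her record denies the sign-in, which is why removing previously mapped users is an effective workaround when no mapping can be kept. The fail-closed variant denies her as soon as the mappings are gone, without relying on the user list.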
ADDITIONAL RESOURCES