Loading

Incorrect Privileges and Path Traversal Vulnerability in Pavilion8®

Severity:
High
Advisory ID:
SD1695
Published Date:
September 11, 2024
Last Updated:
October 16, 2024
Revision Number:
1.0
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No
CVE IDs
CVE-2024-7960 ,
CVE-2024-7961
Downloads
The following link(s) provide the security advisory in Vulnerability Exploitability Exchange format:
JSON
JSON
Summary
Incorrect Privileges and Path Traversal Vulnerability in Pavilion8®

Published Date: 9/12/24 
Revision Number: 1.0 
CVSS Score: 3.1: 7.6, 7.2 4.0: 8.8, 7.6 

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments. 

AFFECTED PRODUCTS AND SOLUTION 

Affected Product  Affected Software Version  Corrected in Software Version 
Pavilion8®            <V5.20  V6.0 and later  

 

VULNERABILITY DETAILS 

Rockwell Automation used the latest versions of the CVSS scoring system to assess the vulnerabilities. 

CVE-2024-7960 IMPACT 

The affected product contains a vulnerability that allows a threat actor to view sensitive information and change settings. The vulnerability exists due to having an incorrect privilege matrix that allows users to have access to functions they should not.  

CVSS 3.1 Base Score: 7.6 
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L 

CVSS 4.0 Base Score: 8.8 
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N 

CWE:  Improper Privilege Management 
Known Exploited Vulnerability (KEV) database: No 

CVE-2024-7961 IMPACT 

A path traversal vulnerability exists in the affected product.  If exploited, the threat actor could upload arbitrary files to the server that could result in a remote code execution.   

CVSS 3.1 Base Score: 7.2 
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 

CVSS 4.0 Base Score: 8.6 
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N 

CWE:  Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') 
Known Exploited Vulnerability (KEV) database: No 

Mitigations and Workarounds 
Customers using the affected software, who are not able to upgrade to one of the corrected versions, are encouraged to apply security best practices, where possible.    

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization. 

ADDITIONAL RESOURCES 

Copyright ©2022 Rockwell Automation, Inc.