Published Date: August 13, 2024
Last updated: August 13, 2024
Revision Number: 1.0
CVSS Score: v3.1: 7.4/10, v4.0: 5.3/10
The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.
AFFECTED PRODUCTS AND SOLUTION
| Affected Product | First Known in software version | Corrected in software revision |
| Pavilion8® | v5.20 | v6.0 |
Mitigations and Workarounds
Users using the affected software, who are not able to upgrade to one of the corrected versions, are encouraged to apply security best practices, where possible.
Interactions between the Console and Dashboard take place on the same machine, the machine should exist behind a firewall and physical access should be limited to authorized personnel.
VULNERABILITY DETAILS
Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring systems to assess the following vulnerabilities.
CVE-2024-40620 IMPACT
A vulnerability exists in the affected product due to lack of encryption of sensitive information. The vulnerability results in data being sent between the Console and the Dashboard without encryption, which can be seen in the logs of proxy servers, potentially impacting the data's confidentiality.
CVSS 3.1 Base Score: 7.4/10
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
CSVV 4.0 Base Score: 5.3/10
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
CWE-311: Missing Encryption of Sensitive Data
Known Exploited Vulnerability (KEV) database: No
Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment specific prioritization.
ADDITIONAL RESOURCES
The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities.
JSON CVE-2024-40620
