CVE-2023-2637

EPSS 0.01%
Veröffentlicht 13.06.2023 21:15:09
Zuletzt bearbeitet 21.11.2024 07:58:58
Quelle PSIRT@rockwellautomation.com
Teams Watchlist Login
Unerledigt Login

Rockwell Automation's FactoryTalk System Services uses a hard-coded cryptographic key to generate administrator cookies.  Hard-coded cryptographic key may lead to privilege escalation.  This vulnerability may allow a local, authenticated non-admin user to generate an invalid administrator cookie giving them administrative privileges to the FactoryTalk Policy Manger database. This may allow the threat actor to make malicious changes to the database that will be deployed when a legitimate FactoryTalk Policy Manager user deploys a security policy model. User interaction is required for this vulnerability to be successfully exploited.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 2 Referenzen 4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Rockwellautomation ≫ Factorytalk Policy Manager Version6.11.0

Rockwellautomation ≫ Factorytalk System Services Version6.11.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.01%	0.002

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.2	1.5	6	CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
PSIRT@rockwellautomation.com	7.3	1.5	5.3	CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:H

CWE-321 Use of Hard-coded Cryptographic Key

The use of a hard-coded cryptographic key significantly increases the possibility that encrypted data may be recovered.

CWE-798 Use of Hard-coded Credentials

The product contains hard-coded credentials, such as a password or cryptographic key.

https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1139683

Vendor Advisory

Permissions Required

https://nvd.nist.gov/vuln/detail/CVE-2023-2637

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-2637

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-2637

EUVD