PT-2022-23000 · Inductive Automation · Inductive Automation Ignition

Published: 2022-07-15 · Updated: 2022-07-21 · CVE-2022-35890

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Inductive Automation Ignition versions 7.9.19 and earlier, 8.x versions prior to 8.1.17

Description

An issue was discovered where Designer and Vision Client Session IDs are mishandled, allowing an attacker to determine which session IDs were generated in the past and then hijack sessions assigned to these IDs.

Recommendations

For Inductive Automation Ignition versions 7.9.19 and earlier, update to version 7.9.20 or later. For Inductive Automation Ignition 8.x versions prior to 8.1.17, update to version 8.1.17 or later.

Incorrect Authorization

Weakness Enumeration

Related Identifiers

CVE-2022-35890

Affected Products

Inductive Automation Ignition