PT-2024-37960 · Automation Anywhere · Automation 360

Published

2024-07-26

·

Updated

2024-07-29

·

CVE-2024-6922

CVSS v4.0

6.9

Medium

Vector

AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions

Automation Anywhere Automation 360 versions v21 through v32

Description

The issue allows an unauthenticated attacker who can reach the Automation 360 Control Room HTTPS service (port 443) or HTTP service (port 80) to make the server issue arbitrary web requests on the attacker's behalf. The cause is a Server-Side Request Forgery (SSRF) vulnerability in a web API component: the forged requests originate from the Control Room host, so they reach whatever that host can reach, including internal services that are not exposed to the attacker directly.

Recommendations

For Automation Anywhere Automation 360 versions v21 through v32, restrict network access to the Automation 360 Control Room HTTPS and HTTP services to trusted clients and networks to minimize the risk of exploitation. As a temporary workaround, limit the server's ability to make outbound web requests (for example, egress filtering at the host or network level, and allowlisting only the destinations the Control Room legitimately needs) until a fix is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
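To make the workaround above concrete, the following is an added example written for this page; it is not Automation Anywhere's code and does not reproduce the vulnerable web API component. It shows the SSRF-prone shape (a caller-controlled URL fetched as-is) next to a deny-by-default guard that a web API can run before any server-side fetch: scheme, embedded credentials, port, a host allowlist, and every resolved address checked against loopback, private, link-local (the 169.254.169.254 cloud metadata endpoint) and other non-public ranges. The allowlisted hosts, the fake DNS table and the sample URLs are constructed for the offline demo.

```python
"""
Deny-by-default guard for server-side web requests: one concrete form of
"limit the ability of the server to make arbitrary web requests".
Illustrative code written for this advisory page; it is NOT Automation
Anywhere's code and does not reproduce the vulnerable component. The
allowlist, the fake DNS table and the sample URLs are constructed.
"""
import ipaddress
import socket
import urllib.request
from urllib.parse import urlparse

# Assumed egress policy for this demo: server-side fetches may only target
# these hosts, schemes and ports. Real deployments derive this from config.
ALLOWED_HOSTS = {"api.partner.example", "files.example"}
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}


def fetch_unchecked(url: str) -> bytes:
    """The SSRF-prone shape, shown only for contrast: a caller-controlled URL
    is fetched as-is, so http://127.0.0.1:8080/, http://169.254.169.254/ or
    an internal hostname becomes reachable from the server. Never call this."""
    with urllib.request.urlopen(url, timeout=5) as resp:
        return resp.read()


def is_public_address(ip: str) -> bool:
    """True only for globally routable unicast addresses. Loopback, RFC 1918,
    link-local (covers the 169.254.169.254 cloud metadata endpoint),
    multicast, reserved and unspecified addresses are all rejected."""
    addr = ipaddress.ip_address(ip)
    # Unwrap IPv4-mapped IPv6 (::ffff:127.0.0.1) so it is judged as IPv4.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def default_resolver(host: str) -> list[str]:
    """Every address the name currently maps to (A and AAAA records)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def validate_outbound_url(url: str, resolver=default_resolver) -> tuple[bool, str]:
    """Return (allowed, reason). Every check must pass: scheme, no embedded
    credentials, port, host allowlist, and every resolved address public."""
    parts = urlparse(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL (user@host confusion) not allowed"
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        return False, "no host in URL"
    try:
        port = parts.port or (443 if parts.scheme.lower() == "https" else 80)
    except ValueError:
        return False, "invalid port"
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed"
    if host not in ALLOWED_HOSTS:
        return False, f"host {host!r} not on allowlist"
    # Resolve and check every address: an allowlisted name that points at an
    # internal address (misconfiguration, or DNS the attacker controls) is denied.
    try:
        addrs = resolver(host)
    except OSError as exc:
        return False, f"resolution failed: {exc}"
    bad = [a for a in addrs if not is_public_address(a)]
    if not addrs or bad:
        return False, f"non-public address(es) for {host}: {bad}"
    return True, f"ok: {host}:{port} -> {addrs}"


# Constructed DNS table standing in for real resolution in the offline demo.
FAKE_DNS = {
    "api.partner.example": ["93.184.216.34"],
    "files.example": ["10.0.0.5"],  # allowlisted name pointing inside: still denied
}


def fake_resolver(host: str) -> list[str]:
    if host not in FAKE_DNS:
        raise socket.gaierror(f"no such host: {host}")
    return FAKE_DNS[host]


SAMPLE_URLS = [
    "https://api.partner.example/v1/jobs",            # allowed
    "http://127.0.0.1:8080/",                         # loopback, odd port
    "http://169.254.169.254/latest/meta-data/",       # cloud metadata
    "https://api.partner.example@127.0.0.1/",         # userinfo trick
    "https://files.example/report.pdf",               # allowlisted but internal
    "file:///etc/passwd",                             # non-HTTP scheme
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        ok, why = validate_outbound_url(u, fake_resolver)
        print("ALLOW" if ok else "DENY ", u, "-", why)
```

Two caveats a practitioner should keep in mind. The guard validates the name's addresses before the fetch, so a DNS rebinding attack can still swap in an internal address between validation and connection; the fetch should connect to the address that was validated (setting the Host header itself) rather than re-resolving. And an application-level check only covers the code paths that call it, which is why the advisory's network-level suggestion (egress filtering on the Control Room host) is the complementary control: it also catches requests from libraries or components that never pass through the validator.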

Weakness Enumeration

SSRF

Related Identifiers

CVE-2024-6922

Affected Products

Automation 360