Published Date: May 15, 2024
Last updated: August 6, 2025
May 22, 2024 - Updated corrected software versions
Revision Number: 2.0
CVSS Score: v3.1: 7.6/10, v4.0: 8.8/10
The security of our products is important to us as your industrial automation supplier. This issue was found internally during routine testing and is being reported in keeping with our commitment to transparency across all business environments.
AFFECTED PRODUCTS AND SOLUTION
| Affected Product | First Known in software version | Corrected in software version |
|---|---|---|
| FactoryTalk® View SE | < 14 | V11, 12, 13, 14 or later |
SECURITY ISSUE DETAILS
Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring system to assess the following vulnerabilities.
A security issue exists in the FactoryTalk® View SE Datalog function. This could allow a threat actor to inject a malicious SQL statement if the SQL database has no authentication in place or if legitimate credentials were stolen. The attack could result in information exposure, revealing sensitive information. A threat actor could then modify and delete the data in a remote database. An attack would only affect the HMI design time, not runtime.
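To make the SQL-statement risk and its mitigation concrete, the following Python is an added illustration, not FactoryTalk code and not a description of how the Datalog function is implemented. It is a hypothetical datalog writer built three ways over an in-memory SQLite table that stands in for the remote database: a concatenated-string form in which a tag name is interpreted as SQL, a bound-parameter form in which the same tag name stays data, and a hardened form that adds an identifier allow-list (the input-validation side of CWE-20). The function and table names, the allow-list pattern and the input `Tank_1' Level` are all constructed for this example.

```python
import re
import sqlite3

# Tag names the hypothetical datalog accepts: an identifier-like allow-list.
# This pattern is this example's own choice, not a FactoryTalk rule.
TAG_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_.]{0,63}$")


def open_datalog() -> sqlite3.Connection:
    """Create an in-memory datalog table standing in for the remote SQL database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE datalog (tag TEXT NOT NULL, value REAL NOT NULL)")
    return conn


def log_value_unsafe(conn: sqlite3.Connection, tag: str, value: float) -> None:
    """Vulnerable pattern: the tag name is spliced into the SQL text, so any
    quote or SQL syntax inside it becomes part of the statement."""
    sql = "INSERT INTO datalog (tag, value) VALUES ('%s', %s)" % (tag, value)
    conn.execute(sql)
    conn.commit()


def log_value_parameterized(conn: sqlite3.Connection, tag: str, value: float) -> None:
    """Hardened pattern: bound parameters keep the tag name as data, never as SQL."""
    conn.execute("INSERT INTO datalog (tag, value) VALUES (?, ?)", (tag, float(value)))
    conn.commit()


def log_value_hardened(conn: sqlite3.Connection, tag: str, value: float) -> None:
    """Defence in depth for CWE-20: reject tag names outside the allow-list
    before they reach the database, then bind the rest as parameters."""
    if not TAG_NAME.match(tag):
        raise ValueError("invalid tag name: %r" % tag)
    log_value_parameterized(conn, tag, value)


def stored_tags(conn: sqlite3.Connection) -> list:
    """Return the tag names currently in the datalog table, sorted."""
    return [row[0] for row in conn.execute("SELECT tag FROM datalog ORDER BY tag")]


def demo() -> dict:
    """Run the three writers against a constructed tag name containing a quote
    and report what each one did."""
    odd_tag = "Tank_1' Level"   # constructed input: the quote breaks string concatenation
    results = {}

    conn = open_datalog()
    try:
        log_value_unsafe(conn, odd_tag, 42.0)
        results["unsafe"] = "executed"
    except sqlite3.Error as exc:
        results["unsafe"] = "sql error: %s" % exc   # the quote was parsed as SQL syntax

    conn = open_datalog()
    log_value_parameterized(conn, odd_tag, 42.0)
    results["parameterized"] = stored_tags(conn)    # stored verbatim, quote included

    conn = open_datalog()
    try:
        log_value_hardened(conn, odd_tag, 42.0)
        results["hardened"] = stored_tags(conn)
    except ValueError as exc:
        results["hardened"] = "rejected: %s" % exc   # never reached the database
    log_value_hardened(conn, "Tank_1.Level", 42.0)   # a well-formed tag name is accepted
    results["hardened_ok"] = stored_tags(conn)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print("%-14s %s" % (name, outcome))
```

Bound parameters address the statement-construction side of the problem only; they do nothing about the conditions the advisory names (a database with no authentication, or stolen legitimate credentials), which is why upgrading to a corrected version and securing database access remain the primary controls.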
CVE-2024-4609 IMPACT
CVSS v3.1 Base Score: 7.6
CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
CVSS v4.0 Base Score: 8.8
CVSS Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N
CWE: CWE-20 Improper Input Validation
Known Exploited Vulnerability (KEV) database: No
Users can apply Stakeholder-Specific Vulnerability Categorization (SSVC) to derive a prioritization that is specific to their own environment.
Mitigations and Workarounds
Customers using the affected software that are not able to upgrade to one of the corrected versions should use security best practices.
ADDITIONAL RESOURCE
The link provides CVE information in Vulnerability Exploitability Exchange (VEX) format. This is machine readable and can be used to automate vulnerability management and tracking activities.
Glossary
- HMI Design Time: the process of creating and designing Human-Machine Interface screens
- Known Exploited Vulnerability (KEV) database: an official list of security flaws that attackers have actively exploited
- SQL Statement: Used to communicate with databases. A statement is a command to be understood by the interpreter and executed by the SQL engine.
- Vulnerability Exploitability Exchange (VEX): a framework that allows software suppliers or other parties to assert the status of specific vulnerabilities in a particular product