Loading

Sensitive Data Exposure and Escalating Privileges Vulnerabilities in DataMosaix™ Private Cloud

Severity:
High
Advisory ID:
SD1702
发布日期:
October 04, 2024
上次更新时间:
October 04, 2024
Revision Number:
1.0
Known Exploited Vulnerability (KEV):
Corrected:
Workaround:
CVE IDs
CVE-2024-7952,
CVE-2024-7953,
CVE-2024-7956
摘要
Sensitive Data Exposure and Escalating Privileges Vulnerabilities in DataMosaix™ Private Cloud

Published Date: 10/8/24 

Revision Number: 1.0 
CVSS Score: v3.1: 7.5, 8.8 v4.0: 8.7

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product
 Affected Versions 
 Corrected in Software Version
DataEdgePlatform DataMosaix™ Private Cloud <=7.07 v7.09

 

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2024-7952 IMPACT

A data exposure vulnerability exists in the affected product. There are hardcoded links in the source code that lead to JSON files that can be reached without authentication. If exploited, a threat actor could view customer data. 

CVSS 3.1 Base Score: 7.5 
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS 4.0 Base Score: 8.7 
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

CWE:  Exposure of Sensitive Information to an unauthorized Actor 
Known Exploited Vulnerability (KEV) database: No

CVE-2024-7953 IMPACT

 
A vulnerability exists in the affected products that allows a threat actor to create a project and become the administrator for it. If exploited, a threat actor could create, modify, and delete their own project. 

CVSS 3.1 Base Score: 8.8 
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.7 
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE:  Missing Authorization 
Known Exploited Vulnerability (KEV) database: No

CVE-2024-7956 IMPACT 

A vulnerability exists in the affected products that allows a threat actor to gain access to user’s projects. To exploit this vulnerability the threat actor must have basic user privileges. If exploited, the threat actor can modify and delete the project. 

CVSS 3.1 Base Score: 8.1 
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CVSS 4.0 Base Score: 7.6 
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

CWE:  Incorrect Authorization 
Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds 
Customers using the affected software, who are not able to upgrade to one of the corrected versions, are encouraged to apply security best practices, where possible.    

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

ADDITIONAL RESOURCES

Copyright ©2022 Rockwell Automation, Inc.