CVE-2020-12004

The affected product lacks proper authentication required to query the server on the Ignition 8 Gateway (versions prior to 8.0.10) and Ignition 7 Gateway (versions prior to 7.9.14), allowing an attacker to obtain sensitive information.

Recent assessments:

cdelafuente-r7 at June 26, 2020 11:13am UTC reported:

This vulnerability affects Ignition 7 (prior to v7.9.14) and 8 (prior to v8.0.10), an Integrated Software Platform for SCADA systems to do cross-platform web-based deployment. These versions contain multiple vulnerabilities that, when chained together, can lead to preauth remote code execution with SYSTEM user privileges (advisory).

CVE-2020-12004 is one of these vulnerabilities (see also CVE-2020-10644) and is related to an access control issue that enables an attacker to retrieve sensitive information. The com.inductiveautomation.ignition.gateway.servlets.gateway.functions.ProjectDownload Java class provides several actions that do not require authentication. Particularly one of them, getDiffs(), can be used to access all the project data.

This is a medium risk issue when taken alone. However, as explained above, it can be critical when chained with other vulnerabilities.

Assessed Attacker Value: 3
Assessed Attacker Value: 3Assessed Attacker Value: 3