Lucene search

[email protected]CVE-2020-12029

HistoryJul 20, 2020 - 3:15 p.m.

CVE-2020-12029

2020-07-2015:15:11

CWE-20

[email protected]

web.nvd.nist.gov

factorytalk view se

input validation

vulnerability

remote code execution

rce

rockwell automation

patch

nvd

cve-2020-12029

CVSS2

6.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

AI Score

7.8

Confidence

High

EPSS

0.045

Percentile

92.5%

JSON

All versions of FactoryTalk View SE do not properly validate input of filenames within a project directory. A remote, unauthenticated attacker may be able to execute a crafted file on a remote endpoint that may result in remote code execution (RCE). Rockwell Automation recommends applying patch 1126289. Before installing this patch, the patch rollup dated 06 Apr 2020 or later MUST be applied. 1066644 – Patch Roll-up for CPR9 SRx.

Affected configurations

NVD

Node

rockwellautomationfactorytalk_viewMatch-se

VendorProductVersionCPE
rockwellautomationfactorytalk_view-cpe:/a:rockwellautomation:factorytalk_view:-::se:

Vendor	Product	Version	CPE
rockwellautomation	factorytalk_view	-	cpe:/a:rockwellautomation:factorytalk_view:-::se:

CNA Affected

[
  {
    "product": "FactoryTalk View SE",
    "vendor": "Rockwell Automation",
    "versions": [
      {
        "status": "affected",
        "version": "all versions"
      }
    ]
  }
]