Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2023-38122— Inductive Automation Ignition OPC UA Quick Client Permissive Cross-domain Policy Remote Code Execution Vulnerability

EPSS 0.56% · P69
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2023-38122

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
Inductive Automation Ignition OPC UA Quick Client Permissive Cross-domain Policy Remote Code Execution Vulnerability
Source: NVD (National Vulnerability Database)
Vulnerability Description
Inductive Automation Ignition OPC UA Quick Client Permissive Cross-domain Policy Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Inductive Automation Ignition. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the configuration of the web server. The issue results from the lack of appropriate Content Security Policy headers. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of SYSTEM. Was ZDI-CAN-20539.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
过度许可的跨域白名单
Source: NVD (National Vulnerability Database)
Vulnerability Title
Inductive Automation Ignition 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Inductive Automation Ignition是美国Inductive Automation公司的一套用于SCADA系统的集成软件平台。该平台支持SCADA(数据采集与监控系统)、HMI(人机界面)等。 Inductive Automation Ignition存在安全漏洞,该漏洞源于OPC UA Quick Client存在远程代码执行漏洞。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
Inductive AutomationIgnition 8.1.24 -

II. Public POCs for CVE-2023-38122

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2023-38122

登录查看更多情报信息。

Same Patch Batch · Inductive Automation · 2024-05-03 · 18 CVEs total

CVE-2023-38124Inductive Automation Ignition OPC UA Quick Client Task Scheduling Exposed Dangerous Functi
CVE-2023-50233Inductive Automation Ignition getJavaExecutable Directory Traversal Remote Code Execution
CVE-2023-50222Inductive Automation Ignition ResponseParser Notification Deserialization of Untrusted Dat
CVE-2023-50223Inductive Automation Ignition ExtendedDocumentCodec Deserialization of Untrusted Data Remo
CVE-2023-50219Inductive Automation Ignition RunQuery Deserialization of Untrusted Data Remote Code Execu
CVE-2023-50221Inductive Automation Ignition ResponseParser SerializedResponse Deserialization of Untrust
CVE-2023-50218Inductive Automation Ignition ModuleInvoke Deserialization of Untrusted Data Remote Code E
CVE-2023-50232Inductive Automation Ignition getParams Argument Injection Remote Code Execution Vulnerabi
CVE-2023-50220Inductive Automation Ignition Base64Element Deserialization of Untrusted Data Remote Code
CVE-2023-39477Inductive Automation Ignition ConditionRefresh Resource Exhaustion Denial-of-Service Vulne
CVE-2023-38121Inductive Automation Ignition OPC UA Quick Client Cross-Site Scripting Remote Code Executi
CVE-2023-38123Inductive Automation Ignition OPC UA Quick Client Missing Authentication for Critical Func
CVE-2023-39472Inductive Automation Ignition SimpleXMLReader XML External Entity Processing Information D
CVE-2023-39476Inductive Automation Ignition JavaSerializationCodec Deserialization of Untrusted Data Rem
CVE-2023-39473Inductive Automation Ignition AbstractGatewayFunction Deserialization of Untrusted Data Re
CVE-2023-39475Inductive Automation Ignition ParameterVersionJavaSerializationCodec Deserialization of Un
CVE-2023-39474Inductive Automation Ignition downloadLaunchClientJar Remote Code Execution Vulnerability

IV. Related Vulnerabilities

Same product: Ignition
Same vendor: Inductive Automation
Same weakness: CWE-942

V. Comments for CVE-2023-38122

No comments yet

Leave a comment