CVE-2017-6015

Without quotation marks, any whitespace in the file path for Rockwell Automation FactoryTalk Activation version 4.00.02 remains ambiguous, which may allow an attacker to link to or run a malicious executable. This may allow an authorized, but not privileged local user to execute arbitrary code with elevated privileges on the system. CVSS v3 base score: 8.8, CVSS vector string: (AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H). Rockwell Automation has released a new version of FactoryTalk Activation, Version 4.01, which addresses the identified vulnerability. Rockwell Automation recommends upgrading to the latest version of FactoryTalk Activation, Version 4.01 or later.
References
Link Resource
https://rockwellautomation.custhelp.com/app/answers/detail/a_id/939382 Permissions Required Vendor Advisory
https://ics-cert.us-cert.gov/advisories/ICSA-17-047-02 Third Party Advisory US Government Resource
http://www.securityfocus.com/bid/96996 Third Party Advisory VDB Entry
Advertisement

NeevaHost hosting service

Configurations

Configuration 1 (hide)

cpe:2.3:a:rockwellautomation:factorytalk_activation:*:*:*:*:*:*:*:*

Information

Published : 2018-05-11 06:29

Updated : 2019-10-09 16:28


NVD link : CVE-2017-6015

Mitre link : CVE-2017-6015


JSON object : View

CWE
CWE-74

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Advertisement

dedicated server usa

Products Affected

rockwellautomation

  • factorytalk_activation