SB2024101660 - Multiple vulnerabilities in Rockwell Automation DataMosaix Private Cloud
Published: October 16, 2024
Description
This security bulletin contains information about 3 vulnerabilities.
1) Information disclosure (CVE-ID: CVE-2024-7952)
CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to the hardcoded links in the source code that lead to JSON files that can be reached without authentication. A remote attacker can gain unauthorized access to sensitive information on the system.
2) Missing Authorization (CVE-ID: CVE-2024-7953)
CWE-ID: CWE-862 - Missing Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to bypass authorization checks.
The vulnerability exists due to missing authorization controls in Azure Stack Hyperconverged Infrastructure (HCI). A remote user can create a project and become the administrator for it.
3) Incorrect authorization (CVE-ID: CVE-2024-7956)
CWE-ID: CWE-863 - Incorrect Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to bypass authorization checks.
The vulnerability exists due to broken access control in several PATCH endpoints. A remote user can gain access to a user's projects and modify or delete them.
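To make the two authorization weaknesses above concrete, the following Python is an added example, not Rockwell Automation or DataMosaix code; every user, role, project and field name in it is constructed. It places the missing function-level check of item 2 (any authenticated user may create a project and becomes its administrator) and the missing object-level check of item 3 (a PATCH handler that verifies login but not ownership) beside hardened handlers that return HTTP-style status codes.

```python
"""Added example (not vendor code): function-level and object-level authorization
checks of the kind whose absence is described in items 2 and 3 of the bulletin.
All users, roles, projects and field names below are constructed for illustration."""
import copy
from dataclasses import dataclass, field


@dataclass
class Project:
    id: int
    owner: str
    name: str
    members: set = field(default_factory=set)


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)


# Constructed sample data: one user holds no special role at all.
USERS = {
    "alice": User("alice", {"project_creator"}),
    "bob": User("bob", set()),
    "carol": User("carol", {"project_creator"}),
}
SAMPLE_PROJECTS = {
    1: Project(1, "alice", "line-1 analytics", {"alice", "bob"}),
    2: Project(2, "carol", "plant telemetry", {"carol"}),
}
PATCHABLE_FIELDS = {"name"}  # allowlist: owner/members are never writable via PATCH


def fresh_store():
    """Deep copy so every call starts from the same constructed state."""
    return copy.deepcopy(SAMPLE_PROJECTS)


# --- Vulnerable pattern: only "is the caller logged in?" is ever checked ---------
def create_project_missing_authz(store, caller, name):
    """CWE-862 shape: any authenticated user may create a project and owns it."""
    if caller not in USERS:
        return 401, None
    pid = max(store, default=0) + 1
    store[pid] = Project(pid, caller, name, {caller})
    return 201, store[pid]


def patch_project_incorrect_authz(store, caller, pid, changes):
    """CWE-863 shape: authenticated, but no check that the caller may edit *this* project,
    and no allowlist, so even the owner field can be rewritten."""
    if caller not in USERS:
        return 401, None
    project = store.get(pid)
    if project is None:
        return 404, None
    for key, value in changes.items():
        setattr(project, key, value)
    return 200, project


# --- Hardened pattern -------------------------------------------------------
def create_project_hardened(store, caller, name):
    """Function-level check: creating a project requires an explicit role."""
    user = USERS.get(caller)
    if user is None:
        return 401, None
    if "project_creator" not in user.roles:
        return 403, None
    pid = max(store, default=0) + 1
    store[pid] = Project(pid, caller, name, {caller})
    return 201, store[pid]


def patch_project_hardened(store, caller, pid, changes):
    """Object-level check plus a field allowlist, both evaluated before any write."""
    if caller not in USERS:
        return 401, None
    project = store.get(pid)
    # Same response for "no such project" and "not yours": no ID-enumeration oracle.
    if project is None or project.owner != caller:
        return 404, None
    if set(changes) - PATCHABLE_FIELDS:
        return 400, None
    for key, value in changes.items():
        setattr(project, key, value)
    return 200, project
```

The two hardened handlers differ from their vulnerable counterparts only in the checks that run before the write: a role check at the function level for creation, and an ownership check plus a field allowlist at the object level for PATCH. Returning the same 404 for "missing" and "not owned" is a deliberate choice so that project IDs cannot be enumerated through the authorization response.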
Remediation
Install the update from the vendor's website.