Information disclosure in Arena

#VU20458 Information disclosure in Arena

Published: 2019-08-29

Vulnerability identifier: #VU20458

Vulnerability risk: Low

CVSSv3.1:

CVE-ID: CVE-2019-13511

CWE-ID: CWE-200

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Arena
Server applications / Virtualization software

Vendor: Rockwell Automation

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to the specific flaw exists within the processing of project files. A remote attacker can trick a victim to open a specially crafted Arena file and gain unauthorized access to sensitive information related to the targeted workstation.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Arena: 14.50.00 - 16.00.00

CPE

cpe:2.3:a:rockwell_automation:arena:16.00.00:*:*:*:*:*:*:*

External links
http://www.us-cert.gov/ics/advisories/icsa-19-213-05

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

Latest bulletins with this vulnerability

OpenSUSE Linux update for git

Gentoo update for Git

OpenSUSE Linux update for git

Amazon Linux AMI update for git

Multiple vulnerabilities in Rockwell Automation Arena Simulation Software