Main Vulnerability Database Vulnerabilities #VU29157

#VU29157 Input validation error in FactoryTalk View SE - CVE-2020-12029

Published: June 19, 2020 / Updated: November 20, 2020

Vulnerability identifier: #VU29157

Vulnerability risk: High

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Amber

CVE-ID: CVE-2020-12029

CWE-ID: CWE-20

Exploitation vector: Remote access

Exploit availability: Public exploit is available

Vulnerable software:
FactoryTalk View SE

Software vendor:
Rockwell Automation

Description

The vulnerability allows a remote attacker to execute arbitrary code on the system.

The vulnerability exists due to insufficient validation of user-supplied input in filenames within a project directory. A remote attacker can use a specially crafted file and execute arbitrary code on the target system.

Remediation

Vendor recommends applying patch 1126289. Before installing this patch, the patch rollup dated 06 Apr 2020 or later MUST be applied. 1066644 – Patch Roll-up for CPR9 SRx.

External links

https://ics-cert.us-cert.gov/advisories/icsa-20-170-05

#VU29157 Input validation error in FactoryTalk View SE - CVE-2020-12029

Description

Remediation

External links

Please verify you're human