{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2024-11158","assignerOrgId":"b73dd486-f505-4403-b634-40b078b177f0","state":"PUBLISHED","assignerShortName":"Rockwell","dateReserved":"2024-11-12T17:53:12.695Z","datePublished":"2024-12-05T17:41:57.954Z","dateUpdated":"2024-12-06T16:43:59.422Z"},"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Arena®","vendor":"Rockwell Automation","versions":[{"status":"affected","version":"All versions 16.20.00 and prior"}]}],"datePublic":"2024-12-05T14:00:00.000Z","descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<span style=\"background-color: rgb(255, 255, 255);\"><span style=\"background-color: rgb(255, 255, 255);\">An “uninitialized variable” code execution vulnerability exists in the \n\nRockwell Automation Arena®\n\n that could allow a threat actor to craft a DOE file and force the software to access a variable before it being initialized. If exploited, a threat actor could leverage this vulnerability to execute arbitrary code. To exploit this vulnerability, a legitimate user must execute the malicious code crafted by the threat actor.</span>\n\n<br></span>\n\n<br>"}],"value":"An “uninitialized variable” code execution vulnerability exists in the \n\nRockwell Automation Arena®\n\n that could allow a threat actor to craft a DOE file and force the software to access a variable before it being initialized. If exploited, a threat actor could leverage this vulnerability to execute arbitrary code. To exploit this vulnerability, a legitimate user must execute the malicious code crafted by the threat actor."}],"metrics":[{"cvssV4_0":{"Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","Safety":"NOT_DEFINED","attackComplexity":"LOW","attackRequirements":"NONE","attackVector":"LOCAL","baseScore":8.5,"baseSeverity":"HIGH","privilegesRequired":"NONE","providerUrgency":"NOT_DEFINED","subAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","userInteraction":"PASSIVE","valueDensity":"NOT_DEFINED","vectorString":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N","version":"4.0","vulnAvailabilityImpact":"HIGH","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnerabilityResponseEffort":"NOT_DEFINED"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-665","description":"CWE-665 Improper Initialization","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"b73dd486-f505-4403-b634-40b078b177f0","shortName":"Rockwell","dateUpdated":"2024-12-05T17:41:57.954Z"},"references":[{"url":"https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1713.html"}],"solutions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"Corrected in software version&nbsp;<span style=\"background-color: rgb(255, 255, 255);\">16.20.06 and later<br><br>\n\n<p><b>Mitigations and Workarounds</b><br>Customers using the affected software are encouraged to apply these risk mitigations, if possible.</p><p>For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested <a target=\"_blank\" rel=\"nofollow\" href=\"https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1085012/loc/en_US#__highlight\">security best practices</a>&nbsp;to minimize the risk of the vulnerability.</p><br></span>"}],"value":"Corrected in software version 16.20.06 and later\n\n\n\nMitigations and Workarounds\nCustomers using the affected software are encouraged to apply these risk mitigations, if possible.\n\nFor information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested  security best practices https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1085012/loc/en_US#__highlight  to minimize the risk of the vulnerability."}],"source":{"advisory":"SD1713","discovery":"EXTERNAL"},"title":"Rockwell Automation Arena® Uninitialized Vulnerability","x_generator":{"engine":"Vulnogram 0.2.0"}},"adp":[{"affected":[{"vendor":"rockwellautomation","product":"arena","cpes":["cpe:2.3:a:rockwellautomation:arena:*:*:*:*:*:*:*:*"],"defaultStatus":"unknown","versions":[{"version":"0","status":"affected","lessThan":"16.20.00","versionType":"custom"}]}],"metrics":[{"cvssV3_1":{"scope":"UNCHANGED","version":"3.1","baseScore":6.7,"attackVector":"LOCAL","baseSeverity":"MEDIUM","vectorString":"CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H","integrityImpact":"HIGH","userInteraction":"NONE","attackComplexity":"LOW","availabilityImpact":"HIGH","privilegesRequired":"HIGH","confidentialityImpact":"HIGH"}},{"other":{"type":"ssvc","content":{"timestamp":"2024-12-06T16:42:20.048212Z","id":"CVE-2024-11158","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2024-12-06T16:43:59.422Z"}}]}}