{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2024-37369","assignerOrgId":"b73dd486-f505-4403-b634-40b078b177f0","state":"PUBLISHED","assignerShortName":"Rockwell","dateReserved":"2024-06-06T20:18:27.551Z","datePublished":"2024-06-14T16:50:20.187Z","dateUpdated":"2024-08-02T03:50:56.129Z"},"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"FactoryTalk® View SE","vendor":"Rockwell Automation","versions":[{"status":"affected","version":"12.0"}]}],"datePublic":"2024-06-13T13:00:00.000Z","descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"\n\n<span style=\"background-color: rgb(255, 255, 255);\">A privilege escalation vulnerability exists in the affected product. The vulnerability allows low-privilege users to edit scripts, bypassing Access Control Lists, and potentially gaining further access within the system.</span>\n\n"}],"value":"A privilege escalation vulnerability exists in the affected product. 
The vulnerability allows low-privilege users to edit scripts, bypassing Access Control Lists, and potentially gaining further access within the system."}],"impacts":[{"capecId":"CAPEC-233","descriptions":[{"lang":"en","value":"CAPEC-233 Privilege Escalation"}]}],"metrics":[{"cvssV4_0":{"Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","Safety":"NOT_DEFINED","attackComplexity":"LOW","attackRequirements":"NONE","attackVector":"LOCAL","baseScore":8.5,"baseSeverity":"HIGH","privilegesRequired":"LOW","providerUrgency":"NOT_DEFINED","subAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","userInteraction":"NONE","valueDensity":"NOT_DEFINED","vectorString":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N","version":"4.0","vulnAvailabilityImpact":"HIGH","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnerabilityResponseEffort":"NOT_DEFINED"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-732","description":"CWE-732 Incorrect Permission Assignment for Critical Resource","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"b73dd486-f505-4403-b634-40b078b177f0","shortName":"Rockwell","dateUpdated":"2024-06-14T16:50:20.187Z"},"references":[{"url":"https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1674.html"}],"solutions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"\n\n<p><b>AFFECTED PRODUCTS AND SOLUTION</b></p><table><tbody><tr><td><p>&nbsp;</p><p>&nbsp;</p><p>Affected Product</p><p>&nbsp;</p><p>&nbsp;</p></td><td><p>&nbsp;</p><p>&nbsp;</p><p>First Known in software version</p><p>&nbsp;</p><p>&nbsp;</p></td><td><p>&nbsp;</p><p>&nbsp;</p><p>Corrected in software version </p><p>&nbsp;</p><p>&nbsp;</p></td></tr><tr><td><p>&nbsp;</p><p>&nbsp;</p><p>FactoryTalk® View 
SE</p><p>&nbsp;</p><p>&nbsp;</p></td><td><p>&nbsp;</p><p>&nbsp;</p><p>V12.0</p><p>&nbsp;</p><p>&nbsp;</p></td><td><p>&nbsp;</p><p>&nbsp;</p><p>v14</p><p>&nbsp;</p></td></tr></tbody></table><br>\n\n<p><b>Mitigations and Workarounds </b></p><p>Users using the affected software, who are not able to upgrade to one of the corrected versions, are encouraged to apply security best practices, where possible.   </p><ul><li><p>Use the Secure Install option when installing FactoryTalk® Services Platform.</p></li></ul><ul><li><p><a target=\"_blank\" rel=\"nofollow\" href=\"https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1085012/loc/en_US#__highlight\">Security Best Practices</a></p></li></ul>\n\n<br>"}],"value":"AFFECTED PRODUCTS AND SOLUTION\n\nAffected Product | First Known in software version | Corrected in software version\nFactoryTalk® View SE | V12.0 | v14\n\nMitigations and Workarounds\n\nUsers using the affected software, who are not able to upgrade to one of the corrected versions, are encouraged to apply security best practices, where possible.
\n\n  *  Use the Secure Install option when installing FactoryTalk® Services Platform.\n\n  *  Security Best Practices https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1085012/loc/en_US#__highlight"}],"source":{"discovery":"INTERNAL"},"title":"Rockwell Automation FactoryTalk® View SE Local Privilege Escalation Vulnerability via Local File Permissions","x_generator":{"engine":"Vulnogram 0.2.0"}},"adp":[{"affected":[{"vendor":"rockwellautomation","product":"factorytalk_view","cpes":["cpe:2.3:a:rockwellautomation:factorytalk_view:-:*:*:*:se:*:*:*"],"defaultStatus":"unknown","versions":[{"version":"12.0","status":"affected","lessThan":"14.0","versionType":"custom"}]}],"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2024-06-14T18:11:26.338616Z","id":"CVE-2024-37369","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2024-06-14T18:13:03.399Z"}},{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-02T03:50:56.129Z"},"title":"CVE Program Container","references":[{"url":"https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1674.html","tags":["x_transferred"]}]}]}}