Details of VAR-202407-1425

ID

VAR-202407-1425

CVE

CVE-2024-6435

TITLE

Rockwell Automation Pavilion 8 Privilege Escalation Vulnerability

Trust: 0.6

sources: CNVD: CNVD-2024-34872

DESCRIPTION

A privilege escalation vulnerability exists in the affected products which could allow a malicious user with basic privileges to access functions which should only be available to users with administrative level privileges. If exploited, an attacker could read sensitive data, and create users. For example, a malicious user with basic privileges could perform critical functions such as creating a user with elevated privileges and reading sensitive information in the “views” section. Rockwell Automation Pavilion8 is a model prediction console of Rockwell Automation

Trust: 1.44

sources: NVD: CVE-2024-6435 // CNVD: CNVD-2024-34872

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2024-34872

AFFECTED PRODUCTS

vendor:	rockwellautomation	model:	pavilion8	scope:	eq	version:	5.15.00	Trust: 1.0
vendor:	rockwellautomation	model:	pavilion8	scope:	eq	version:	5.15.01	Trust: 1.0
vendor:	rockwellautomation	model:	pavilion8	scope:	eq	version:	5.20.00	Trust: 1.0
vendor:	rockwellautomation	model:	pavilion8	scope:	eq	version:	5.16.00	Trust: 1.0
vendor:	rockwellautomation	model:	pavilion8	scope:	eq	version:	5.17.00	Trust: 1.0
vendor:	rockwellautomation	model:	pavilion8	scope:	eq	version:	5.17.01	Trust: 1.0
vendor:	rockwell	model:	automation pavilion	scope:	eq	version:	8>=5.15.00,<=5.20.00	Trust: 0.6

sources: CNVD: CNVD-2024-34872 // NVD: CVE-2024-6435

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2024-6435
value:	HIGH
Trust: 1.0
PSIRT@rockwellautomation.com:	CVE-2024-6435
value:	HIGH
Trust: 1.0
CNVD:	CNVD-2024-34872
value:	HIGH
Trust: 0.6

CNVD:	CNVD-2024-34872
severity:	HIGH
baseScore:	9.0
vectorString:	AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2024-6435
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.1
Trust: 1.0

sources: CNVD: CNVD-2024-34872 // NVD: CVE-2024-6435 // NVD: CVE-2024-6435

PROBLEMTYPE DATA

problemtype:

CWE-732

Trust: 1.0

sources: NVD: CVE-2024-6435

PATCH

title:

Patch for Rockwell Automation Pavilion 8 Privilege Escalation Vulnerability

url:

https://www.cnvd.org.cn/patchInfo/show/576361

Trust: 0.6

sources: CNVD: CNVD-2024-34872

EXTERNAL IDS

db:	NVD	id:	CVE-2024-6435	Trust: 1.6
db:	CNVD	id:	CNVD-2024-34872	Trust: 0.6

sources: CNVD: CNVD-2024-34872 // NVD: CVE-2024-6435

REFERENCES

url:	https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.sd1681.html	Trust: 1.0
url:	https://cxsecurity.com/cveshow/cve-2024-6435/	Trust: 0.6

sources: CNVD: CNVD-2024-34872 // NVD: CVE-2024-6435

SOURCES

db:	CNVD	id:	CNVD-2024-34872
db:	NVD	id:	CVE-2024-6435

LAST UPDATE DATE

2025-01-31T23:18:06.704000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2024-34872	date:	2024-08-08T00:00:00
db:	NVD	id:	CVE-2024-6435	date:	2025-01-31T15:01:23.807

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2024-34872	date:	2024-08-08T00:00:00
db:	NVD	id:	CVE-2024-6435	date:	2024-07-16T13:15:13.630