CVE-2022-35890

Published: Jul 15, 2022Modified: Nov 21, 2024

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

An issue was discovered in Inductive Automation Ignition before 7.9.20 and 8.x before 8.1.17. Designer and Vision Client Session IDs are mishandled. An attacker can determine which session IDs were generated in the past and then hijack sessions assigned to these IDs via Randy.

Affected (2)

Products: Inductiveautomation: Ignition

Inductiveautomation

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Inductiveautomation Ignition	Before 7.9.20
Inductiveautomation Ignition	From 8.0.1 to 8.1.17

Related CWEs

Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

References (4)

https://github.com/sourceincite/randy

Source: cve@mitre.org

ExploitThird Party Advisory

https://support.inductiveautomation.com/hc/en-us/articles/7625759776653

Source: cve@mitre.org

Vendor Advisory

https://github.com/sourceincite/randy

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

https://support.inductiveautomation.com/hc/en-us/articles/7625759776653

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.