← Volver a CVEs
CVE-2023-39474
HIGH8.8
Descripcion
Inductive Automation Ignition downloadLaunchClientJar Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Inductive Automation Ignition. User interaction is required to exploit this vulnerability in that the target must connect to a malicious server. The specific flaw exists within the downloadLaunchClientJar function. The issue results from the lack of validating a remote JAR file prior to loading it. An attacker can leverage this vulnerability to execute code in the context of the current user. . Was ZDI-CAN-19915.
Detalles CVE
Puntuacion CVSS v3.18.8
SeveridadHIGH
Vector CVSSCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Vector de ataqueNETWORK
ComplejidadLOW
Privilegios requeridosNONE
Interaccion usuarioREQUIRED
Publicado5/3/2024
Ultima modificacion3/13/2025
Fuentenvd
Avistamientos honeypot0
Productos afectados
inductiveautomation:ignition
Debilidades (CWE)
CWE-494
Referencias
https://www.zerodayinitiative.com/advisories/ZDI-23-1049/(zdi-disclosures@trendmicro.com)
https://www.zerodayinitiative.com/advisories/ZDI-23-1049/(af854a3a-2127-422b-91ae-364da2661108)
Correlaciones IOC
Sin correlaciones registradas
This product uses data from the NVD API but is not endorsed or certified by the NVD.