CVE-2022-35890
Severity Score
9.8
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
1
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
An issue was discovered in Inductive Automation Ignition before 7.9.20 and 8.x before 8.1.17. Designer and Vision Client Session IDs are mishandled. An attacker can determine which session IDs were generated in the past and then hijack sessions assigned to these IDs via Randy.
Se ha detectado un problema en Inductive Automation Ignition versiones anteriores a 7.9.20 y versiones 8.x anteriores a 8.1.17. Los identificadores de sesión de los clientes Designer y Vision son manejados de forma inapropiada. Un atacante puede determinar qué IDs de sesión fueron generados en el pasado y luego secuestrar las sesiones asignadas a estos IDs por medio de Randy
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2022-07-15 CVE Reserved
- 2022-07-15 CVE Published
- 2024-02-05 EPSS Updated
- 2024-08-03 CVE Updated
- 2024-08-03 First Exploit
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-863: Incorrect Authorization
CAPEC
References (2)
| URL | Tag | Source |
|---|
| URL | Date | SRC |
|---|---|---|
| https://github.com/sourceincite/randy | 2024-08-03 |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://support.inductiveautomation.com/hc/en-us/articles/7625759776653 | 2022-07-21 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Inductiveautomation Search vendor "Inductiveautomation" | Ignition Search vendor "Inductiveautomation" for product "Ignition" | < 7.9.20 Search vendor "Inductiveautomation" for product "Ignition" and version " < 7.9.20" | - |
Affected
| ||||||
| Inductiveautomation Search vendor "Inductiveautomation" | Ignition Search vendor "Inductiveautomation" for product "Ignition" | >= 8.0.1 < 8.1.17 Search vendor "Inductiveautomation" for product "Ignition" and version " >= 8.0.1 < 8.1.17" | - |
Affected
| ||||||