CVE-2024-10490

Authentication bypass flaw in several mapp components

Severity Score

8.4
*CVSS v4

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Track
*SSVC
Descriptions

An “Authentication Bypass Using an Alternate Path or Channel” vulnerability in the OPC UA Server configuration required for B&R mapp Cockpit before 6.0, B&R mapp View before 6.0, B&R mapp Services before 6.0, B&R mapp Motion before 6.0 and B&R mapp Vision before 6.0 may be used by an unauthenticated network-based attacker to cause information disclosure, unintended change of data, or denial of service conditions.
B&R mapp Services is only affected when mpUserX or mpCodeBox are used in the Automation Studio project.

*Credits: N/A
CVSS Scores
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: Present
Privileges Required: None
User Interaction: None
System | Vulnerable | Subsequent
Confidentiality | Low | None
Integrity | High | None
Availability | High | None
* Common Vulnerability Scoring System
SSVC
  • Decision: Track
Exploitation: None
Automatable: No
Tech. Impact: Partial
* Organization's Worst-case Scenario
Timeline
  • 2024-10-29 CVE Reserved
  • 2024-12-02 CVE Published
  • 2024-12-02 CVE Updated
  • 2024-12-03 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-288: Authentication Bypass Using an Alternate Path or Channel
CAPEC
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
B&R Industrial Automation GmbH | B&R Mapp View | >= 5.0 < 6.0 | en | Affected
B&R Industrial Automation GmbH | B&R Mapp Services | >= 5.0 < 6.0 | en | Affected
B&R Industrial Automation GmbH | B&R Mapp Motion | >= 5.0 < 6.0 | en | Affected
B&R Industrial Automation GmbH | B&R Mapp Vision | >= 5.0 < 6.0 | en | Affected