Vulnerability Details : CVE-2022-35890
An issue was discovered in Inductive Automation Ignition before 7.9.20 and 8.x before 8.1.17. Designer and Vision Client Session IDs are mishandled. An attacker can determine which session IDs were generated in the past and then hijack sessions assigned to these IDs via Randy.
Products affected by CVE-2022-35890
- cpe:2.3:a:inductiveautomation:ignition:*:*:*:*:*:*:*:*
- cpe:2.3:a:inductiveautomation:ignition:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-35890
0.30%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 67 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2022-35890
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
9.8
|
CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
3.9
|
5.9
|
NIST |
CWE ids for CVE-2022-35890
-
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.Assigned by: nvd@nist.gov (Primary)
References for CVE-2022-35890
-
https://github.com/sourceincite/randy
GitHub - sourceincite/randy: A pre-authenticated RCE exploit for Inductive Automation IgnitionExploit;Third Party Advisory
-
https://support.inductiveautomation.com/hc/en-us/articles/7625759776653
Security checkVendor Advisory
Jump to