CVE-2023-46290

Due to inadequate code logic, a previously unauthenticated threat actor could potentially obtain a local Windows OS user token through the FactoryTalk Services Platform web service and then use the token to log in into FactoryTalk Services Platform . This vulnerability can only be exploited if the authorized user did not previously log in into the FactoryTalk Services Platform web service.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
8.1 HIGH
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
RockwellCNA
8.1 HIGH
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVEADP
---
---
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 47%
VendorProductVersion
rockwellautomationfactorytalk_services_platform
𝑥
< 2.80
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1141165
https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1141165