Vulnerability Description
An issue was discovered in Inductive Automation Ignition before 7.9.20 and 8.x before 8.1.17 (fixed in 7.9.20 and 8.1.17). Designer and Vision Client session IDs are mishandled: an attacker can determine which session IDs were generated in the past and then hijack the sessions assigned to those IDs. "Randy" is the public Source Incite exploit for this issue (see References below).
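As an added illustration, not part of this advisory and not Ignition's own code (the description above does not say how Ignition derived its IDs), the Python below shows the weakness class: a session-ID generator driven by a deterministic PRNG seeded from a guessable value lets anyone who observes one ID recover the seed and regenerate every ID issued from it, past and future, whereas IDs drawn from the OS CSPRNG cannot be reconstructed. The LCG constants are those of java.util.Random (chosen only because Ignition is a Java application); the timestamp seed, the attacker's seed window and all IDs are constructed for this example.

```python
"""Predictable vs. unpredictable session IDs (added, generic example).

Assumption for illustration: the weak server seeds a java.util.Random-style
LCG with a coarse start-up timestamp.  This is NOT a claim about Ignition's
actual implementation.
"""
import secrets

# java.util.Random's documented 48-bit LCG parameters
_MULT = 0x5DEECE66D
_ADD = 0xB
_MASK = (1 << 48) - 1


class WeakSessionIds:
    """Session IDs from a deterministic LCG; the whole sequence is fixed by the seed."""

    def __init__(self, seed):
        # java.util.Random scrambles the seed with the multiplier before use
        self.state = (seed ^ _MULT) & _MASK

    def _next32(self):
        self.state = (self.state * _MULT + _ADD) & _MASK
        return self.state >> 16  # top 32 bits of the 48-bit state

    def next_id(self):
        # two 32-bit draws -> 16 hex chars; this is what a client would present
        return "%08x%08x" % (self._next32(), self._next32())


def weak_ids_from_seed(seed, count):
    """Server side: the first `count` IDs the weak generator issues for `seed`."""
    gen = WeakSessionIds(seed)
    return [gen.next_id() for _ in range(count)]


def recover_past_ids(observed_id, seed_candidates, count):
    """Attacker side: given one observed ID (e.g. the attacker's own session) and a
    small seed space (a window of plausible start-up timestamps), find the seed and
    regenerate every ID the server issued from it.  Returns (seed, ids) or (None, [])."""
    for seed in seed_candidates:
        ids = weak_ids_from_seed(seed, count)
        if observed_id in ids:
            return seed, ids
    return None, []


def strong_session_id():
    """Hardened form: 128 bits from the OS CSPRNG; no seed exists to recover."""
    return secrets.token_hex(16)


if __name__ == "__main__":
    # Constructed scenario: server started at a Unix time the attacker knows to
    # within a minute; five clients (Designer/Vision-style sessions) connected.
    server_seed = 1_700_000_000
    issued = weak_ids_from_seed(server_seed, 5)
    attacker_window = range(server_seed - 60, server_seed + 61)
    # The attacker only saw the third ID (their own session), yet gets all five.
    seed, recovered = recover_past_ids(issued[2], attacker_window, 5)
    print("recovered seed:", seed, "all IDs:", recovered == issued)
    print("CSPRNG id:", strong_session_id())
```

The check a practitioner wants is the inverse: if you can reproduce a server's earlier session IDs from any observable state (a timestamp, a counter, one leaked ID), the IDs are not secrets and every active session is hijackable; the fix is a CSPRNG-backed ID of at least 128 bits, invalidated on logout and expiry.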
CVSS Score
9.8 (CRITICAL)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Inductive Automation | Ignition | < 7.9.20 |
| Inductive Automation | Ignition | 8.x < 8.1.17 |
Related Weaknesses (CWE)
References
- https://github.com/sourceincite/randy (Exploit, Third Party Advisory)
- https://support.inductiveautomation.com/hc/en-us/articles/7625759776653 (Vendor Advisory)
FAQ
What is CVE-2022-35890?
CVE-2022-35890 is a session-ID mishandling vulnerability in Inductive Automation Ignition (before 7.9.20 and 8.x before 8.1.17) with a CVSS base score of 9.8 (CRITICAL). Designer and Vision Client session IDs can be determined after the fact, letting an attacker hijack the sessions assigned to those IDs; see the description above.
How severe is CVE-2022-35890?
CVE-2022-35890 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2022-35890?
Yes. The affected ranges end at 7.9.20 and 8.1.17, so upgrade Ignition to 7.9.20 or later (7.9 branch) or 8.1.17 or later (8.x branch). The vendor advisory linked in the References section carries the official guidance. Affected product: Inductive Automation Ignition.