Vulnerability Description
Inductive Automation Ignition OPC UA Quick Client Missing Authentication for Critical Function Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of Inductive Automation Ignition. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the server configuration. The issue results from the lack of authentication prior to allowing access to password change functionality. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-20540.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Inductiveautomation | Ignition | < 8.1.26 |
Related Weaknesses (CWE)
References
- https://inductiveautomation.com/blog/inductive-automation-participates-in-pwn2owVendor Advisory
- https://www.zerodayinitiative.com/advisories/ZDI-23-1014/Third Party Advisory
- https://inductiveautomation.com/blog/inductive-automation-participates-in-pwn2owVendor Advisory
- https://www.zerodayinitiative.com/advisories/ZDI-23-1014/Third Party Advisory
FAQ
What is CVE-2023-38123?
CVE-2023-38123 is a vulnerability with a CVSS score of 8.8 (HIGH). Inductive Automation Ignition OPC UA Quick Client Missing Authentication for Critical Function Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication ...
How severe is CVE-2023-38123?
CVE-2023-38123 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-38123?
Check the references section above for vendor advisories and patch information. Affected products include: Inductiveautomation Ignition.