Vulnerability Details CVE-2017-6015
Without quotation marks, any whitespace in the file path for Rockwell Automation FactoryTalk Activation version 4.00.02 remains ambiguous, which may allow an attacker to link to or run a malicious executable. This may allow an authorized, but not privileged local user to execute arbitrary code with elevated privileges on the system. CVSS v3 base score: 8.8, CVSS vector string: (AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H). Rockwell Automation has released a new version of FactoryTalk Activation, Version 4.01, which addresses the identified vulnerability. Rockwell Automation recommends upgrading to the latest version of FactoryTalk Activation, Version 4.01 or later.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 16.8%
CVSS Severity
CVSS v3 Score 7.8
CVSS v2 Score 7.2
References
- http://www.securityfocus.com/bid/96996
- https://ics-cert.us-cert.gov/advisories/ICSA-17-047-02
- https://rockwellautomation.custhelp.com/app/answers/detail/a_id/939382
- http://www.securityfocus.com/bid/96996
- https://ics-cert.us-cert.gov/advisories/ICSA-17-047-02
- https://rockwellautomation.custhelp.com/app/answers/detail/a_id/939382
Products affected by CVE-2017-6015
-
cpe:2.3:a:rockwellautomation:factorytalk_activation:4.00.02