CVE-2024-40620

CVE-2024-40620 IMPACT A vulnerability exists in the affected product due to lack of encryption of sensitive information. The vulnerability results in data being sent between the Console and the Dashboard without encryption, which can be seen in the logs of proxy servers, potentially impacting the data's confidentiality.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD%201691.html	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:rockwellautomation:pavilion8:5.20.00:*:*:*:*:*:*:*

History

31 Jan 2025, 15:03

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.5
Summary		(es) CVE-2024-40620 IMPACT Existe una vulnerabilidad en el producto afectado debido a la falta de cifrado de información confidencial. La vulnerabilidad provoca que los datos se envíen entre la consola y el panel sin cifrado, lo que se puede ver en los registros de los servidores proxy, lo que podría afectar la confidencialidad de los datos.
References	~~() https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD%201691.html -~~	() https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD%201691.html - Vendor Advisory
First Time		Rockwellautomation pavilion8 Rockwellautomation
CPE		cpe:2.3:a:rockwellautomation:pavilion8:5.20.00:::::::*

14 Aug 2024, 20:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-08-14 20:15

Updated : 2025-01-31 15:03

NVD link : CVE-2024-40620

Mitre link : CVE-2024-40620

CVE.ORG link : CVE-2024-40620

JSON object : View

Products Affected

rockwellautomation

pavilion8

CWE

CWE-311

Missing Encryption of Sensitive Data

{"id": "CVE-2024-40620", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "PSIRT@rockwellautomation.com", "cvssData": {"safety": "NOT_DEFINED", "version": "4.0", "recovery": "NOT_DEFINED", "baseScore": 5.3, "automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "modifiedAttackVector": "NOT_DEFINED", "integrityRequirements": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "availabilityRequirements": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subsequentSystemIntegrity": "NONE", "vulnerableSystemIntegrity": "LOW", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "confidentialityRequirements": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "subsequentSystemAvailability": "NONE", "vulnerableSystemAvailability": "LOW", "subsequentSystemConfidentiality": "NONE", "vulnerableSystemConfidentiality": "LOW", "modifiedSubsequentSystemIntegrity": "NOT_DEFINED", "modifiedVulnerableSystemIntegrity": "NOT_DEFINED", "modifiedSubsequentSystemAvailability": "NOT_DEFINED", "modifiedVulnerableSystemAvailability": "NOT_DEFINED", "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED", "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED"}}]}, "published": "2024-08-14T20:15:12.410", "references": [{"url": "https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD%201691.html", "tags": ["Vendor Advisory"], "source": "PSIRT@rockwellautomation.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "PSIRT@rockwellautomation.com", "description": [{"lang": "en", "value": "CWE-311"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-311"}]}], "descriptions": [{"lang": "en", "value": "CVE-2024-40620 IMPACT\n\nA vulnerability exists in the affected product due to lack of encryption of sensitive information. The vulnerability results in data being sent between the Console and the Dashboard without encryption, which can be seen in the logs of proxy servers, potentially impacting the data's confidentiality."}, {"lang": "es", "value": " CVE-2024-40620 IMPACT Existe una vulnerabilidad en el producto afectado debido a la falta de cifrado de informaci\u00f3n confidencial. La vulnerabilidad provoca que los datos se env\u00eden entre la consola y el panel sin cifrado, lo que se puede ver en los registros de los servidores proxy, lo que podr\u00eda afectar la confidencialidad de los datos."}], "lastModified": "2025-01-31T15:03:56.407", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:rockwellautomation:pavilion8:5.20.00:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F95BB706-D8F0-45DE-85CC-791D3C4D1AAB"}], "operator": "OR"}]}], "sourceIdentifier": "PSIRT@rockwellautomation.com"}