CVE-2023-38123

Inductive Automation Ignition OPC UA Quick Client Missing Authentication for Critical Function Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of Inductive Automation Ignition. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the server configuration. The issue results from the lack of authentication prior to allowing access to password change functionality. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-20540.

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://inductiveautomation.com/blog/inductive-automation-participates-in-pwn2own-to-strengthen-ignition-security	Vendor Advisory
https://www.zerodayinitiative.com/advisories/ZDI-23-1014/	Third Party Advisory
https://inductiveautomation.com/blog/inductive-automation-participates-in-pwn2own-to-strengthen-ignition-security	Vendor Advisory
https://www.zerodayinitiative.com/advisories/ZDI-23-1014/	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:inductiveautomation:ignition:*:*:*:*:*:*:*:*

History

13 Mar 2025, 21:44

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~7.5~~	v2 : unknown v3 : 8.8
References	~~() https://inductiveautomation.com/blog/inductive-automation-participates-in-pwn2own-to-strengthen-ignition-security -~~	() https://inductiveautomation.com/blog/inductive-automation-participates-in-pwn2own-to-strengthen-ignition-security - Vendor Advisory
References	~~() https://www.zerodayinitiative.com/advisories/ZDI-23-1014/ -~~	() https://www.zerodayinitiative.com/advisories/ZDI-23-1014/ - Third Party Advisory
First Time		Inductiveautomation Inductiveautomation ignition
CPE		cpe:2.3:a:inductiveautomation:ignition::::::::

21 Nov 2024, 08:12

Type	Values Removed	Values Added
Summary		(es) Autenticación faltante del cliente rápido OPC UA de Inductive Automation Ignition para vulnerabilidad de omisión de autenticación de función crítica. Esta vulnerabilidad permite a atacantes remotos eludir la autenticación en las instalaciones afectadas de Inductive Automation Ignition. Se requiere la interacción del usuario para aprovechar esta vulnerabilidad, ya que el objetivo debe visitar una página maliciosa o abrir un archivo malicioso. La falla específica existe dentro de la configuración del servidor. El problema se debe a la falta de autenticación antes de permitir el acceso a la función de cambio de contraseña. Un atacante puede aprovechar esta vulnerabilidad para eludir la autenticación en el sistema. Era ZDI-CAN-20540.
References	~~() https://inductiveautomation.com/blog/inductive-automation-participates-in-pwn2own-to-strengthen-ignition-security -~~	() https://inductiveautomation.com/blog/inductive-automation-participates-in-pwn2own-to-strengthen-ignition-security -
References	~~() https://www.zerodayinitiative.com/advisories/ZDI-23-1014/ -~~	() https://www.zerodayinitiative.com/advisories/ZDI-23-1014/ -

03 May 2024, 02:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-05-03 02:15

Updated : 2025-03-13 21:44

NVD link : CVE-2023-38123

Mitre link : CVE-2023-38123

CVE.ORG link : CVE-2023-38123

JSON object : View

Products Affected

inductiveautomation

ignition

CWE

CWE-306

Missing Authentication for Critical Function

8.8 /10