CVE-2024-21920

A memory buffer vulnerability in Rockwell Automation Arena Simulation could potentially let a threat actor read beyond the intended memory boundaries. This could reveal sensitive information and even cause the application to crash, resulting in a denial-of-service condition. To trigger this, the user would unwittingly need to open a malicious file shared by the threat actor.

CVSS v3 4.4 MEDIUM

4.4^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.8 / Impact : 2.5

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://www.rockwellautomation.com/en-us/support/advisory.SD-1665.html	Broken Link
https://www.rockwellautomation.com/en-us/support/advisory.SD-1665.html	Broken Link

Configurations

Configuration 1 (hide)

cpe:2.3:a:rockwellautomation:arena:*:*:*:*:*:*:*:*

History

17 Dec 2024, 15:52

Type	Values Removed	Values Added
First Time		Rockwellautomation arena
CPE	cpe:2.3:a:rockwellautomation:arena_simulation::::::::	cpe:2.3:a:rockwellautomation:arena::::::::

09 Dec 2024, 15:25

Type	Values Removed	Values Added
First Time		Rockwellautomation Rockwellautomation arena Simulation
References	~~() https://www.rockwellautomation.com/en-us/support/advisory.SD-1665.html -~~	() https://www.rockwellautomation.com/en-us/support/advisory.SD-1665.html - Broken Link
CPE		cpe:2.3:a:rockwellautomation:arena_simulation::::::::

21 Nov 2024, 08:55

Type	Values Removed	Values Added
References	~~() https://www.rockwellautomation.com/en-us/support/advisory.SD-1665.html -~~	() https://www.rockwellautomation.com/en-us/support/advisory.SD-1665.html -

26 Mar 2024, 17:09

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-03-26 16:15

Updated : 2024-12-17 15:52

NVD link : CVE-2024-21920

Mitre link : CVE-2024-21920

CVE.ORG link : CVE-2024-21920

JSON object : View

Products Affected

rockwellautomation

arena

CWE

CWE-125

Out-of-bounds Read

{"id": "CVE-2024-21920", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "PSIRT@rockwellautomation.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.4, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 1.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 1.8}]}, "published": "2024-03-26T16:15:11.277", "references": [{"url": "https://www.rockwellautomation.com/en-us/support/advisory.SD-1665.html", "tags": ["Broken Link"], "source": "PSIRT@rockwellautomation.com"}, {"url": "https://www.rockwellautomation.com/en-us/support/advisory.SD-1665.html", "tags": ["Broken Link"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "PSIRT@rockwellautomation.com", "description": [{"lang": "en", "value": "CWE-125"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-125"}]}], "descriptions": [{"lang": "en", "value": "\n\n\nA memory buffer vulnerability in Rockwell Automation Arena Simulation could potentially let a threat actor read beyond the intended memory boundaries. This could reveal sensitive information and even cause the application to crash, resulting in a denial-of-service condition. To trigger this, the user would unwittingly need to open a malicious file shared by the threat actor.\n\n\n\n"}, {"lang": "es", "value": "Una vulnerabilidad del b\u00fafer de memoria en Rockwell Automation Arena Simulation podr\u00eda permitir que un actor de amenazas lea m\u00e1s all\u00e1 de los l\u00edmites de memoria previstos. Esto podr\u00eda revelar informaci\u00f3n confidencial e incluso provocar que la aplicaci\u00f3n falle, lo que provocar\u00eda una condici\u00f3n de denegaci\u00f3n de servicio. Para desencadenar esto, el usuario tendr\u00eda que abrir, sin saberlo, un archivo malicioso compartido por el actor de la amenaza."}], "lastModified": "2024-12-17T15:52:01.670", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:rockwellautomation:arena:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C8A71AA4-C01D-47F2-B87F-96EF9B461BD1", "versionStartIncluding": "16.00.00"}], "operator": "OR"}]}], "sourceIdentifier": "PSIRT@rockwellautomation.com"}