CVE-2020-12005
Severity CVSS v4.0:
Pending analysis
Type:
CWE-434
Unrestricted Upload of File with Dangerous Type
Publication date:
15/06/2020
Last modified:
24/06/2020
Description
FactoryTalk Linx versions 6.00, 6.10, and 6.11, RSLinx Classic v4.11.00 and prior,Connected Components Workbench: Version 12 and prior, ControlFLASH: Version 14 and later, ControlFLASH Plus: Version 1 and later, FactoryTalk Asset Centre: Version 9 and later, FactoryTalk Linx CommDTM: Version 1 and later, Studio 5000 Launcher: Version 31 and later Stud, 5000 Logix Designer software: Version 32 and prior is vulnerable. A vulnerability exists in the communication function that enables users to upload EDS files by FactoryTalk Linx. This may allow an attacker to upload a file with bad compression, consuming all the available CPU resources, leading to a denial-of-service condition.
Impact
Base Score 3.x
7.50
Severity 3.x
HIGH
Base Score 2.0
7.80
Severity 2.0
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:rockwellautomation:factorytalk_linx:6.00:*:*:*:*:*:*:* | ||
| cpe:2.3:a:rockwellautomation:factorytalk_linx:6.10:*:*:*:*:*:*:* | ||
| cpe:2.3:a:rockwellautomation:factorytalk_linx:6.11:*:*:*:*:*:*:* | ||
| cpe:2.3:a:rockwellautomation:rslinx_classic:*:*:*:*:*:*:*:* | 4.11.00 (including) |
To consult the complete list of CPE names with products and versions, see this page