Vulnerabilities > CVE-2020-14478 - XXE vulnerability in Rockwellautomation Factorytalk Services Platform

CVSS 5.6 - MEDIUM

Attack vector

LOCAL

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

COMPLETE

Integrity impact

NONE

Availability impact

PARTIAL

local

low complexity

rockwellautomation

CWE-611

NVD

Published: 2022-02-24

Updated: 2022-03-04

Summary

A local, authenticated attacker could use an XML External Entity (XXE) attack to exploit weakly configured XML files to access local or remote content. A successful exploit could potentially cause a denial-of-service condition and allow the attacker to arbitrarily read any local file via system-level services.

Vulnerable Configurations

Part	Description	Count
Application	Rockwellautomation Rockwellautomation Factorytalk Services Platform - Rockwellautomation Factorytalk Services Platform 2.51.00.8 Rockwellautomation Factorytalk Services Platform 2.61 Rockwellautomation Factorytalk Services Platform 2.71 Rockwellautomation Factorytalk Services Platform 2.73 Rockwellautomation Factorytalk Services Platform 2.74 Rockwellautomation Factorytalk Services Platform 2.80 Rockwellautomation Factorytalk Services Platform 2.90 Rockwellautomation Factorytalk Services Platform 6.10.00 Rockwellautomation Factorytalk Services Platform 6.11.00	10

Common Weakness Enumeration (CWE)

CWE-611 - Improper Restriction of XML External Entity Reference ('XXE')

References

https://www.cisa.gov/uscert/ics/advisories/icsa-20-177-02