Vulnerabilities > CVE-2022-1704 - XXE vulnerability in Inductiveautomation Ignition

CVSS 9.8 - CRITICAL

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

inductiveautomation

CWE-611

critical

NVD

Published: 2022-08-05

Updated: 2022-08-11

Summary

Due to an XML external entity reference, the software parses XML in the backup/restore functionality without XML security flags, which may lead to a XXE attack while restoring the backup.

Vulnerable Configurations

Part	Description	Count
Application	Inductiveautomation Inductiveautomation Ignition 7.9.0 Inductiveautomation Ignition 7.9.1 Inductiveautomation Ignition 7.9.2 Inductiveautomation Ignition 7.9.3 Inductiveautomation Ignition 7.9.4 Inductiveautomation Ignition 7.9.5 Inductiveautomation Ignition 7.9.6 Inductiveautomation Ignition 7.9.7 Inductiveautomation Ignition 7.9.8 Inductiveautomation Ignition 7.9.9 Inductiveautomation Ignition 7.9.10 Inductiveautomation Ignition 7.9.11 Inductiveautomation Ignition 7.9.12 Inductiveautomation Ignition 7.9.13 Inductiveautomation Ignition 7.9.14 Inductiveautomation Ignition 7.9.15 Inductiveautomation Ignition 7.9.16 Inductiveautomation Ignition 7.9.17 Inductiveautomation Ignition 7.9.18 Inductiveautomation Ignition 7.9.19 Inductiveautomation Ignition 7.9.20 Inductiveautomation Ignition 8.1.0 Inductiveautomation Ignition 8.1.1 Inductiveautomation Ignition 8.1.2 Inductiveautomation Ignition 8.1.3 Inductiveautomation Ignition 8.1.4 Inductiveautomation Ignition 8.1.5 Inductiveautomation Ignition 8.1.6 Inductiveautomation Ignition 8.1.7	29

Common Weakness Enumeration (CWE)

CWE-611 - Improper Restriction of XML External Entity Reference ('XXE')

References

https://www.cisa.gov/uscert/ics/advisories/icsa-22-207-01