CVE-2023-39477 HIGH

CVE-2023-39477: Inductive Automation Ignition ConditionRefresh Resource Exhaustion Denial-of-Service Vulnerability

Vendor Inductive Automation

Product Ignition

Weakness CWE-400

Published May 3, 2024

Last update August 2, 2024

View on NVD All CVEs

CVSS base score

7.5/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality None

Integrity None

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

What the vulnerability does

01Description

Inductive Automation Ignition ConditionRefresh Resource Exhaustion Denial-of-Service Vulnerability. This vulnerability allows remote attackers to create a denial-of-service condition on affected installations of Inductive Automation Ignition. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of OPC UA ConditionRefresh requests. By sending a large number of requests, an attacker can consume all available resources on the server. An attacker can leverage this vulnerability to create a denial-of-service condition on the system. Was ZDI-CAN-20499.

Key dates

02Disclosure timeline

May 3, 2024 CVE published

August 2, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2023-39477 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/400.html

Related vulnerabilities

CVE-2023-39477: Inductive Automation Ignition ConditionRefresh Resource Exhaustion Denial-of-Service Vulnerability

01Description

02Disclosure timeline

03References

04Related CVE