CVE-2020-12029
Summary
| CVE | CVE-2020-12029 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2020-07-20 15:15:00 UTC |
| Updated | 2022-01-04 16:37:00 UTC |
| Description | All versions of FactoryTalk View SE do not properly validate input of filenames within a project directory. A remote, unauthenticated attacker may be able to execute a crafted file on a remote endpoint that may result in remote code execution (RCE). Rockwell Automation recommends applying patch 1126289. Before installing this patch, the patch rollup dated 06 Apr 2020 or later MUST be applied. 1066644 – Patch Roll-up for CPR9 SRx. |
Risk And Classification
Problem Types: CWE-20
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Rockwellautomation | Factorytalk View | - | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Rockwell FactoryTalk View SE SCADA Unauthenticated Remote Code Execution ≈ Packet Storm | MISC | packetstormsecurity.com | |
| This is the Legacy Answer page, redirecting you to the new page. | MISC | rockwellautomation.custhelp.com | Vendor Advisory |
| Rockwell Automation FactoryTalk View SE \| CISA | MISC | us-cert.cisa.gov | Third Party Advisory, US Government Resource |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
LEGACY: Trend Micro’s Zero Day Initiative reported these vulnerabilities to Rockwell Automation
There are currently no legacy QID mappings associated with this CVE.