CVE-2024-11364 HIGH

Published: 2024-12-19 | Last Modified: 2025-07-11 | Status: Analyzed

Description

Another “uninitialized variable” code execution vulnerability exists in the Rockwell Automation Arena® that could allow a threat actor to craft a DOE file and force the software to access a variable prior to it being initialized. If exploited, a threat actor could leverage this vulnerability to execute arbitrary code. To exploit this vulnerability, a legitimate user must execute the malicious code crafted by the threat actor.

Additional Descriptions (1)

Existe otra vulnerabilidad de ejecución de código de “variable no inicializada” en Rockwell Automation Arena® que podría permitir que un actor de amenazas manipular un archivo DOE y obligue al software a acceder a una variable antes de que se inicialice. Si se explota, un actor de amenazas podría aprovechar esta vulnerabilidad para ejecutar código arbitrario. Para explotar esta vulnerabilidad, un usuario legítimo debe ejecutar el código malicioso manipulado por el actor de amenazas.

CVSS Metrics

Base Score: 7.3 (HIGH)

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Attack Vector	LOCAL
Attack Complexity	LOW
Privileges Required	LOW
User Interaction	REQUIRED
Scope	UNCHANGED
Confidentiality Impact	HIGH
Integrity Impact	HIGH
Availability Impact	HIGH

Source: [email protected]

Type: Primary

Exploitability Score: 1.3

Impact Score: 5.9

Base Score: 8.5 (HIGH)

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector	LOCAL
Attack Complexity	LOW
Attack Requirements	NONE
Privileges Required	NONE
User Interaction	PASSIVE
Vulnerability Confidentiality	HIGH
Vulnerability Integrity	HIGH
Vulnerability Availability	HIGH
Subsequent Confidentiality	NONE
Subsequent Integrity	NONE
Subsequent Availability	NONE

Source: [email protected]

Type: Secondary

Weaknesses

Source	Type	Description
[email protected]	Primary	en CWE-908
134c704f-9b21-4f2e-91b3-4a467353bcc0	Secondary	en CWE-908

Affected Products

Vendor	Product	Version	Update	Type
rockwellautomation	arena	*	<built-in method update of dict object at 0x72a9b0d2f100>	Application

Affected Configurations

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:a:rockwellautomation:arena::::::::`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:o:microsoft:windows:-::::::x86:`

References

https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1713.html
Source: [email protected]

Vendor Advisory