CVE-2020-12034: SQL Injection
First published: Wed May 20 2020(Updated: )
Products that use EDS Subsystem: Version 28.0.1 and prior (FactoryTalk Linx software (Previously called RSLinx Enterprise): Versions 6.00, 6.10, and 6.11, RSLinx Classic: Version 4.11.00 and prior, RSNetWorx software: Version 28.00.00 and prior, Studio 5000 Logix Designer software: Version 32 and prior) is vulnerable.The EDS subsystem does not provide adequate input sanitation, which may allow an attacker to craft specialized EDS files to inject SQL queries and manipulate the database storing the EDS files. This can lead to denial-of-service conditions.
Credit: ics-cert@hq.dhs.gov
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Rockwellautomation Eds Subsystem | <=28.0.1 | |
| Rockwellautomation Rslinx | <=4.11.00 | |
| Rockwellautomation Rslinx Enterprise | =6.00.00 | |
| Rockwellautomation Rslinx Enterprise | =6.10.00 | |
| Rockwellautomation Rslinx Enterprise | =6.11.00 | |
| Rockwellautomation Rsnetworx | <=28.00.00 | |
| Rockwellautomation Studio 5000 Logix Designer | <=32.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2020-12034?
CVE-2020-12034 is a vulnerability found in the EDS Subsystem of Rockwell Automation products.
Which Rockwell Automation products are affected by CVE-2020-12034?
Products that use EDS Subsystem: Version 28.0.1 and prior, FactoryTalk Linx software (Previously called RSLinx Enterprise): Versions 6.00, 6.10, and 6.11, RSLinx Classic: Version 4.11.00 and prior, RSNetWorx software: Version 28.00.00 and prior, Studio 5000 Logix Designer software: Version 32 and prior.
What is the severity of CVE-2020-12034?
CVE-2020-12034 has a severity rating of 8.2 (high).
How can I fix CVE-2020-12034?
To fix CVE-2020-12034, it is recommended to update the affected Rockwell Automation products to a version that is not vulnerable.
Where can I find more information about CVE-2020-12034?
You can find more information about CVE-2020-12034 on the official US-CERT website at https://www.us-cert.gov/ics/advisories/icsa-20-140-01.
- collector/nvd-index
- agent/weakness
- agent/author
- agent/tags
- agent/type
- agent/description
- agent/event
- agent/severity
- agent/references
- agent/first-publish-date
- agent/last-modified-date
- agent/remedy
- agent/softwarecombine
- vendor/rockwellautomation
- canonical/rockwellautomation eds subsystem
- version/rockwellautomation eds subsystem/28.0.1
- canonical/rockwellautomation rslinx
- version/rockwellautomation rslinx/4.11.00
- canonical/rockwellautomation rslinx enterprise
- version/rockwellautomation rslinx enterprise/6.00.00
- version/rockwellautomation rslinx enterprise/6.10.00
- version/rockwellautomation rslinx enterprise/6.11.00
- canonical/rockwellautomation rsnetworx
- version/rockwellautomation rsnetworx/28.00.00
- canonical/rockwellautomation studio 5000 logix designer
- version/rockwellautomation studio 5000 logix designer/32.0