Published:2025/01/14 Last Updated:2025/01/14
JVNVU#96335720
OMRON NJ/NX series vulnerable to path traversal
Overview
OMRON NJ/NX series contain a path traversal vulnerability.
Products Affected
- Machine Automation Controller NJ-series
- NJ101-[][][][], NJ301-[][][][], NJ501-1[]0[]
- Ver.1.64.05 and earlier
- Lot No. 30924(September 30, 2024) and earlier(*1)
- Ver.1.64.05 and earlier
- NJ501-1[]2[], NJ501-1340, NJ501-4[][][], NJ501-5300, NJ501-R[][][]
- Ver.1.64.04 and earlier
- Lot No.30924(September 30, 2024) and earlier(*1)
- Ver.1.64.04 and earlier
(*1) Refer to "ID Information Indication" section of the manual "NJ-series CPU unit Hardware User’s Manual (W500)" regarding how to check Lot No. - NJ101-[][][][], NJ301-[][][][], NJ501-1[]0[]
- Machine Automation Controller NX-series
- NX1P2-[][][][][][], NX1P2-[][][][][][]1
- Ver.1.64.04 and earlier
- Lot No.19Y24(November 19, 2024) and earlier(*2)
- Ver.1.64.04 and earlier
- NX1P2-[][][][][][], NX1P2-[][][][][][]1
Refer to the developer's advisory "Appendix" section regarding how to check the affected versions.
(*2) Refer to "ID Information Indication" section of the manual "NX1P2 CPU Unit User’s Manual (Hardware) (W578)" regarding how to check Lot No.
As for the details, refer to the information provided by the developer.
(*2) Refer to "ID Information Indication" section of the manual "NX1P2 CPU Unit User’s Manual (Hardware) (W578)" regarding how to check Lot No.
As for the details, refer to the information provided by the developer.
Description
Machine Automation Controller NJ/NX series provided by OMRON Corporation contain a path traversal vulnerability (CWE-22, CVE-2024-12083).
Impact
An arbitrary file in the affected product may be accessed or arbitrary code may be executed by processing a specially crafted request sent from a remote attacker with an administrative privilege.
Solution
Update the software
Update the software to the latest version according to the information provided by the developer.
As for how to obtain the update or how to apply the update, refer to the information provided by the developer.
Vendor Status
| Vendor | Link |
| OMRON Corporation | Path Traversal Vulnerabilities in NJ/NX-series Machine Automation Controllers |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
CVSS v3
CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Base Score:
6.6
| Attack Vector(AV) | Physical (P) | Local (L) | Adjacent (A) | Network (N) |
|---|---|---|---|---|
| Attack Complexity(AC) | High (H) | Low (L) | ||
| Privileges Required(PR) | High (H) | Low (L) | None (N) | |
| User Interaction(UI) | Required (R) | None (N) | ||
| Scope(S) | Unchanged (U) | Changed (C) | ||
| Confidentiality Impact(C) | None (N) | Low (L) | High (H) | |
| Integrity Impact(I) | None (N) | Low (L) | High (H) | |
| Availability Impact(A) | None (N) | Low (L) | High (H) |
Credit
OMRON Corporation reported this vulnerability to JPCERT/CC to notify users of its solution through JVN.