Skip to main content

Thinmanager CVE-2024-10387

HIGH
Out-of-bounds Read (CWE-125)
2024-10-25 PSIRT@rockwellautomation.com
8.7
CVSS 4.0 · Vendor: rockwellautomation
Share

Severity by source

Vendor (rockwellautomation) PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (rockwellautomation) · only source for this CVE.

CVSS VectorVendor: rockwellautomation

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

1
CVE Published
Oct 25, 2024 - 17:15 cve.org
HIGH 8.7

DescriptionCVE.org

CVE-2024-10387 IMPACT

A Denial-of-Service vulnerability exists in the affected product. The vulnerability could allow a threat actor with network access to send crafted messages to the device, potentially resulting in Denial-of-Service.

AnalysisAI

CVE-2024-10387 IMPACT A Denial-of-Service vulnerability exists in the affected product. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as Out-of-bounds Read (CWE-125), which allows attackers to read data from memory outside the intended buffer boundaries. CVE-2024-10387 IMPACT A Denial-of-Service vulnerability exists in the affected product. The vulnerability could allow a threat actor with network access to send crafted messages to the device, potentially resulting in Denial-of-Service. Affected products include: Rockwellautomation Thinmanager.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Validate array indices and buffer lengths. Use memory-safe languages. Enable AddressSanitizer during testing.

CVE-2023-27855 CRITICAL POC
9.8 Mar 22

In affected versions, a path traversal exists when processing a message in Rockwell Automation's ThinManager ThinServer.

CVE-2023-27856 HIGH POC
7.5 Mar 22

In affected versions, path traversal exists when processing a message of type 8 in Rockwell Automation's ThinManager Thi

CVE-2022-38742 CRITICAL
9.8 Sep 23

Rockwell Automation ThinManager ThinServer versions 11.0.0 - 13.0.0 is vulnerable to a heap-based buffer overflow. Rated

CVE-2024-10386 CRITICAL
9.3 Oct 25

CVE-2024-10386 IMPACT An authentication vulnerability exists in the affected product. Rated critical severity (CVSS 9.3)

CVE-2024-5989 CRITICAL
9.3 Jun 25

Due to an improper input validation, an unauthenticated threat actor can send a malicious message to invoke SQL injectio

CVE-2024-5988 CRITICAL
9.3 Jun 25

Due to an improper input validation, an unauthenticated threat actor can send a malicious message to invoke a local or r

CVE-2024-5990 HIGH
8.7 Jun 25

Due to an improper input validation, an unauthenticated threat actor can send a malicious message to a monitor thread wi

CVE-2025-3618 HIGH
8.5 Apr 15

A denial-of-service vulnerability exists in the Rockwell Automation ThinManager. Rated high severity (CVSS 8.5), this vu

CVE-2025-3617 HIGH
8.5 Apr 15

A privilege escalation vulnerability exists in the Rockwell Automation ThinManager. Rated high severity (CVSS 8.5), this

CVE-2024-45826 HIGH
8.5 Sep 12

CVE-2024-45826 IMPACT Due to improper input validation, a path traversal and remote code execution vulnerability exists

CVE-2023-2443 HIGH
7.5 May 11

Rockwell Automation ThinManager product allows the use of medium strength ciphers. Rated high severity (CVSS 7.5), this

CVE-2023-27857 HIGH
7.5 Mar 22

In affected versions, a heap-based buffer over-read condition occurs when the message field indicates more data than is

Share

CVE-2024-10387 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy