CVE-2023-50233: 
Inductive Automation Ignition vulnerability analysis and mitigation

CVE-2023-50233 is a directory traversal vulnerability in Inductive Automation Ignition's getJavaExecutable method that allows remote code execution. The vulnerability was discovered by Piotr Bazydlo of Trend Micro Zero Day Initiative and was disclosed on February 21, 2024. The vulnerability affects Inductive Automation Ignition installations and has been assigned a CVSS score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) (ZDI Advisory).

The vulnerability exists within the getJavaExecutable method of Inductive Automation Ignition. The specific flaw stems from the lack of proper validation of a user-supplied path prior to using it in file operations. This vulnerability requires user interaction to exploit, specifically requiring the target to connect to a malicious server (ZDI Advisory).

If successfully exploited, this vulnerability allows attackers to execute arbitrary code in the context of the current user. The high CVSS score of 8.8 indicates severe potential impact on system confidentiality, integrity, and availability (ZDI Advisory).

Inductive Automation has released an update to address this vulnerability. Users are recommended to apply the latest security updates to their Ignition installations (ZDI Advisory, Inductive Security).