Opcfoundation
Products by Opcfoundation Sorted by Most Security Vulnerabilities since 2018
By the Year
In 2024 there have been 0 vulnerabilities in Opcfoundation . Last year Opcfoundation had 2 security vulnerabilities published. Right now, Opcfoundation is on track to have less security vulnerabilities in 2024 than it did last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2024 | 0 | 0.00 |
| 2023 | 2 | 6.40 |
| 2022 | 9 | 7.42 |
| 2021 | 3 | 6.47 |
| 2020 | 2 | 7.45 |
| 2019 | 0 | 0.00 |
| 2018 | 4 | 6.58 |
It may take a day or so for new Opcfoundation vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Opcfoundation Security Vulnerabilities
The OPC UA .NET Standard Reference Server before 1.4.371.86
CVE-2023-31048
5.3 - Medium
- December 12, 2023
The OPC UA .NET Standard Reference Server before 1.4.371.86. places sensitive information into an error message that may be seen remotely.
Generation of Error Message Containing Sensitive Information
The OPC UA Legacy Java Stack before 6f176f2 enables an attacker to block OPC UA server applications via uncontrolled resource consumption so
CVE-2023-32787
7.5 - High
- May 15, 2023
The OPC UA Legacy Java Stack before 6f176f2 enables an attacker to block OPC UA server applications via uncontrolled resource consumption so that they can no longer serve client applications.
Resource Exhaustion
OPC Foundation Local Discovery Server (LDS) through 1.04.403.478 uses a hard-coded file path to a configuration file
CVE-2022-44725
7.8 - High
- November 17, 2022
OPC Foundation Local Discovery Server (LDS) through 1.04.403.478 uses a hard-coded file path to a configuration file. This allows a normal user to create a malicious file that is loaded by LDS (running as a high-privilege user).
Incorrect Permission Assignment for Critical Resource
OPC UA .NET Standard Reference Server 1.04.368
CVE-2022-33916
7.5 - High
- August 23, 2022
OPC UA .NET Standard Reference Server 1.04.368 allows a remote attacker to cause the application to access sensitive information.
OPC UA .NET Standard Stack 1.04.368 allows remote attacker to cause a crash via a crafted message
CVE-2022-29863
7.5 - High
- June 16, 2022
OPC UA .NET Standard Stack 1.04.368 allows remote attacker to cause a crash via a crafted message that triggers excessive memory allocation.
Allocation of Resources Without Limits or Throttling
OPC UA .NET Standard Stack 1.04.368 allows a remote attacker to cause a server to crash via a large number of messages
CVE-2022-29864
7.5 - High
- June 16, 2022
OPC UA .NET Standard Stack 1.04.368 allows a remote attacker to cause a server to crash via a large number of messages that trigger Uncontrolled Resource Consumption.
Resource Exhaustion
OPC UA .NET Standard Stack 1.04.368 allows a remote attacker to exhaust the memory resources of a server via a crafted request
CVE-2022-29866
7.5 - High
- June 16, 2022
OPC UA .NET Standard Stack 1.04.368 allows a remote attacker to exhaust the memory resources of a server via a crafted request that triggers Uncontrolled Resource Consumption.
Resource Exhaustion
An infinite loop in OPC UA .NET Standard Stack 1.04.368
CVE-2022-29862
7.5 - High
- June 16, 2022
An infinite loop in OPC UA .NET Standard Stack 1.04.368 allows a remote attackers to cause the application to hang via a crafted message.
Infinite Loop
OPC UA .NET Standard Stack
CVE-2022-29865
7.5 - High
- June 16, 2022
OPC UA .NET Standard Stack allows a remote attacker to bypass the application authentication check via crafted fake credentials.
authentification
OPC UA Legacy Java Stack 2022-04-01 allows a remote attacker to cause a server to stop processing messages by sending crafted messages
CVE-2022-30551
7.5 - High
- May 20, 2022
OPC UA Legacy Java Stack 2022-04-01 allows a remote attacker to cause a server to stop processing messages by sending crafted messages that exhaust available resources.
Resource Exhaustion
The OPC autogenerated ANSI C stack stubs (in the NodeSets) do not handle all error cases
CVE-2021-45117
6.5 - Medium
- March 21, 2022
The OPC autogenerated ANSI C stack stubs (in the NodeSets) do not handle all error cases. This can lead to a NULL pointer dereference.
NULL Pointer Dereference
In OPC Foundation Local Discovery Server (LDS) before 1.04.402.463, remote attackers can cause a denial of service (DoS) by sending carefully crafted messages
CVE-2021-40142
7.5 - High
- August 27, 2021
In OPC Foundation Local Discovery Server (LDS) before 1.04.402.463, remote attackers can cause a denial of service (DoS) by sending carefully crafted messages that lead to Access of a Memory Location After the End of a Buffer.
Buffer Overflow
OPC Foundation UA .NET Standard versions prior to 1.4.365.48 and OPC UA .NET Legacy are vulnerable to an uncontrolled recursion, which may
CVE-2021-27432
7.5 - High
- May 20, 2021
OPC Foundation UA .NET Standard versions prior to 1.4.365.48 and OPC UA .NET Legacy are vulnerable to an uncontrolled recursion, which may allow an attacker to trigger a stack overflow.
Stack Exhaustion
A Privilege Elevation vulnerability in OPC UA .NET Standard Stack 1.4.363.107 could
CVE-2020-29457
4.4 - Medium
- February 16, 2021
A Privilege Elevation vulnerability in OPC UA .NET Standard Stack 1.4.363.107 could allow a rogue application to establish a secure connection.
Improper Certificate Validation
This vulnerability allows remote attackers to create a denial-of-service condition on affected installations of OPC Foundation UA .NET Standard 1.04.358.30
CVE-2020-8867
7.5 - High
- April 22, 2020
This vulnerability allows remote attackers to create a denial-of-service condition on affected installations of OPC Foundation UA .NET Standard 1.04.358.30. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of sessions. The issue results from the lack of proper locking when performing operations on an object. An attacker can leverage this vulnerability to create a denial-of-service condition against the application. Was ZDI-CAN-10295.
Insufficient Session Expiration
In OPC Foundation OPC UA .NET Standard codebase 1.4.357.28, servers do not create sufficiently random numbers in OPCFoundation.NetStandard.Opc.Ua before 1.4.359.31, which
CVE-2019-19135
7.4 - High
- March 16, 2020
In OPC Foundation OPC UA .NET Standard codebase 1.4.357.28, servers do not create sufficiently random numbers in OPCFoundation.NetStandard.Opc.Ua before 1.4.359.31, which allows man in the middle attackers to reuse encrypted user credentials sent over the network.
Insufficiently Protected Credentials
Failure to validate certificates in OPC Foundation UA Client Applications communicating without security
CVE-2018-12087
5.3 - Medium
- October 03, 2018
Failure to validate certificates in OPC Foundation UA Client Applications communicating without security allows attackers with control over a piece of network infrastructure to decrypt passwords.
Improper Certificate Validation
An XXE vulnerability in the OPC UA Java and .NET Legacy Stack can
CVE-2018-12585
8.2 - High
- September 14, 2018
An XXE vulnerability in the OPC UA Java and .NET Legacy Stack can allow remote attackers to trigger a denial of service.
XXE
Buffer overflow in OPC UA applications
CVE-2018-12086
7.5 - High
- September 14, 2018
Buffer overflow in OPC UA applications allows remote attackers to trigger a stack overflow with carefully structured requests.
Memory Corruption
An issue was discovered in OPC UA .NET Standard Stack and Sample Code before GitHub commit 2018-04-12
CVE-2018-7559
5.3 - Medium
- June 13, 2018
An issue was discovered in OPC UA .NET Standard Stack and Sample Code before GitHub commit 2018-04-12, and OPC UA .NET Legacy Stack and Sample Code before GitHub commit 2018-03-13. A vulnerability in OPC UA applications can allow a remote attacker to determine a Server's private key by sending carefully constructed bad UserIdentityTokens as part of an oracle attack.
Key Management Errors