cvelistv5 - CVE-2024-23847

CVE-2024-23847

Vulnerability from cvelistv5

Published

2024-05-31 06:11

Modified

2024-08-01 23:13

Severity ?

5.9 (Medium) - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Summary

Incorrect default permissions issue exists in Unifier and Unifier Cast Version.5.0 or later, and the patch "20240527" not applied. If this vulnerability is exploited, arbitrary code may be executed with LocalSystem privilege. As a result, a malicious program may be installed, data may be modified or deleted.

References

▼	URL	Tags
	vultures@jpcert.or.jp	https://jvn.jp/en/jp/JVN17680667/
	vultures@jpcert.or.jp	https://www.yrl.com/fwp_support/info/khvu7f00000000q7.html

Impacted products

▼	Vendor	Product
	Yokogawa Rental & Lease Corporation	Unifier
	Yokogawa Rental & Lease Corporation	Unifier Cast

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:yokogawa_rental_lease_corporation:unifier:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "unifier",
            "vendor": "yokogawa_rental_lease_corporation",
            "versions": [
              {
                "lessThan": "5.10",
                "status": "affected",
                "version": "5.0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "LOW",
              "baseScore": 5.9,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-23847",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-06-06T18:05:15.775654Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-276",
                "description": "CWE-276 Incorrect Default Permissions",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-06T18:24:08.424Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T23:13:08.240Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.yrl.com/fwp_support/info/khvu7f00000000q7.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://jvn.jp/en/jp/JVN17680667/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Unifier",
          "vendor": "Yokogawa Rental \u0026 Lease Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "Version.5.0 or later"
            },
            {
              "status": "affected",
              "version": " and the patch \"20240527\" not applied"
            }
          ]
        },
        {
          "product": "Unifier Cast ",
          "vendor": "Yokogawa Rental \u0026 Lease Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "Version.5.0 or later"
            },
            {
              "status": "affected",
              "version": " and the patch \"20240527\" not applied"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Incorrect default permissions issue exists in Unifier and Unifier Cast Version.5.0 or later, and the patch \"20240527\" not applied. If this vulnerability is exploited, arbitrary code may be executed with LocalSystem privilege. As a result, a malicious program may be installed, data may be modified or deleted."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Incorrect Default Permissions",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-05-31T06:11:15.428Z",
        "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "shortName": "jpcert"
      },
      "references": [
        {
          "url": "https://www.yrl.com/fwp_support/info/khvu7f00000000q7.html"
        },
        {
          "url": "https://jvn.jp/en/jp/JVN17680667/"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
    "assignerShortName": "jpcert",
    "cveId": "CVE-2024-23847",
    "datePublished": "2024-05-31T06:11:15.428Z",
    "dateReserved": "2024-01-23T07:00:54.325Z",
    "dateUpdated": "2024-08-01T23:13:08.240Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-23847\",\"sourceIdentifier\":\"vultures@jpcert.or.jp\",\"published\":\"2024-05-31T06:15:10.070\",\"lastModified\":\"2024-07-03T01:48:09.197\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Incorrect default permissions issue exists in Unifier and Unifier Cast Version.5.0 or later, and the patch \\\"20240527\\\" not applied. If this vulnerability is exploited, arbitrary code may be executed with LocalSystem privilege. As a result, a malicious program may be installed, data may be modified or deleted.\"},{\"lang\":\"es\",\"value\":\"Existe un problema de permisos predeterminados incorrectos en Unifier y Unifier Cast versi\u00f3n 5.0 o posterior, y el parche \\\"20240527\\\" no se aplic\u00f3. Si se explota esta vulnerabilidad, se puede ejecutar c\u00f3digo arbitrario con privilegios LocalSystem. Como resultado, se puede instalar un programa malicioso y se pueden modificar o eliminar datos.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\",\"baseScore\":5.9,\"baseSeverity\":\"MEDIUM\"},\"exploitabilityScore\":2.5,\"impactScore\":3.4}]},\"weaknesses\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-276\"}]}],\"references\":[{\"url\":\"https://jvn.jp/en/jp/JVN17680667/\",\"source\":\"vultures@jpcert.or.jp\"},{\"url\":\"https://www.yrl.com/fwp_support/info/khvu7f00000000q7.html\",\"source\":\"vultures@jpcert.or.jp\"}]}}"
  }
}

ghsa-w2mp-xqqj-8v36

Vulnerability from github

Published

2024-05-31 06:30

Modified

2024-07-03 18:43

Severity ?

5.9 (Medium) - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Details

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2024-23847"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-276"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-31T06:15:10Z",
    "severity": "MODERATE"
  },
  "details": "Incorrect default permissions issue exists in Unifier and Unifier Cast Version.5.0 or later, and the patch \"20240527\" not applied. If this vulnerability is exploited, arbitrary code may be executed with LocalSystem privilege. As a result, a malicious program may be installed, data may be modified or deleted.",
  "id": "GHSA-w2mp-xqqj-8v36",
  "modified": "2024-07-03T18:43:54Z",
  "published": "2024-05-31T06:30:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23847"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/jp/JVN17680667"
    },
    {
      "type": "WEB",
      "url": "https://www.yrl.com/fwp_support/info/khvu7f00000000q7.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

gsd-2024-23847

Vulnerability from gsd

Modified

2024-01-24 06:02

Details

** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.

Aliases

CVE-2024-23847

JSON

To clipboard

{
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2024-23847"
      ],
      "id": "GSD-2024-23847",
      "modified": "2024-01-24T06:02:25.113233Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cve@mitre.org",
        "ID": "CVE-2024-23847",
        "STATE": "RESERVED"
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
          }
        ]
      }
    }
  }
}

CVE-2024-23847

Vulnerability from jvndb

Published

2024-05-28 14:47

Modified

2024-05-28 14:47

Severity ?

9.8 (Critical) - cvssV3_0 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

Multiple vulnerabilities in Unifier and Unifier Cast

Details

Unifier and Unifier Cast provided by Yokogawa Rental & Lease Corporation contains multiple vulnerabilities listed below. <ul> <li><b>Incorrect Default Permissions configured by Cast Launcher (<a href="https://cwe.mitre.org/data/definitions/276.html">CWE-276</a>)</b> - CVE-2024-23847 </li> <li><b>Missing Authorization for coejobhook Command Execution (<a href="https://cwe.mitre.org/data/definitions/862.html">CWE-862</a>)</b> - CVE-2024-36246 </li> </ul> CVE-2024-23847 Yokogawa Rental & Lease Corporation reported this vulnerability to IPA to notify users of its solution through JVN. JPCERT/CC and Yokogawa Rental & Lease Corporation coordinated under the Information Security Early Warning Partnership. CVE-2024-36246 Taisei Ogura of MOTEX Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

References

▼	Type	URL
	JVN	https://jvn.jp/en/jp/JVN17680667/index.html
	CVE	https://www.cve.org/CVERecord?id=CVE-2024-23847
	CVE	https://www.cve.org/CVERecord?id=CVE-2024-36246
	No Mapping(CWE-Other)	https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html

Impacted products

▼	Vendor	Product
	Yokogawa Rental & Lease Corporation	Unifier
	Yokogawa Rental & Lease Corporation	Unifier Cast

Show details on JVN DB website

JSON

To clipboard

{
  "@rdf:about": "https://jvndb.jvn.jp/en/contents/2024/JVNDB-2024-000053.html",
  "dc:date": "2024-05-28T14:47+09:00",
  "dcterms:issued": "2024-05-28T14:47+09:00",
  "dcterms:modified": "2024-05-28T14:47+09:00",
  "description": "Unifier and Unifier Cast provided by Yokogawa Rental \u0026 Lease Corporation contains multiple vulnerabilities listed below.\r\n\r\n\u003cul\u003e\r\n\t\u003cli\u003e\u003cb\u003eIncorrect Default Permissions configured by Cast Launcher (\u003ca href=\"https://cwe.mitre.org/data/definitions/276.html\"\u003eCWE-276\u003c/a\u003e)\u003c/b\u003e - CVE-2024-23847\r\n\t\u003c/li\u003e\r\n\t\u003cli\u003e\u003cb\u003eMissing Authorization for coejobhook Command Execution (\u003ca href=\"https://cwe.mitre.org/data/definitions/862.html\"\u003eCWE-862\u003c/a\u003e)\u003c/b\u003e - CVE-2024-36246\r\n\t\u003c/li\u003e\r\n\u003c/ul\u003e\r\n\r\nCVE-2024-23847\r\nYokogawa Rental \u0026 Lease Corporation reported this vulnerability to IPA to notify users of its solution through JVN.\r\nJPCERT/CC and Yokogawa Rental \u0026 Lease Corporation coordinated under the Information Security Early Warning Partnership.\r\n\r\nCVE-2024-36246\r\nTaisei Ogura of MOTEX Inc. reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
  "link": "https://jvndb.jvn.jp/en/contents/2024/JVNDB-2024-000053.html",
  "sec:cpe": [
    {
      "#text": "cpe:/a:yrl:yokogawa_renta_unifier",
      "@product": "Unifier",
      "@vendor": "Yokogawa Rental \u0026 Lease Corporation",
      "@version": "2.2"
    },
    {
      "#text": "cpe:/a:yrl:yokogawa_renta_unifier_cast",
      "@product": "Unifier Cast",
      "@vendor": "Yokogawa Rental \u0026 Lease Corporation",
      "@version": "2.2"
    }
  ],
  "sec:cvss": {
    "@score": "9.8",
    "@severity": "Critical",
    "@type": "Base",
    "@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
    "@version": "3.0"
  },
  "sec:identifier": "JVNDB-2024-000053",
  "sec:references": [
    {
      "#text": "https://jvn.jp/en/jp/JVN17680667/index.html",
      "@id": "JVN#17680667",
      "@source": "JVN"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2024-23847",
      "@id": "CVE-2024-23847",
      "@source": "CVE"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2024-36246",
      "@id": "CVE-2024-36246",
      "@source": "CVE"
    },
    {
      "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
      "@id": "CWE-Other",
      "@title": "No Mapping(CWE-Other)"
    }
  ],
  "title": "Multiple vulnerabilities in Unifier and Unifier Cast"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2024-23847

Vulnerability from cvelistv5

ghsa-w2mp-xqqj-8v36

Vulnerability from github

gsd-2024-23847

Vulnerability from gsd

CVE-2024-23847

Vulnerability from jvndb

Tags

Sightings

Nomenclature