cvelistv5 - CVE-2024-26276

CVE-2024-26276 (GCVE-0-2024-26276)

Vulnerability from cvelistv5 – Published: 2024-04-09 08:34 – Updated: 2024-08-13 07:54

Summary

A vulnerability has been identified in JT2Go (All versions < V2312.0004), Parasolid V35.1 (All versions < V35.1.254), Parasolid V36.0 (All versions < V36.0.207), Parasolid V36.1 (All versions < V36.1.147), Teamcenter Visualization V14.2 (All versions < V14.2.0.12), Teamcenter Visualization V14.3 (All versions < V14.3.0.9), Teamcenter Visualization V2312 (All versions < V2312.0004). The affected application contains a stack exhaustion vulnerability while parsing a specially crafted X_T file. This could allow an attacker to cause denial of service condition.

Severity ?

3.3 (Low)


                        
                          CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

4.8 (Medium)


                        
                          CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

CWE

CWE-770 - Allocation of Resources Without Limits or Throttling

Assigner

siemens

References

URL

Tags

	https://cert-portal.siemens.com/productcert/html/…
	https://cert-portal.siemens.com/productcert/html/…

Impacted products

Vendor

Product

Version

Siemens

JT2Go

Affected: 0 , < V2312.0004 (custom)

Siemens	Parasolid V35.1	Affected: 0 , < V35.1.254 (custom)
Siemens	Parasolid V36.0	Affected: 0 , < V36.0.207 (custom)
Siemens	Parasolid V36.1	Affected: 0 , < V36.1.147 (custom)
Siemens	Teamcenter Visualization V14.2	Affected: 0 , < V14.2.0.12 (custom)
Siemens	Teamcenter Visualization V14.3	Affected: 0 , < V14.3.0.9 (custom)
Siemens	Teamcenter Visualization V2312	Affected: 0 , < V2312.0004 (custom)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:siemens:parasolid:35.1:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "parasolid",
            "vendor": "siemens",
            "versions": [
              {
                "lessThan": "35.1.254",
                "status": "affected",
                "version": "35.1",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:siemens:parasolid:36.1:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "parasolid",
            "vendor": "siemens",
            "versions": [
              {
                "lessThan": "36.0.207",
                "status": "affected",
                "version": "36.0",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:siemens:parasolid:36.1:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "parasolid",
            "vendor": "siemens",
            "versions": [
              {
                "lessThan": "36.1.147",
                "status": "affected",
                "version": "36.1",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-26276",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-05-14T13:40:25.505191Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-06T14:53:58.636Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T00:07:18.871Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://cert-portal.siemens.com/productcert/html/ssa-222019.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://cert-portal.siemens.com/productcert/html/ssa-771940.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "JT2Go",
          "vendor": "Siemens",
          "versions": [
            {
              "lessThan": "V2312.0004",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "Parasolid V35.1",
          "vendor": "Siemens",
          "versions": [
            {
              "lessThan": "V35.1.254",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "Parasolid V36.0",
          "vendor": "Siemens",
          "versions": [
            {
              "lessThan": "V36.0.207",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "Parasolid V36.1",
          "vendor": "Siemens",
          "versions": [
            {
              "lessThan": "V36.1.147",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "Teamcenter Visualization V14.2",
          "vendor": "Siemens",
          "versions": [
            {
              "lessThan": "V14.2.0.12",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "Teamcenter Visualization V14.3",
          "vendor": "Siemens",
          "versions": [
            {
              "lessThan": "V14.3.0.9",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "Teamcenter Visualization V2312",
          "vendor": "Siemens",
          "versions": [
            {
              "lessThan": "V2312.0004",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability has been identified in JT2Go (All versions \u003c V2312.0004), Parasolid V35.1 (All versions \u003c V35.1.254), Parasolid V36.0 (All versions \u003c V36.0.207), Parasolid V36.1 (All versions \u003c V36.1.147), Teamcenter Visualization V14.2 (All versions \u003c V14.2.0.12), Teamcenter Visualization V14.3 (All versions \u003c V14.3.0.9), Teamcenter Visualization V2312 (All versions \u003c V2312.0004). The affected application contains a stack exhaustion vulnerability while parsing a specially crafted X_T file. This could allow an attacker to cause denial of service condition."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 3.3,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
            "version": "3.1"
          }
        },
        {
          "cvssV4_0": {
            "baseScore": 4.8,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
            "version": "4.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-770",
              "description": "CWE-770: Allocation of Resources Without Limits or Throttling",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-08-13T07:54:02.376Z",
        "orgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77",
        "shortName": "siemens"
      },
      "references": [
        {
          "url": "https://cert-portal.siemens.com/productcert/html/ssa-222019.html"
        },
        {
          "url": "https://cert-portal.siemens.com/productcert/html/ssa-771940.html"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77",
    "assignerShortName": "siemens",
    "cveId": "CVE-2024-26276",
    "datePublished": "2024-04-09T08:34:37.744Z",
    "dateReserved": "2024-02-15T10:54:03.168Z",
    "dateUpdated": "2024-08-13T07:54:02.376Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "descriptions": "[{\"lang\": \"en\", \"value\": \"A vulnerability has been identified in JT2Go (All versions \u003c V2312.0004), Parasolid V35.1 (All versions \u003c V35.1.254), Parasolid V36.0 (All versions \u003c V36.0.207), Parasolid V36.1 (All versions \u003c V36.1.147), Teamcenter Visualization V14.2 (All versions \u003c V14.2.0.12), Teamcenter Visualization V14.3 (All versions \u003c V14.3.0.9), Teamcenter Visualization V2312 (All versions \u003c V2312.0004). The affected application contains a stack exhaustion vulnerability while parsing a specially crafted X_T file. This could allow an attacker to cause denial of service condition.\"}, {\"lang\": \"es\", \"value\": \"Se ha identificado una vulnerabilidad en JT2Go (Todas las versiones \u0026lt; V2312.0004), Parasolid V35.1 (Todas las versiones \u0026lt; V35.1.254), Parasolid V36.0 (Todas las versiones \u0026lt; V36.0.207), Parasolid V36.1 (Todas las versiones \u0026lt; V36.1.147), Teamcenter Visualization V14.2 (todas las versiones), Teamcenter Visualization V14.3 (todas las versiones \u0026lt; V14.3.0.9), Teamcenter Visualization V2312 (todas las versiones \u0026lt; V2312.0004). La aplicaci\\u00f3n afectada contiene una vulnerabilidad de agotamiento de pila mientras analiza un archivo X_T especialmente manipulado. Esto podr\\u00eda permitir que un atacante provoque una condici\\u00f3n de denegaci\\u00f3n de servicio.\"}]",
      "id": "CVE-2024-26276",
      "lastModified": "2024-11-21T09:02:17.223",
      "metrics": "{\"cvssMetricV40\": [{\"source\": \"productcert@siemens.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"4.0\", \"vectorString\": \"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\", \"baseScore\": 4.8, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"LOCAL\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"PASSIVE\", \"vulnerableSystemConfidentiality\": \"NONE\", \"vulnerableSystemIntegrity\": \"NONE\", \"vulnerableSystemAvailability\": \"LOW\", \"subsequentSystemConfidentiality\": \"NONE\", \"subsequentSystemIntegrity\": \"NONE\", \"subsequentSystemAvailability\": \"NONE\", \"exploitMaturity\": \"NOT_DEFINED\", \"confidentialityRequirements\": \"NOT_DEFINED\", \"integrityRequirements\": \"NOT_DEFINED\", \"availabilityRequirements\": \"NOT_DEFINED\", \"modifiedAttackVector\": \"NOT_DEFINED\", \"modifiedAttackComplexity\": \"NOT_DEFINED\", \"modifiedAttackRequirements\": \"NOT_DEFINED\", \"modifiedPrivilegesRequired\": \"NOT_DEFINED\", \"modifiedUserInteraction\": \"NOT_DEFINED\", \"modifiedVulnerableSystemConfidentiality\": \"NOT_DEFINED\", \"modifiedVulnerableSystemIntegrity\": \"NOT_DEFINED\", \"modifiedVulnerableSystemAvailability\": \"NOT_DEFINED\", \"modifiedSubsequentSystemConfidentiality\": \"NOT_DEFINED\", \"modifiedSubsequentSystemIntegrity\": \"NOT_DEFINED\", \"modifiedSubsequentSystemAvailability\": \"NOT_DEFINED\", \"safety\": \"NOT_DEFINED\", \"automatable\": \"NOT_DEFINED\", \"recovery\": \"NOT_DEFINED\", \"valueDensity\": \"NOT_DEFINED\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\", \"providerUrgency\": \"NOT_DEFINED\"}}], \"cvssMetricV31\": [{\"source\": \"productcert@siemens.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L\", \"baseScore\": 3.3, \"baseSeverity\": \"LOW\", \"attackVector\": \"LOCAL\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"LOW\"}, \"exploitabilityScore\": 1.8, \"impactScore\": 1.4}]}",
      "published": "2024-04-09T09:15:24.457",
      "references": "[{\"url\": \"https://cert-portal.siemens.com/productcert/html/ssa-222019.html\", \"source\": \"productcert@siemens.com\"}, {\"url\": \"https://cert-portal.siemens.com/productcert/html/ssa-771940.html\", \"source\": \"productcert@siemens.com\"}, {\"url\": \"https://cert-portal.siemens.com/productcert/html/ssa-222019.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://cert-portal.siemens.com/productcert/html/ssa-771940.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
      "sourceIdentifier": "productcert@siemens.com",
      "vulnStatus": "Awaiting Analysis",
      "weaknesses": "[{\"source\": \"productcert@siemens.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-770\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-26276\",\"sourceIdentifier\":\"productcert@siemens.com\",\"published\":\"2024-04-09T09:15:24.457\",\"lastModified\":\"2025-10-03T20:06:47.343\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A vulnerability has been identified in JT2Go (All versions \u003c V2312.0004), Parasolid V35.1 (All versions \u003c V35.1.254), Parasolid V36.0 (All versions \u003c V36.0.207), Parasolid V36.1 (All versions \u003c V36.1.147), Teamcenter Visualization V14.2 (All versions \u003c V14.2.0.12), Teamcenter Visualization V14.3 (All versions \u003c V14.3.0.9), Teamcenter Visualization V2312 (All versions \u003c V2312.0004). The affected application contains a stack exhaustion vulnerability while parsing a specially crafted X_T file. This could allow an attacker to cause denial of service condition.\"},{\"lang\":\"es\",\"value\":\"Se ha identificado una vulnerabilidad en JT2Go (Todas las versiones \u0026lt; V2312.0004), Parasolid V35.1 (Todas las versiones \u0026lt; V35.1.254), Parasolid V36.0 (Todas las versiones \u0026lt; V36.0.207), Parasolid V36.1 (Todas las versiones \u0026lt; V36.1.147), Teamcenter Visualization V14.2 (todas las versiones), Teamcenter Visualization V14.3 (todas las versiones \u0026lt; V14.3.0.9), Teamcenter Visualization V2312 (todas las versiones \u0026lt; V2312.0004). La aplicaci\u00f3n afectada contiene una vulnerabilidad de agotamiento de pila mientras analiza un archivo X_T especialmente manipulado. Esto podr\u00eda permitir que un atacante provoque una condici\u00f3n de denegaci\u00f3n de servicio.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"productcert@siemens.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":4.8,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"PASSIVE\",\"vulnConfidentialityImpact\":\"NONE\",\"vulnIntegrityImpact\":\"NONE\",\"vulnAvailabilityImpact\":\"LOW\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"productcert@siemens.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L\",\"baseScore\":3.3,\"baseSeverity\":\"LOW\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":1.8,\"impactScore\":1.4},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"productcert@siemens.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-770\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:siemens:jt2go:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2312.0004\",\"matchCriteriaId\":\"D866F4F7-D2B7-499F-9A9F-CB5D9A40B52A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:siemens:parasolid:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"35.1\",\"versionEndExcluding\":\"35.1.254\",\"matchCriteriaId\":\"2C5B8DD7-F87C-4EAD-AF0E-6125A5017988\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:siemens:parasolid:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"36.0\",\"versionEndExcluding\":\"36.0.207\",\"matchCriteriaId\":\"53F83A10-6FA3-477E-BE18-34AA39FB996D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:siemens:parasolid:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"36.1\",\"versionEndExcluding\":\"36.1.147\",\"matchCriteriaId\":\"B1E2DE94-EC81-4DDF-A545-31B1AAB3FC03\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:siemens:teamcenter_visualization:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"14.2\",\"versionEndExcluding\":\"14.2.0.12\",\"matchCriteriaId\":\"0973D930-AC79-48B1-A4A6-25F7734B5822\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:siemens:teamcenter_visualization:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"14.3\",\"versionEndExcluding\":\"14.3.0.9\",\"matchCriteriaId\":\"47FA9CED-27B4-4AF6-83B4-054E1FABC888\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:siemens:teamcenter_visualization:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2312.0\",\"versionEndExcluding\":\"2312.0004\",\"matchCriteriaId\":\"064B1ABE-247D-410F-A4E7-C428753DF69F\"}]}]}],\"references\":[{\"url\":\"https://cert-portal.siemens.com/productcert/html/ssa-222019.html\",\"source\":\"productcert@siemens.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://cert-portal.siemens.com/productcert/html/ssa-771940.html\",\"source\":\"productcert@siemens.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://cert-portal.siemens.com/productcert/html/ssa-222019.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://cert-portal.siemens.com/productcert/html/ssa-771940.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://cert-portal.siemens.com/productcert/html/ssa-222019.html\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://cert-portal.siemens.com/productcert/html/ssa-771940.html\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T00:07:18.871Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-26276\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-05-14T13:40:25.505191Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:siemens:parasolid:35.1:*:*:*:*:*:*:*\"], \"vendor\": \"siemens\", \"product\": \"parasolid\", \"versions\": [{\"status\": \"affected\", \"version\": \"35.1\", \"lessThan\": \"35.1.254\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}, {\"cpes\": [\"cpe:2.3:a:siemens:parasolid:36.1:*:*:*:*:*:*:*\"], \"vendor\": \"siemens\", \"product\": \"parasolid\", \"versions\": [{\"status\": \"affected\", \"version\": \"36.0\", \"lessThan\": \"36.0.207\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}, {\"cpes\": [\"cpe:2.3:a:siemens:parasolid:36.1:*:*:*:*:*:*:*\"], \"vendor\": \"siemens\", \"product\": \"parasolid\", \"versions\": [{\"status\": \"affected\", \"version\": \"36.1\", \"lessThan\": \"36.1.147\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-05-14T13:41:13.305Z\"}}], \"cna\": {\"metrics\": [{\"cvssV3_1\": {\"version\": \"3.1\", \"baseScore\": 3.3, \"baseSeverity\": \"LOW\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L\"}}, {\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 4.8, \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N\"}}], \"affected\": [{\"vendor\": \"Siemens\", \"product\": \"JT2Go\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"V2312.0004\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}, {\"vendor\": \"Siemens\", \"product\": \"Parasolid V35.1\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"V35.1.254\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}, {\"vendor\": \"Siemens\", \"product\": \"Parasolid V36.0\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"V36.0.207\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}, {\"vendor\": \"Siemens\", \"product\": \"Parasolid V36.1\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"V36.1.147\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}, {\"vendor\": \"Siemens\", \"product\": \"Teamcenter Visualization V14.2\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"V14.2.0.12\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}, {\"vendor\": \"Siemens\", \"product\": \"Teamcenter Visualization V14.3\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"V14.3.0.9\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}, {\"vendor\": \"Siemens\", \"product\": \"Teamcenter Visualization V2312\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"V2312.0004\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}], \"references\": [{\"url\": \"https://cert-portal.siemens.com/productcert/html/ssa-222019.html\"}, {\"url\": \"https://cert-portal.siemens.com/productcert/html/ssa-771940.html\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"A vulnerability has been identified in JT2Go (All versions \u003c V2312.0004), Parasolid V35.1 (All versions \u003c V35.1.254), Parasolid V36.0 (All versions \u003c V36.0.207), Parasolid V36.1 (All versions \u003c V36.1.147), Teamcenter Visualization V14.2 (All versions \u003c V14.2.0.12), Teamcenter Visualization V14.3 (All versions \u003c V14.3.0.9), Teamcenter Visualization V2312 (All versions \u003c V2312.0004). The affected application contains a stack exhaustion vulnerability while parsing a specially crafted X_T file. This could allow an attacker to cause denial of service condition.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-770\", \"description\": \"CWE-770: Allocation of Resources Without Limits or Throttling\"}]}], \"providerMetadata\": {\"orgId\": \"cec7a2ec-15b4-4faf-bd53-b40f371f3a77\", \"shortName\": \"siemens\", \"dateUpdated\": \"2024-08-13T07:54:02.376Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-26276\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-08-13T07:54:02.376Z\", \"dateReserved\": \"2024-02-15T10:54:03.168Z\", \"assignerOrgId\": \"cec7a2ec-15b4-4faf-bd53-b40f371f3a77\", \"datePublished\": \"2024-04-09T08:34:37.744Z\", \"assignerShortName\": \"siemens\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

SSA-222019

Vulnerability from csaf_siemens - Published: 2024-04-09 00:00 - Updated: 2024-04-09 00:00

Summary

SSA-222019: X_T File Parsing Vulnerabilities in Parasolid

Notes

Summary

Parasolid is affected by out of bounds read, stack exhaustion and null pointer dereference vulnerabilities that could be triggered when the application reads files in X_T format. If a user is tricked to open a malicious file with the affected applications, an attacker could leverage the vulnerability to perform remote code execution in the context of the current process. Siemens has released new versions for the affected products and recommends to update to the latest versions.

General Recommendations

As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens' operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals. Additional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity

Additional Resources

For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: https://www.siemens.com/cert/advisories

Siemens Security Advisories are subject to the terms and conditions contained in Siemens' underlying license terms or other applicable agreements previously agreed to with Siemens (hereinafter "License Terms"). To the extent applicable to information, software or documentation made available in or through a Siemens Security Advisory, the Terms of Use of Siemens' Global Website (https://www.siemens.com/terms_of_use, hereinafter "Terms of Use"), in particular Sections 8-10 of the Terms of Use, shall apply additionally. In case of conflicts, the License Terms shall prevail over the Terms of Use.

JSON

To clipboard

{
  "document": {
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Disclosure is not limited. (TLPv2: TLP:CLEAR)",
      "tlp": {
        "label": "WHITE"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Parasolid is affected by out of bounds read, stack exhaustion and null pointer dereference vulnerabilities that could be triggered when the application reads files in X_T format. If a user is tricked to open a malicious file with the affected applications, an attacker could leverage the vulnerability to perform remote code execution in the context of the current process.\n\nSiemens has released new versions for the affected products and recommends to update to the latest versions.",
        "title": "Summary"
      },
      {
        "category": "general",
        "text": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: \nhttps://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity",
        "title": "General Recommendations"
      },
      {
        "category": "general",
        "text": "For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: https://www.siemens.com/cert/advisories",
        "title": "Additional Resources"
      },
      {
        "category": "legal_disclaimer",
        "text": "Siemens Security Advisories are subject to the terms and conditions contained in Siemens\u0027 underlying license terms or other applicable agreements previously agreed to with Siemens (hereinafter \"License Terms\"). To the extent applicable to information, software or documentation made available in or through a Siemens Security Advisory, the Terms of Use of Siemens\u0027 Global Website (https://www.siemens.com/terms_of_use, hereinafter \"Terms of Use\"), in particular Sections 8-10 of the Terms of Use, shall apply additionally. In case of conflicts, the License Terms shall prevail over the Terms of Use.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "productcert@siemens.com",
      "name": "Siemens ProductCERT",
      "namespace": "https://www.siemens.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "SSA-222019: X_T File Parsing Vulnerabilities in Parasolid - HTML Version",
        "url": "https://cert-portal.siemens.com/productcert/html/ssa-222019.html"
      },
      {
        "category": "self",
        "summary": "SSA-222019: X_T File Parsing Vulnerabilities in Parasolid - CSAF Version",
        "url": "https://cert-portal.siemens.com/productcert/csaf/ssa-222019.json"
      },
      {
        "category": "self",
        "summary": "SSA-222019: X_T File Parsing Vulnerabilities in Parasolid - PDF Version",
        "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-222019.pdf"
      },
      {
        "category": "self",
        "summary": "SSA-222019: X_T File Parsing Vulnerabilities in Parasolid - TXT Version",
        "url": "https://cert-portal.siemens.com/productcert/txt/ssa-222019.txt"
      }
    ],
    "title": "SSA-222019: X_T File Parsing Vulnerabilities in Parasolid",
    "tracking": {
      "current_release_date": "2024-04-09T00:00:00Z",
      "generator": {
        "engine": {
          "name": "Siemens ProductCERT CSAF Generator",
          "version": "1"
        }
      },
      "id": "SSA-222019",
      "initial_release_date": "2024-04-09T00:00:00Z",
      "revision_history": [
        {
          "date": "2024-04-09T00:00:00Z",
          "legacy_version": "1.0",
          "number": "1",
          "summary": "Publication Date"
        }
      ],
      "status": "interim",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003cV35.1.254",
                "product": {
                  "name": "Parasolid V35.1",
                  "product_id": "1"
                }
              }
            ],
            "category": "product_name",
            "name": "Parasolid V35.1"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003cV36.0.207",
                "product": {
                  "name": "Parasolid V36.0",
                  "product_id": "2"
                }
              }
            ],
            "category": "product_name",
            "name": "Parasolid V36.0"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003cV36.1.147",
                "product": {
                  "name": "Parasolid V36.1",
                  "product_id": "3"
                }
              }
            ],
            "category": "product_name",
            "name": "Parasolid V36.1"
          }
        ],
        "category": "vendor",
        "name": "Siemens"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-26275",
      "cwe": {
        "id": "CWE-125",
        "name": "Out-of-bounds Read"
      },
      "notes": [
        {
          "category": "summary",
          "text": "The affected applications contain an out of bounds read past the end of an allocated structure while parsing specially crafted X_T files. This could allow an attacker to execute code in the context of the current process.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1",
          "2",
          "3"
        ]
      },
      "remediations": [
        {
          "category": "mitigation",
          "details": "Do not open untrusted XT files in Parasolid",
          "product_ids": [
            "1",
            "2",
            "3"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "Update to V35.1.254 or later version",
          "product_ids": [
            "1"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "Update to V36.0.207 or later version",
          "product_ids": [
            "2"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "Update to V36.1.147 or later version",
          "product_ids": [
            "3"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C",
            "version": "3.1"
          },
          "products": [
            "1",
            "2",
            "3"
          ]
        }
      ],
      "title": "CVE-2024-26275"
    },
    {
      "cve": "CVE-2024-26276",
      "cwe": {
        "id": "CWE-770",
        "name": "Allocation of Resources Without Limits or Throttling"
      },
      "notes": [
        {
          "category": "summary",
          "text": "The affected application contains a stack exhaustion vulnerability while parsing a specially crafted X_T file. This could allow an attacker to cause denial of service condition.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1",
          "2",
          "3"
        ]
      },
      "remediations": [
        {
          "category": "mitigation",
          "details": "Do not open untrusted XT files in Parasolid",
          "product_ids": [
            "1",
            "2",
            "3"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "Update to V35.1.254 or later version",
          "product_ids": [
            "1"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "Update to V36.0.207 or later version",
          "product_ids": [
            "2"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "Update to V36.1.147 or later version",
          "product_ids": [
            "3"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 3.3,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C",
            "version": "3.1"
          },
          "products": [
            "1",
            "2",
            "3"
          ]
        }
      ],
      "title": "CVE-2024-26276"
    },
    {
      "cve": "CVE-2024-26277",
      "cwe": {
        "id": "CWE-476",
        "name": "NULL Pointer Dereference"
      },
      "notes": [
        {
          "category": "summary",
          "text": "The affected applications contain a null pointer dereference vulnerability while parsing specially crafted X_T files. An attacker could leverage this vulnerability to crash the application causing denial of service condition.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1",
          "2",
          "3"
        ]
      },
      "remediations": [
        {
          "category": "mitigation",
          "details": "Do not open untrusted XT files in Parasolid",
          "product_ids": [
            "1",
            "2",
            "3"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "Update to V35.1.254 or later version",
          "product_ids": [
            "1"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "Update to V36.0.207 or later version",
          "product_ids": [
            "2"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "Update to V36.1.147 or later version",
          "product_ids": [
            "3"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 3.3,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C",
            "version": "3.1"
          },
          "products": [
            "1",
            "2",
            "3"
          ]
        }
      ],
      "title": "CVE-2024-26277"
    }
  ]
}

SSA-771940

Vulnerability from csaf_siemens - Published: 2024-06-11 00:00 - Updated: 2024-08-13 00:00

Summary

SSA-771940: X_T File Parsing Vulnerabilities in Teamcenter Visualization and JT2Go

Notes

Summary

Teamcenter Visualization and JT2Go are affected by out of bounds read, stack exhaustion and null pointer dereference vulnerabilities that could be triggered when the application reads files in X_T format. If a user is tricked to open a malicious file with the affected applications, an attacker could leverage the vulnerability to perform remote code execution in the context of the current process. Siemens has released new versions for the affected products and recommends to update to the latest versions.

General Recommendations

Additional Resources

For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: https://www.siemens.com/cert/advisories

JSON

To clipboard

{
  "document": {
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Disclosure is not limited. (TLPv2: TLP:CLEAR)",
      "tlp": {
        "label": "WHITE"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Teamcenter Visualization and JT2Go are affected by out of bounds read, stack exhaustion and null pointer dereference vulnerabilities that could be triggered when the application reads files in X_T format. If a user is tricked to open a malicious file with the affected applications, an attacker could leverage the vulnerability to perform remote code execution in the context of the current process.\n\nSiemens has released new versions for the affected products and recommends to update to the latest versions.",
        "title": "Summary"
      },
      {
        "category": "general",
        "text": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: \nhttps://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity",
        "title": "General Recommendations"
      },
      {
        "category": "general",
        "text": "For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: https://www.siemens.com/cert/advisories",
        "title": "Additional Resources"
      },
      {
        "category": "legal_disclaimer",
        "text": "Siemens Security Advisories are subject to the terms and conditions contained in Siemens\u0027 underlying license terms or other applicable agreements previously agreed to with Siemens (hereinafter \"License Terms\"). To the extent applicable to information, software or documentation made available in or through a Siemens Security Advisory, the Terms of Use of Siemens\u0027 Global Website (https://www.siemens.com/terms_of_use, hereinafter \"Terms of Use\"), in particular Sections 8-10 of the Terms of Use, shall apply additionally. In case of conflicts, the License Terms shall prevail over the Terms of Use.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "productcert@siemens.com",
      "name": "Siemens ProductCERT",
      "namespace": "https://www.siemens.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "SSA-771940: X_T File Parsing Vulnerabilities in Teamcenter Visualization and JT2Go - HTML Version",
        "url": "https://cert-portal.siemens.com/productcert/html/ssa-771940.html"
      },
      {
        "category": "self",
        "summary": "SSA-771940: X_T File Parsing Vulnerabilities in Teamcenter Visualization and JT2Go - CSAF Version",
        "url": "https://cert-portal.siemens.com/productcert/csaf/ssa-771940.json"
      }
    ],
    "title": "SSA-771940: X_T File Parsing Vulnerabilities in Teamcenter Visualization and JT2Go",
    "tracking": {
      "current_release_date": "2024-08-13T00:00:00Z",
      "generator": {
        "engine": {
          "name": "Siemens ProductCERT CSAF Generator",
          "version": "1"
        }
      },
      "id": "SSA-771940",
      "initial_release_date": "2024-06-11T00:00:00Z",
      "revision_history": [
        {
          "date": "2024-06-11T00:00:00Z",
          "legacy_version": "1.0",
          "number": "1",
          "summary": "Publication Date"
        },
        {
          "date": "2024-08-13T00:00:00Z",
          "legacy_version": "1.1",
          "number": "2",
          "summary": "Added fix version for 14.2.0.12"
        }
      ],
      "status": "interim",
      "version": "2"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003cV2312.0004",
                "product": {
                  "name": "JT2Go",
                  "product_id": "1"
                }
              }
            ],
            "category": "product_name",
            "name": "JT2Go"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003cV14.2.0.12",
                "product": {
                  "name": "Teamcenter Visualization V14.2",
                  "product_id": "2"
                }
              }
            ],
            "category": "product_name",
            "name": "Teamcenter Visualization V14.2"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003cV14.3.0.9",
                "product": {
                  "name": "Teamcenter Visualization V14.3",
                  "product_id": "3"
                }
              }
            ],
            "category": "product_name",
            "name": "Teamcenter Visualization V14.3"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003cV2312.0004",
                "product": {
                  "name": "Teamcenter Visualization V2312",
                  "product_id": "4"
                }
              }
            ],
            "category": "product_name",
            "name": "Teamcenter Visualization V2312"
          }
        ],
        "category": "vendor",
        "name": "Siemens"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-26275",
      "cwe": {
        "id": "CWE-125",
        "name": "Out-of-bounds Read"
      },
      "notes": [
        {
          "category": "summary",
          "text": "The affected applications contain an out of bounds read past the end of an allocated structure while parsing specially crafted X_T files. This could allow an attacker to execute code in the context of the current process.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1",
          "2",
          "3",
          "4"
        ]
      },
      "remediations": [
        {
          "category": "mitigation",
          "details": "Do not open untrusted XT files in Teamcenter Visualization and JT2Go",
          "product_ids": [
            "1",
            "2",
            "3",
            "4"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "Update to V14.2.0.12 or later version",
          "product_ids": [
            "2"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "Update to V14.3.0.9 or later version",
          "product_ids": [
            "3"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "Update to V2312.0004 or later version",
          "product_ids": [
            "1"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "Update to V2312.0004 or later version",
          "product_ids": [
            "4"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "1",
            "2",
            "3",
            "4"
          ]
        }
      ],
      "title": "CVE-2024-26275"
    },
    {
      "cve": "CVE-2024-26276",
      "cwe": {
        "id": "CWE-770",
        "name": "Allocation of Resources Without Limits or Throttling"
      },
      "notes": [
        {
          "category": "summary",
          "text": "The affected application contains a stack exhaustion vulnerability while parsing a specially crafted X_T file. This could allow an attacker to cause denial of service condition.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1",
          "2",
          "3",
          "4"
        ]
      },
      "remediations": [
        {
          "category": "mitigation",
          "details": "Do not open untrusted XT files in Teamcenter Visualization and JT2Go",
          "product_ids": [
            "1",
            "2",
            "3",
            "4"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "Update to V14.2.0.12 or later version",
          "product_ids": [
            "2"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "Update to V14.3.0.9 or later version",
          "product_ids": [
            "3"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "Update to V2312.0004 or later version",
          "product_ids": [
            "1"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "Update to V2312.0004 or later version",
          "product_ids": [
            "4"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 3.3,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "1",
            "2",
            "3",
            "4"
          ]
        }
      ],
      "title": "CVE-2024-26276"
    },
    {
      "cve": "CVE-2024-26277",
      "cwe": {
        "id": "CWE-476",
        "name": "NULL Pointer Dereference"
      },
      "notes": [
        {
          "category": "summary",
          "text": "The affected applications contain a null pointer dereference vulnerability while parsing specially crafted X_T files. An attacker could leverage this vulnerability to crash the application causing denial of service condition.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "1",
          "2",
          "3",
          "4"
        ]
      },
      "remediations": [
        {
          "category": "mitigation",
          "details": "Do not open untrusted XT files in Teamcenter Visualization and JT2Go",
          "product_ids": [
            "1",
            "2",
            "3",
            "4"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "Update to V14.2.0.12 or later version",
          "product_ids": [
            "2"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "Update to V14.3.0.9 or later version",
          "product_ids": [
            "3"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "Update to V2312.0004 or later version",
          "product_ids": [
            "1"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "Update to V2312.0004 or later version",
          "product_ids": [
            "4"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 3.3,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "1",
            "2",
            "3",
            "4"
          ]
        }
      ],
      "title": "CVE-2024-26277"
    }
  ]
}

GHSA-J254-M7H5-8JRJ

Vulnerability from github – Published: 2024-04-09 09:31 – Updated: 2024-11-18 16:26

Details

A vulnerability has been identified in Parasolid V35.1 (All versions < V35.1.254), Parasolid V36.0 (All versions < V36.0.207), Parasolid V36.1 (All versions < V36.1.147). The affected application contains a stack exhaustion vulnerability while parsing a specially crafted X_T file. This could allow an attacker to cause denial of service condition.

Severity ?

3.3 (Low)


                  
                    CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

4.8 (Medium)


                  
                    CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2024-26276"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-770"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-09T09:15:24Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability has been identified in Parasolid V35.1 (All versions \u003c V35.1.254), Parasolid V36.0 (All versions \u003c V36.0.207), Parasolid V36.1 (All versions \u003c V36.1.147). The affected application contains a stack exhaustion vulnerability while parsing a specially crafted X_T file. This could allow an attacker to cause denial of service condition.",
  "id": "GHSA-j254-m7h5-8jrj",
  "modified": "2024-11-18T16:26:39Z",
  "published": "2024-04-09T09:31:11Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26276"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-222019.html"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-771940.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

FKIE_CVE-2024-26276

Vulnerability from fkie_nvd - Published: 2024-04-09 09:15 - Updated: 2025-10-03 20:06

Severity ?

3.3 (Low) - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Summary

References

URL	Tags
productcert@siemens.com	https://cert-portal.siemens.com/productcert/html/ssa-222019.html	Vendor Advisory
productcert@siemens.com	https://cert-portal.siemens.com/productcert/html/ssa-771940.html	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://cert-portal.siemens.com/productcert/html/ssa-222019.html	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://cert-portal.siemens.com/productcert/html/ssa-771940.html	Vendor Advisory

Impacted products

Vendor	Product	Version
siemens	jt2go	*
siemens	parasolid	*
siemens	parasolid	*
siemens	parasolid	*
siemens	teamcenter_visualization	*
siemens	teamcenter_visualization	*
siemens	teamcenter_visualization	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:siemens:jt2go:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "D866F4F7-D2B7-499F-9A9F-CB5D9A40B52A",
              "versionEndExcluding": "2312.0004",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:siemens:parasolid:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "2C5B8DD7-F87C-4EAD-AF0E-6125A5017988",
              "versionEndExcluding": "35.1.254",
              "versionStartIncluding": "35.1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:siemens:parasolid:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "53F83A10-6FA3-477E-BE18-34AA39FB996D",
              "versionEndExcluding": "36.0.207",
              "versionStartIncluding": "36.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:siemens:parasolid:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "B1E2DE94-EC81-4DDF-A545-31B1AAB3FC03",
              "versionEndExcluding": "36.1.147",
              "versionStartIncluding": "36.1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:siemens:teamcenter_visualization:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "0973D930-AC79-48B1-A4A6-25F7734B5822",
              "versionEndExcluding": "14.2.0.12",
              "versionStartIncluding": "14.2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:siemens:teamcenter_visualization:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "47FA9CED-27B4-4AF6-83B4-054E1FABC888",
              "versionEndExcluding": "14.3.0.9",
              "versionStartIncluding": "14.3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:siemens:teamcenter_visualization:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "064B1ABE-247D-410F-A4E7-C428753DF69F",
              "versionEndExcluding": "2312.0004",
              "versionStartIncluding": "2312.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A vulnerability has been identified in JT2Go (All versions \u003c V2312.0004), Parasolid V35.1 (All versions \u003c V35.1.254), Parasolid V36.0 (All versions \u003c V36.0.207), Parasolid V36.1 (All versions \u003c V36.1.147), Teamcenter Visualization V14.2 (All versions \u003c V14.2.0.12), Teamcenter Visualization V14.3 (All versions \u003c V14.3.0.9), Teamcenter Visualization V2312 (All versions \u003c V2312.0004). The affected application contains a stack exhaustion vulnerability while parsing a specially crafted X_T file. This could allow an attacker to cause denial of service condition."
    },
    {
      "lang": "es",
      "value": "Se ha identificado una vulnerabilidad en JT2Go (Todas las versiones \u0026lt; V2312.0004), Parasolid V35.1 (Todas las versiones \u0026lt; V35.1.254), Parasolid V36.0 (Todas las versiones \u0026lt; V36.0.207), Parasolid V36.1 (Todas las versiones \u0026lt; V36.1.147), Teamcenter Visualization V14.2 (todas las versiones), Teamcenter Visualization V14.3 (todas las versiones \u0026lt; V14.3.0.9), Teamcenter Visualization V2312 (todas las versiones \u0026lt; V2312.0004). La aplicaci\u00f3n afectada contiene una vulnerabilidad de agotamiento de pila mientras analiza un archivo X_T especialmente manipulado. Esto podr\u00eda permitir que un atacante provoque una condici\u00f3n de denegaci\u00f3n de servicio."
    }
  ],
  "id": "CVE-2024-26276",
  "lastModified": "2025-10-03T20:06:47.343",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "LOW",
          "baseScore": 3.3,
          "baseSeverity": "LOW",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 1.4,
        "source": "productcert@siemens.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 5.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ],
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "LOCAL",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 4.8,
          "baseSeverity": "MEDIUM",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "NONE",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "PASSIVE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "LOW",
          "vulnConfidentialityImpact": "NONE",
          "vulnIntegrityImpact": "NONE",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "productcert@siemens.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2024-04-09T09:15:24.457",
  "references": [
    {
      "source": "productcert@siemens.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-222019.html"
    },
    {
      "source": "productcert@siemens.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-771940.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-222019.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-771940.html"
    }
  ],
  "sourceIdentifier": "productcert@siemens.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-770"
        }
      ],
      "source": "productcert@siemens.com",
      "type": "Secondary"
    }
  ]
}

GSD-2024-26276

Vulnerability from gsd - Updated: 2024-02-16 06:02

Details

Aliases

CVE-2024-26276

JSON

To clipboard

{
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2024-26276"
      ],
      "details": "A vulnerability has been identified in Parasolid V35.1 (All versions \u003c V35.1.254), Parasolid V36.0 (All versions \u003c V36.0.207), Parasolid V36.1 (All versions \u003c V36.1.147). The affected application contains a stack exhaustion vulnerability while parsing a specially crafted X_T file. This could allow an attacker to cause denial of service condition.",
      "id": "GSD-2024-26276",
      "modified": "2024-02-16T06:02:27.245581Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "productcert@siemens.com",
        "ID": "CVE-2024-26276",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Parasolid V35.1",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c",
                          "version_name": "0",
                          "version_value": "V35.1.254"
                        }
                      ]
                    }
                  },
                  {
                    "product_name": "Parasolid V36.0",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c",
                          "version_name": "0",
                          "version_value": "V36.0.207"
                        }
                      ]
                    }
                  },
                  {
                    "product_name": "Parasolid V36.1",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c",
                          "version_name": "0",
                          "version_value": "V36.1.147"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Siemens"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "A vulnerability has been identified in Parasolid V35.1 (All versions \u003c V35.1.254), Parasolid V36.0 (All versions \u003c V36.0.207), Parasolid V36.1 (All versions \u003c V36.1.147). The affected application contains a stack exhaustion vulnerability while parsing a specially crafted X_T file. This could allow an attacker to cause denial of service condition."
          }
        ]
      },
      "impact": {
        "cvss": [
          {
            "baseScore": 3.3,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C",
            "version": "3.1"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-770",
                "lang": "eng",
                "value": "CWE-770: Allocation of Resources Without Limits or Throttling"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://cert-portal.siemens.com/productcert/html/ssa-222019.html",
            "refsource": "MISC",
            "url": "https://cert-portal.siemens.com/productcert/html/ssa-222019.html"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "cve": {
        "descriptions": [
          {
            "lang": "en",
            "value": "A vulnerability has been identified in Parasolid V35.1 (All versions \u003c V35.1.254), Parasolid V36.0 (All versions \u003c V36.0.207), Parasolid V36.1 (All versions \u003c V36.1.147). The affected application contains a stack exhaustion vulnerability while parsing a specially crafted X_T file. This could allow an attacker to cause denial of service condition."
          }
        ],
        "id": "CVE-2024-26276",
        "lastModified": "2024-04-09T12:48:04.090",
        "metrics": {
          "cvssMetricV31": [
            {
              "cvssData": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "LOW",
                "baseScore": 3.3,
                "baseSeverity": "LOW",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
                "version": "3.1"
              },
              "exploitabilityScore": 1.8,
              "impactScore": 1.4,
              "source": "productcert@siemens.com",
              "type": "Secondary"
            }
          ]
        },
        "published": "2024-04-09T09:15:24.457",
        "references": [
          {
            "source": "productcert@siemens.com",
            "url": "https://cert-portal.siemens.com/productcert/html/ssa-222019.html"
          }
        ],
        "sourceIdentifier": "productcert@siemens.com",
        "vulnStatus": "Awaiting Analysis",
        "weaknesses": [
          {
            "description": [
              {
                "lang": "en",
                "value": "CWE-770"
              }
            ],
            "source": "productcert@siemens.com",
            "type": "Secondary"
          }
        ]
      }
    }
  }
}

CNVD-2024-17300

Vulnerability from cnvd - Published: 2024-04-10

Title

Siemens Parasolid堆栈耗尽漏洞

Description

Siemens Parasolid是一种三维几何建模工具，支持各种技术，包括实体建模、直接编辑和自由曲面/图纸建模。 Siemens Parasolid存在堆栈耗尽漏洞，攻击可利用该漏洞造成拒绝服务。

Severity

低

Patch Name

Siemens Parasolid堆栈耗尽漏洞的补丁

Patch Description

Siemens Parasolid是一种三维几何建模工具，支持各种技术，包括实体建模、直接编辑和自由曲面/图纸建模。 Siemens Parasolid存在堆栈耗尽漏洞，攻击可利用该漏洞造成拒绝服务。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

用户可参考如下供应商提供的安全公告获得补丁信息： https://cert-portal.siemens.com/productcert/html/ssa-222019.html

Reference

https://cert-portal.siemens.com/productcert/html/ssa-222019.html

Impacted products

Name
['Siemens Parasolid V35.1 < V35.1.254', 'Siemens Parasolid V36.0 < V36.0.207', 'Siemens Parasolid V36.1 < V36.1.147']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2024-26276"
    }
  },
  "description": "Siemens Parasolid\u662f\u4e00\u79cd\u4e09\u7ef4\u51e0\u4f55\u5efa\u6a21\u5de5\u5177\uff0c\u652f\u6301\u5404\u79cd\u6280\u672f\uff0c\u5305\u62ec\u5b9e\u4f53\u5efa\u6a21\u3001\u76f4\u63a5\u7f16\u8f91\u548c\u81ea\u7531\u66f2\u9762/\u56fe\u7eb8\u5efa\u6a21\u3002\n\nSiemens Parasolid\u5b58\u5728\u5806\u6808\u8017\u5c3d\u6f0f\u6d1e\uff0c\u653b\u51fb\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u9020\u6210\u62d2\u7edd\u670d\u52a1\u3002",
  "formalWay": "\u7528\u6237\u53ef\u53c2\u8003\u5982\u4e0b\u4f9b\u5e94\u5546\u63d0\u4f9b\u7684\u5b89\u5168\u516c\u544a\u83b7\u5f97\u8865\u4e01\u4fe1\u606f\uff1a\r\nhttps://cert-portal.siemens.com/productcert/html/ssa-222019.html",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2024-17300",
  "openTime": "2024-04-10",
  "patchDescription": "Siemens Parasolid\u662f\u4e00\u79cd\u4e09\u7ef4\u51e0\u4f55\u5efa\u6a21\u5de5\u5177\uff0c\u652f\u6301\u5404\u79cd\u6280\u672f\uff0c\u5305\u62ec\u5b9e\u4f53\u5efa\u6a21\u3001\u76f4\u63a5\u7f16\u8f91\u548c\u81ea\u7531\u66f2\u9762/\u56fe\u7eb8\u5efa\u6a21\u3002\r\n\r\nSiemens Parasolid\u5b58\u5728\u5806\u6808\u8017\u5c3d\u6f0f\u6d1e\uff0c\u653b\u51fb\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u9020\u6210\u62d2\u7edd\u670d\u52a1\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Siemens Parasolid\u5806\u6808\u8017\u5c3d\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Siemens Parasolid V35.1 \u003c V35.1.254",
      "Siemens Parasolid V36.0 \u003c V36.0.207",
      "Siemens Parasolid V36.1 \u003c V36.1.147"
    ]
  },
  "referenceLink": "https://cert-portal.siemens.com/productcert/html/ssa-222019.html",
  "serverity": "\u4f4e",
  "submitTime": "2024-04-10",
  "title": "Siemens Parasolid\u5806\u6808\u8017\u5c3d\u6f0f\u6d1e"
}

ICSA-24-102-06

Vulnerability from csaf_cisa - Published: 2024-04-09 00:00 - Updated: 2024-04-09 00:00

Summary

Siemens Parasolid

Notes

Summary

General Recommendations

Additional Resources

For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: https://www.siemens.com/cert/advisories

Legal Notice

All information products included in https://us-cert.cisa.gov/ics are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.

Advisory Conversion Disclaimer

This CISA CSAF advisory was converted from Siemens ProductCERT's CSAF advisory.

Critical infrastructure sectors

Multiple

Countries/areas deployed

Worldwide

Company headquarters location

Germany

Recommended Practices

CISA recommends users take defensive measures to minimize the exploitation risk of this vulnerability.

Recommended Practices

Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the internet.

Recommended Practices

Locate control system networks and remote devices behind firewalls and isolate them from business networks.

Recommended Practices

When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most recent version available. Also recognize VPN is only as secure as its connected devices.

Recommended Practices

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

Recommended Practices

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Recommended Practices

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Recommended Practices

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

JSON

To clipboard

{
  "document": {
    "acknowledgments": [
      {
        "organization": "Siemens ProductCERT",
        "summary": "reporting these vulnerabilities to CISA."
      }
    ],
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Disclosure is not limited",
      "tlp": {
        "label": "WHITE",
        "url": "https://us-cert.cisa.gov/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Parasolid is affected by out of bounds read, stack exhaustion and null pointer dereference vulnerabilities that could be triggered when the application reads files in X_T format. If a user is tricked to open a malicious file with the affected applications, an attacker could leverage the vulnerability to perform remote code execution in the context of the current process.\n\nSiemens has released new versions for the affected products and recommends to update to the latest versions.",
        "title": "Summary"
      },
      {
        "category": "general",
        "text": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: \nhttps://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity",
        "title": "General Recommendations"
      },
      {
        "category": "general",
        "text": "For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: https://www.siemens.com/cert/advisories",
        "title": "Additional Resources"
      },
      {
        "category": "legal_disclaimer",
        "text": "Siemens Security Advisories are subject to the terms and conditions contained in Siemens\u0027 underlying license terms or other applicable agreements previously agreed to with Siemens (hereinafter \"License Terms\"). To the extent applicable to information, software or documentation made available in or through a Siemens Security Advisory, the Terms of Use of Siemens\u0027 Global Website (https://www.siemens.com/terms_of_use, hereinafter \"Terms of Use\"), in particular Sections 8-10 of the Terms of Use, shall apply additionally. In case of conflicts, the License Terms shall prevail over the Terms of Use.",
        "title": "Terms of Use"
      },
      {
        "category": "legal_disclaimer",
        "text": "All information products included in https://us-cert.cisa.gov/ics are provided \"as is\" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.",
        "title": "Legal Notice"
      },
      {
        "category": "other",
        "text": "This CISA CSAF advisory was converted from Siemens ProductCERT\u0027s CSAF advisory.",
        "title": "Advisory Conversion Disclaimer"
      },
      {
        "category": "other",
        "text": "Multiple",
        "title": "Critical infrastructure sectors"
      },
      {
        "category": "other",
        "text": "Worldwide",
        "title": "Countries/areas deployed"
      },
      {
        "category": "other",
        "text": "Germany",
        "title": "Company headquarters location"
      },
      {
        "category": "general",
        "text": "CISA recommends users take defensive measures to minimize the exploitation risk of this vulnerability.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the internet.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "Locate control system networks and remote devices behind firewalls and isolate them from business networks.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most recent version available. Also recognize VPN is only as secure as its connected devices.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.",
        "title": "Recommended Practices"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "central@cisa.dhs.gov",
      "name": "CISA",
      "namespace": "https://www.cisa.gov/"
    },
    "references": [
      {
        "category": "self",
        "summary": "SSA-222019: X_T File Parsing Vulnerabilities in Parasolid - CSAF Version",
        "url": "https://cert-portal.siemens.com/productcert/csaf/ssa-222019.json"
      },
      {
        "category": "self",
        "summary": "SSA-222019: X_T File Parsing Vulnerabilities in Parasolid - HTML Version",
        "url": "https://cert-portal.siemens.com/productcert/html/ssa-222019.html"
      },
      {
        "category": "self",
        "summary": "SSA-222019: X_T File Parsing Vulnerabilities in Parasolid - PDF Version",
        "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-222019.pdf"
      },
      {
        "category": "self",
        "summary": "SSA-222019: X_T File Parsing Vulnerabilities in Parasolid - TXT Version",
        "url": "https://cert-portal.siemens.com/productcert/txt/ssa-222019.txt"
      },
      {
        "category": "self",
        "summary": "ICS Advisory ICSA-24-102-06 JSON",
        "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/OT/white/2024/icsa-24-102-06.json"
      },
      {
        "category": "self",
        "summary": "ICS Advisory ICSA-24-102-06 - Web Version",
        "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-102-06"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/uscert/ics/alerts/ICS-ALERT-10-301-01"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/resources-tools/resources/ics-recommended-practices"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/topics/industrial-control-systems"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/sites/default/files/publications/Cybersecurity_Best_Practices_for_Industrial_Control_Systems.pdf"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/uscert/ics/tips/ICS-TIP-12-146-01B"
      }
    ],
    "title": "Siemens Parasolid",
    "tracking": {
      "current_release_date": "2024-04-09T00:00:00.000000Z",
      "generator": {
        "engine": {
          "name": "CISA CSAF Generator",
          "version": "1"
        }
      },
      "id": "ICSA-24-102-06",
      "initial_release_date": "2024-04-09T00:00:00.000000Z",
      "revision_history": [
        {
          "date": "2024-04-09T00:00:00.000000Z",
          "legacy_version": "1.0",
          "number": "1",
          "summary": "Publication Date"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003cV35.1.254",
                "product": {
                  "name": "Parasolid V35.1",
                  "product_id": "CSAFPID-0001"
                }
              }
            ],
            "category": "product_name",
            "name": "Parasolid V35.1"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003cV36.0.207",
                "product": {
                  "name": "Parasolid V36.0",
                  "product_id": "CSAFPID-0002"
                }
              }
            ],
            "category": "product_name",
            "name": "Parasolid V36.0"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003cV36.1.147",
                "product": {
                  "name": "Parasolid V36.1",
                  "product_id": "CSAFPID-0003"
                }
              }
            ],
            "category": "product_name",
            "name": "Parasolid V36.1"
          }
        ],
        "category": "vendor",
        "name": "Siemens"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-26275",
      "cwe": {
        "id": "CWE-125",
        "name": "Out-of-bounds Read"
      },
      "notes": [
        {
          "category": "summary",
          "text": "The affected applications contain an out of bounds read past the end of an allocated structure while parsing specially crafted X_T files. This could allow an attacker to execute code in the context of the current process.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001",
          "CSAFPID-0002",
          "CSAFPID-0003"
        ]
      },
      "remediations": [
        {
          "category": "mitigation",
          "details": "Do not open untrusted XT files in Parasolid",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "Update to V35.1.254 or later version",
          "product_ids": [
            "CSAFPID-0001"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "Update to V36.0.207 or later version",
          "product_ids": [
            "CSAFPID-0002"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "Update to V36.1.147 or later version",
          "product_ids": [
            "CSAFPID-0003"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003"
          ]
        }
      ],
      "title": "CVE-2024-26275"
    },
    {
      "cve": "CVE-2024-26276",
      "cwe": {
        "id": "CWE-770",
        "name": "Allocation of Resources Without Limits or Throttling"
      },
      "notes": [
        {
          "category": "summary",
          "text": "The affected application contains a stack exhaustion vulnerability while parsing a specially crafted X_T file. This could allow an attacker to cause denial of service condition.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001",
          "CSAFPID-0002",
          "CSAFPID-0003"
        ]
      },
      "remediations": [
        {
          "category": "mitigation",
          "details": "Do not open untrusted XT files in Parasolid",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "Update to V35.1.254 or later version",
          "product_ids": [
            "CSAFPID-0001"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "Update to V36.0.207 or later version",
          "product_ids": [
            "CSAFPID-0002"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "Update to V36.1.147 or later version",
          "product_ids": [
            "CSAFPID-0003"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 3.3,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003"
          ]
        }
      ],
      "title": "CVE-2024-26276"
    },
    {
      "cve": "CVE-2024-26277",
      "cwe": {
        "id": "CWE-476",
        "name": "NULL Pointer Dereference"
      },
      "notes": [
        {
          "category": "summary",
          "text": "The affected applications contain a null pointer dereference vulnerability while parsing specially crafted X_T files. An attacker could leverage this vulnerability to crash the application causing denial of service condition.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001",
          "CSAFPID-0002",
          "CSAFPID-0003"
        ]
      },
      "remediations": [
        {
          "category": "mitigation",
          "details": "Do not open untrusted XT files in Parasolid",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "Update to V35.1.254 or later version",
          "product_ids": [
            "CSAFPID-0001"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "Update to V36.0.207 or later version",
          "product_ids": [
            "CSAFPID-0002"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "Update to V36.1.147 or later version",
          "product_ids": [
            "CSAFPID-0003"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 3.3,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003"
          ]
        }
      ],
      "title": "CVE-2024-26277"
    }
  ]
}

ICSA-24-165-08

Vulnerability from csaf_cisa - Published: 2024-06-11 00:00 - Updated: 2024-08-13 00:00

Summary

Siemens Teamcenter Visualization and JT2Go

Notes

Summary

General Recommendations

Additional Resources

For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: https://www.siemens.com/cert/advisories

Legal Notice

Advisory Conversion Disclaimer

This CISA CSAF advisory was converted from Siemens ProductCERT's CSAF advisory.

Critical infrastructure sectors

Multiple

Countries/areas deployed

Worldwide

Company headquarters location

Germany

Recommended Practices

CISA recommends users take defensive measures to minimize the exploitation risk of this vulnerability.

Recommended Practices

Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the internet.

Recommended Practices

Locate control system networks and remote devices behind firewalls and isolate them from business networks.

Recommended Practices

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

Recommended Practices

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

JSON

To clipboard

{
  "document": {
    "acknowledgments": [
      {
        "organization": "Siemens ProductCERT",
        "summary": "reporting these vulnerabilities to CISA."
      }
    ],
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Disclosure is not limited",
      "tlp": {
        "label": "WHITE",
        "url": "https://us-cert.cisa.gov/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Teamcenter Visualization and JT2Go are affected by out of bounds read, stack exhaustion and null pointer dereference vulnerabilities that could be triggered when the application reads files in X_T format. If a user is tricked to open a malicious file with the affected applications, an attacker could leverage the vulnerability to perform remote code execution in the context of the current process.\n\nSiemens has released new versions for the affected products and recommends to update to the latest versions.",
        "title": "Summary"
      },
      {
        "category": "general",
        "text": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: \nhttps://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity",
        "title": "General Recommendations"
      },
      {
        "category": "general",
        "text": "For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: https://www.siemens.com/cert/advisories",
        "title": "Additional Resources"
      },
      {
        "category": "legal_disclaimer",
        "text": "Siemens Security Advisories are subject to the terms and conditions contained in Siemens\u0027 underlying license terms or other applicable agreements previously agreed to with Siemens (hereinafter \"License Terms\"). To the extent applicable to information, software or documentation made available in or through a Siemens Security Advisory, the Terms of Use of Siemens\u0027 Global Website (https://www.siemens.com/terms_of_use, hereinafter \"Terms of Use\"), in particular Sections 8-10 of the Terms of Use, shall apply additionally. In case of conflicts, the License Terms shall prevail over the Terms of Use.",
        "title": "Terms of Use"
      },
      {
        "category": "legal_disclaimer",
        "text": "All information products included in https://us-cert.cisa.gov/ics are provided \"as is\" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.",
        "title": "Legal Notice"
      },
      {
        "category": "other",
        "text": "This CISA CSAF advisory was converted from Siemens ProductCERT\u0027s CSAF advisory.",
        "title": "Advisory Conversion Disclaimer"
      },
      {
        "category": "other",
        "text": "Multiple",
        "title": "Critical infrastructure sectors"
      },
      {
        "category": "other",
        "text": "Worldwide",
        "title": "Countries/areas deployed"
      },
      {
        "category": "other",
        "text": "Germany",
        "title": "Company headquarters location"
      },
      {
        "category": "general",
        "text": "CISA recommends users take defensive measures to minimize the exploitation risk of this vulnerability.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the internet.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "Locate control system networks and remote devices behind firewalls and isolate them from business networks.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most recent version available. Also recognize VPN is only as secure as its connected devices.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.",
        "title": "Recommended Practices"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "central@cisa.dhs.gov",
      "name": "CISA",
      "namespace": "https://www.cisa.gov/"
    },
    "references": [
      {
        "category": "self",
        "summary": "SSA-771940: X_T File Parsing Vulnerabilities in Teamcenter Visualization and JT2Go - CSAF Version",
        "url": "https://cert-portal.siemens.com/productcert/csaf/ssa-771940.json"
      },
      {
        "category": "self",
        "summary": "SSA-771940: X_T File Parsing Vulnerabilities in Teamcenter Visualization and JT2Go - HTML Version",
        "url": "https://cert-portal.siemens.com/productcert/html/ssa-771940.html"
      },
      {
        "category": "self",
        "summary": "ICS Advisory ICSA-24-165-08 JSON",
        "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/OT/white/2024/icsa-24-165-08.json"
      },
      {
        "category": "self",
        "summary": "ICS Advisory ICSA-24-165-08 - Web Version",
        "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-165-08"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/uscert/ics/alerts/ICS-ALERT-10-301-01"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/resources-tools/resources/ics-recommended-practices"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/topics/industrial-control-systems"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/sites/default/files/publications/Cybersecurity_Best_Practices_for_Industrial_Control_Systems.pdf"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/uscert/ics/tips/ICS-TIP-12-146-01B"
      }
    ],
    "title": "Siemens Teamcenter Visualization and JT2Go",
    "tracking": {
      "current_release_date": "2024-08-13T00:00:00.000000Z",
      "generator": {
        "engine": {
          "name": "CISA CSAF Generator",
          "version": "1.0.0"
        }
      },
      "id": "ICSA-24-165-08",
      "initial_release_date": "2024-06-11T00:00:00.000000Z",
      "revision_history": [
        {
          "date": "2024-06-11T00:00:00.000000Z",
          "legacy_version": "1.0",
          "number": "1",
          "summary": "Publication Date"
        },
        {
          "date": "2024-08-13T00:00:00.000000Z",
          "legacy_version": "1.1",
          "number": "2",
          "summary": "Added fix version for 14.2.0.12"
        }
      ],
      "status": "final",
      "version": "2"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003cV2312.0004",
                "product": {
                  "name": "JT2Go",
                  "product_id": "CSAFPID-0001"
                }
              }
            ],
            "category": "product_name",
            "name": "JT2Go"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003cV14.2.0.12",
                "product": {
                  "name": "Teamcenter Visualization V14.2",
                  "product_id": "CSAFPID-0002"
                }
              }
            ],
            "category": "product_name",
            "name": "Teamcenter Visualization V14.2"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003cV14.3.0.9",
                "product": {
                  "name": "Teamcenter Visualization V14.3",
                  "product_id": "CSAFPID-0003"
                }
              }
            ],
            "category": "product_name",
            "name": "Teamcenter Visualization V14.3"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003cV2312.0004",
                "product": {
                  "name": "Teamcenter Visualization V2312",
                  "product_id": "CSAFPID-0004"
                }
              }
            ],
            "category": "product_name",
            "name": "Teamcenter Visualization V2312"
          }
        ],
        "category": "vendor",
        "name": "Siemens"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-26275",
      "cwe": {
        "id": "CWE-125",
        "name": "Out-of-bounds Read"
      },
      "notes": [
        {
          "category": "summary",
          "text": "The affected applications contain an out of bounds read past the end of an allocated structure while parsing specially crafted X_T files. This could allow an attacker to execute code in the context of the current process.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001",
          "CSAFPID-0002",
          "CSAFPID-0003",
          "CSAFPID-0004"
        ]
      },
      "remediations": [
        {
          "category": "mitigation",
          "details": "Do not open untrusted XT files in Teamcenter Visualization and JT2Go",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "Update to V14.2.0.12 or later version",
          "product_ids": [
            "CSAFPID-0002"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "Update to V14.3.0.9 or later version",
          "product_ids": [
            "CSAFPID-0003"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "Update to V2312.0004 or later version",
          "product_ids": [
            "CSAFPID-0001"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "Update to V2312.0004 or later version",
          "product_ids": [
            "CSAFPID-0004"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004"
          ]
        }
      ],
      "title": "CVE-2024-26275"
    },
    {
      "cve": "CVE-2024-26276",
      "cwe": {
        "id": "CWE-770",
        "name": "Allocation of Resources Without Limits or Throttling"
      },
      "notes": [
        {
          "category": "summary",
          "text": "The affected application contains a stack exhaustion vulnerability while parsing a specially crafted X_T file. This could allow an attacker to cause denial of service condition.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001",
          "CSAFPID-0002",
          "CSAFPID-0003",
          "CSAFPID-0004"
        ]
      },
      "remediations": [
        {
          "category": "mitigation",
          "details": "Do not open untrusted XT files in Teamcenter Visualization and JT2Go",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "Update to V14.2.0.12 or later version",
          "product_ids": [
            "CSAFPID-0002"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "Update to V14.3.0.9 or later version",
          "product_ids": [
            "CSAFPID-0003"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "Update to V2312.0004 or later version",
          "product_ids": [
            "CSAFPID-0001"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "Update to V2312.0004 or later version",
          "product_ids": [
            "CSAFPID-0004"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 3.3,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004"
          ]
        }
      ],
      "title": "CVE-2024-26276"
    },
    {
      "cve": "CVE-2024-26277",
      "cwe": {
        "id": "CWE-476",
        "name": "NULL Pointer Dereference"
      },
      "notes": [
        {
          "category": "summary",
          "text": "The affected applications contain a null pointer dereference vulnerability while parsing specially crafted X_T files. An attacker could leverage this vulnerability to crash the application causing denial of service condition.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001",
          "CSAFPID-0002",
          "CSAFPID-0003",
          "CSAFPID-0004"
        ]
      },
      "remediations": [
        {
          "category": "mitigation",
          "details": "Do not open untrusted XT files in Teamcenter Visualization and JT2Go",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "Update to V14.2.0.12 or later version",
          "product_ids": [
            "CSAFPID-0002"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "Update to V14.3.0.9 or later version",
          "product_ids": [
            "CSAFPID-0003"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "Update to V2312.0004 or later version",
          "product_ids": [
            "CSAFPID-0001"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "Update to V2312.0004 or later version",
          "product_ids": [
            "CSAFPID-0004"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 3.3,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003",
            "CSAFPID-0004"
          ]
        }
      ],
      "title": "CVE-2024-26277"
    }
  ]
}

CERTFR-2024-AVI-0478

Vulnerability from certfr_avis - Published: - Updated:

De multiples vulnérabilités ont été découvertes dans les produits Siemens. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, une élévation de privilèges et un déni de service à distance.

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Impacted products

Vendor	Product	Description
Siemens	N/A	SINEC Traffic Analyzer versions antérieures à 1.2
Siemens	N/A	SIPLUS ET 200SP CP 1543SP-1 ISEC versions antérieures à 2.3
Siemens	N/A	SITOP UPS1600 EX 20 A Ethernet PROFINET versions antérieures à 2.5.4
Siemens	N/A	Teamcenter Visualization 14.3 versions antérieures à 14.3.0.9
Siemens	N/A	SITOP UPS1600 40 A Ethernet/ PROFINET versions antérieures à 2.5.4
Siemens	N/A	PCCX26 Ax 1703 PE, Contr, Communication Element versions antérieures à 06.05
Siemens	N/A	Tecnomatix Plant Simulation 2404 versions antérieures à 2404.0001
Siemens	N/A	TIM 1531 IRC versions antérieures à 2.4.8
Siemens	N/A	CPCX26 Central Processing/Communication versions antérieures à 06.02
Siemens	N/A	SITOP UPS1600 20 A Ethernet/ PROFINET versions antérieures à 2.5.4
Siemens	N/A	Teamcenter Visualization 2312 versions antérieures à 2312.0004
Siemens	N/A	JT2Go versions antérieures à 2312.0004
Siemens	N/A	les applications Mendix utilisant Mendix 10 versions antérieures à 10.11.0
Siemens	N/A	Tecnomatix Plant Simulation 2302 versions antérieures à 2302.0012
Siemens	N/A	SIPLUS TIM 1531 IRC versions antérieures à 2.4.8
Siemens	N/A	ETA5 Ethernet Int. 1x100TX IEC61850 Ed.2 versions antérieures à 03.27
Siemens	N/A	SITOP UPS1600 10 A Ethernet/ PROFINET versions antérieures à 2.5.4
Siemens	N/A	PowerSys versions antérieures à 3.11
Siemens	N/A	ETA4 Ethernet Interface IEC60870-5-104 versions antérieures à 10.46
Siemens	N/A	TIA Administrator versions antérieures à 3 SP2
Siemens	N/A	les applications Mendix utilisant Mendix 9 versions antérieures à 9.24.22
Siemens	N/A	ST7 ScadaConnect versions antérieures à 1.1
Siemens	N/A	SIPLUS ET 200SP CP 1543SP-1 ISEC TX RAIL versions antérieures à 2.3
Siemens	N/A	Teamcenter Visualization 14.2 toutes versions, aucun correctif n'est disponible
Siemens	N/A	les produits SCALANCE, se référer au bulletin de sécurité de l'éditeur (cf. section Documentation)
Siemens	N/A	SIPLUS ET 200SP CP 1542SP-1 IRC TX RAIL versions antérieures à 2.3
Siemens	N/A	les applications Mendix utilisant Mendix 10.6 versions antérieures à 10.6.9

References

Title

Publication Time

Tags

Bulletin de sécurité Siemens ssa-900277	2024-06-11	vendor-advisory
Bulletin de sécurité Siemens ssa-620338	2024-06-11	vendor-advisory
Bulletin de sécurité Siemens ssa-540640	2024-06-11	vendor-advisory
Bulletin de sécurité Siemens ssa-238730	2024-06-11	vendor-advisory
Bulletin de sécurité Siemens ssa-319319	2024-06-11	vendor-advisory
Bulletin de sécurité Siemens ssa-879734	2024-06-11	vendor-advisory
Bulletin de sécurité Siemens ssa-625862	2024-06-11	vendor-advisory
Bulletin de sécurité Siemens ssa-481506	2024-06-11	vendor-advisory
Bulletin de sécurité Siemens ssa-024584	2024-06-11	vendor-advisory
Bulletin de sécurité Siemens ssa-196737	2024-06-11	vendor-advisory
Bulletin de sécurité Siemens ssa-337522	2024-06-11	vendor-advisory
Bulletin de sécurité Siemens ssa-341067	2024-06-11	vendor-advisory
Bulletin de sécurité Siemens ssa-771940	2024-06-11	vendor-advisory
Bulletin de sécurité Siemens ssa-690517	2024-06-11	vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "SINEC Traffic Analyzer versions ant\u00e9rieures \u00e0 1.2",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Siemens",
          "scada": true
        }
      }
    },
    {
      "description": "SIPLUS ET 200SP CP 1543SP-1 ISEC versions ant\u00e9rieures \u00e0 2.3",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Siemens",
          "scada": true
        }
      }
    },
    {
      "description": "SITOP UPS1600 EX 20 A Ethernet PROFINET versions ant\u00e9rieures \u00e0 2.5.4",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Siemens",
          "scada": true
        }
      }
    },
    {
      "description": "Teamcenter Visualization 14.3 versions ant\u00e9rieures \u00e0 14.3.0.9",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Siemens",
          "scada": true
        }
      }
    },
    {
      "description": "SITOP UPS1600 40 A Ethernet/ PROFINET versions ant\u00e9rieures \u00e0 2.5.4",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Siemens",
          "scada": true
        }
      }
    },
    {
      "description": "PCCX26 Ax 1703 PE, Contr, Communication Element versions ant\u00e9rieures \u00e0 06.05",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Siemens",
          "scada": true
        }
      }
    },
    {
      "description": "Tecnomatix Plant Simulation 2404 versions ant\u00e9rieures \u00e0 2404.0001",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Siemens",
          "scada": true
        }
      }
    },
    {
      "description": "TIM 1531 IRC versions ant\u00e9rieures \u00e0 2.4.8",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Siemens",
          "scada": true
        }
      }
    },
    {
      "description": "CPCX26 Central Processing/Communication versions ant\u00e9rieures \u00e0 06.02",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Siemens",
          "scada": true
        }
      }
    },
    {
      "description": "SITOP UPS1600 20 A Ethernet/ PROFINET versions ant\u00e9rieures \u00e0 2.5.4",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Siemens",
          "scada": true
        }
      }
    },
    {
      "description": "Teamcenter Visualization 2312 versions ant\u00e9rieures \u00e0 2312.0004",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Siemens",
          "scada": true
        }
      }
    },
    {
      "description": "JT2Go versions ant\u00e9rieures \u00e0 2312.0004",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Siemens",
          "scada": true
        }
      }
    },
    {
      "description": "les applications Mendix utilisant Mendix 10 versions ant\u00e9rieures \u00e0 10.11.0",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Siemens",
          "scada": true
        }
      }
    },
    {
      "description": "Tecnomatix Plant Simulation 2302 versions ant\u00e9rieures \u00e0 2302.0012",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Siemens",
          "scada": true
        }
      }
    },
    {
      "description": "SIPLUS TIM 1531 IRC versions ant\u00e9rieures \u00e0 2.4.8",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Siemens",
          "scada": true
        }
      }
    },
    {
      "description": "ETA5 Ethernet Int. 1x100TX IEC61850 Ed.2 versions ant\u00e9rieures \u00e0 03.27",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Siemens",
          "scada": true
        }
      }
    },
    {
      "description": "SITOP UPS1600 10 A Ethernet/ PROFINET versions ant\u00e9rieures \u00e0 2.5.4",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Siemens",
          "scada": true
        }
      }
    },
    {
      "description": "PowerSys versions ant\u00e9rieures \u00e0 3.11",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Siemens",
          "scada": true
        }
      }
    },
    {
      "description": "ETA4 Ethernet Interface IEC60870-5-104 versions ant\u00e9rieures \u00e0 10.46",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Siemens",
          "scada": true
        }
      }
    },
    {
      "description": "TIA Administrator versions ant\u00e9rieures \u00e0 3 SP2",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Siemens",
          "scada": true
        }
      }
    },
    {
      "description": "les applications Mendix utilisant Mendix 9 versions ant\u00e9rieures \u00e0 9.24.22",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Siemens",
          "scada": true
        }
      }
    },
    {
      "description": "ST7 ScadaConnect versions ant\u00e9rieures \u00e0 1.1",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Siemens",
          "scada": true
        }
      }
    },
    {
      "description": "SIPLUS ET 200SP CP 1543SP-1 ISEC TX RAIL versions ant\u00e9rieures \u00e0 2.3",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Siemens",
          "scada": true
        }
      }
    },
    {
      "description": "Teamcenter Visualization 14.2 toutes versions, aucun correctif n\u0027est disponible",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Siemens",
          "scada": true
        }
      }
    },
    {
      "description": "les produits SCALANCE, se r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur (cf. section Documentation)",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Siemens",
          "scada": true
        }
      }
    },
    {
      "description": "SIPLUS ET 200SP CP 1542SP-1 IRC TX RAIL versions ant\u00e9rieures \u00e0 2.3",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Siemens",
          "scada": true
        }
      }
    },
    {
      "description": "les applications Mendix utilisant Mendix 10.6 versions ant\u00e9rieures \u00e0 10.6.9",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Siemens",
          "scada": true
        }
      }
    }
  ],
  "affected_systems_content": "",
  "content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
  "cves": [
    {
      "name": "CVE-2023-24895",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-24895"
    },
    {
      "name": "CVE-2023-49691",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-49691"
    },
    {
      "name": "CVE-2024-35207",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-35207"
    },
    {
      "name": "CVE-2023-33135",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-33135"
    },
    {
      "name": "CVE-2024-33500",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-33500"
    },
    {
      "name": "CVE-2023-35390",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-35390"
    },
    {
      "name": "CVE-2023-44317",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-44317"
    },
    {
      "name": "CVE-2024-35210",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-35210"
    },
    {
      "name": "CVE-2022-4304",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-4304"
    },
    {
      "name": "CVE-2023-38380",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-38380"
    },
    {
      "name": "CVE-2023-36794",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-36794"
    },
    {
      "name": "CVE-2024-36266",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-36266"
    },
    {
      "name": "CVE-2023-24897",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-24897"
    },
    {
      "name": "CVE-2022-44792",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-44792"
    },
    {
      "name": "CVE-2022-42329",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-42329"
    },
    {
      "name": "CVE-2024-35206",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-35206"
    },
    {
      "name": "CVE-2023-0215",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-0215"
    },
    {
      "name": "CVE-2023-35788",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-35788"
    },
    {
      "name": "CVE-2023-0286",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-0286"
    },
    {
      "name": "CVE-2023-24936",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-24936"
    },
    {
      "name": "CVE-2023-36792",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-36792"
    },
    {
      "name": "CVE-2022-3643",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-3643"
    },
    {
      "name": "CVE-2022-39189",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-39189"
    },
    {
      "name": "CVE-2022-46144",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-46144"
    },
    {
      "name": "CVE-2022-3435",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-3435"
    },
    {
      "name": "CVE-2023-44487",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-44487"
    },
    {
      "name": "CVE-2024-26277",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-26277"
    },
    {
      "name": "CVE-2022-40225",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-40225"
    },
    {
      "name": "CVE-2023-0466",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-0466"
    },
    {
      "name": "CVE-2023-35828",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-35828"
    },
    {
      "name": "CVE-2023-36049",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-36049"
    },
    {
      "name": "CVE-2023-0465",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-0465"
    },
    {
      "name": "CVE-2022-44793",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-44793"
    },
    {
      "name": "CVE-2024-35211",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-35211"
    },
    {
      "name": "CVE-2023-33127",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-33127"
    },
    {
      "name": "CVE-2021-47178",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-47178"
    },
    {
      "name": "CVE-2022-45919",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-45919"
    },
    {
      "name": "CVE-2023-33170",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-33170"
    },
    {
      "name": "CVE-2023-33128",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-33128"
    },
    {
      "name": "CVE-2023-41910",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-41910"
    },
    {
      "name": "CVE-2023-28484",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-28484"
    },
    {
      "name": "CVE-2023-28319",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-28319"
    },
    {
      "name": "CVE-2022-45886",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-45886"
    },
    {
      "name": "CVE-2022-1015",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-1015"
    },
    {
      "name": "CVE-2023-27321",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-27321"
    },
    {
      "name": "CVE-2024-31484",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-31484"
    },
    {
      "name": "CVE-2023-0464",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-0464"
    },
    {
      "name": "CVE-2022-41742",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-41742"
    },
    {
      "name": "CVE-2022-3545",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-3545"
    },
    {
      "name": "CVE-2023-26552",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-26552"
    },
    {
      "name": "CVE-2023-29469",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-29469"
    },
    {
      "name": "CVE-2023-0160",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-0160"
    },
    {
      "name": "CVE-2024-35212",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-35212"
    },
    {
      "name": "CVE-2022-40303",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-40303"
    },
    {
      "name": "CVE-2023-21255",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-21255"
    },
    {
      "name": "CVE-2024-26275",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-26275"
    },
    {
      "name": "CVE-2023-38180",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-38180"
    },
    {
      "name": "CVE-2023-35824",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-35824"
    },
    {
      "name": "CVE-2024-35209",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-35209"
    },
    {
      "name": "CVE-2022-42328",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-42328"
    },
    {
      "name": "CVE-2023-35823",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-35823"
    },
    {
      "name": "CVE-2023-38178",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-38178"
    },
    {
      "name": "CVE-2022-45887",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-45887"
    },
    {
      "name": "CVE-2024-0775",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-0775"
    },
    {
      "name": "CVE-2023-44319",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-44319"
    },
    {
      "name": "CVE-2023-32032",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-32032"
    },
    {
      "name": "CVE-2022-4450",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-4450"
    },
    {
      "name": "CVE-2023-26554",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-26554"
    },
    {
      "name": "CVE-2023-2269",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-2269"
    },
    {
      "name": "CVE-2024-35208",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-35208"
    },
    {
      "name": "CVE-2024-26276",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-26276"
    },
    {
      "name": "CVE-2023-1017",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-1017"
    },
    {
      "name": "CVE-2023-38171",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-38171"
    },
    {
      "name": "CVE-2023-28260",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-28260"
    },
    {
      "name": "CVE-2023-50763",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-50763"
    },
    {
      "name": "CVE-2022-3623",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-3623"
    },
    {
      "name": "CVE-2022-2097",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-2097"
    },
    {
      "name": "CVE-2023-29331",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-29331"
    },
    {
      "name": "CVE-2023-44374",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-44374"
    },
    {
      "name": "CVE-2023-38533",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-38533"
    },
    {
      "name": "CVE-2023-35829",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-35829"
    },
    {
      "name": "CVE-2023-36038",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-36038"
    },
    {
      "name": "CVE-2023-21808",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-21808"
    },
    {
      "name": "CVE-2023-36799",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-36799"
    },
    {
      "name": "CVE-2023-36435",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-36435"
    },
    {
      "name": "CVE-2023-26553",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-26553"
    },
    {
      "name": "CVE-2022-40304",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-40304"
    },
    {
      "name": "CVE-2023-35391",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-35391"
    },
    {
      "name": "CVE-2023-44373",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-44373"
    },
    {
      "name": "CVE-2023-39615",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-39615"
    },
    {
      "name": "CVE-2023-36796",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-36796"
    },
    {
      "name": "CVE-2023-3446",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-3446"
    },
    {
      "name": "CVE-2024-35303",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-35303"
    },
    {
      "name": "CVE-2023-5678",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-5678"
    },
    {
      "name": "CVE-2024-35292",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-35292"
    },
    {
      "name": "CVE-2023-36558",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-36558"
    },
    {
      "name": "CVE-2023-2124",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-2124"
    },
    {
      "name": "CVE-2023-33126",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-33126"
    },
    {
      "name": "CVE-2023-52474",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-52474"
    },
    {
      "name": "CVE-2023-44318",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-44318"
    },
    {
      "name": "CVE-2023-36793",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-36793"
    }
  ],
  "links": [],
  "reference": "CERTFR-2024-AVI-0478",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2024-06-11T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "\u00c9l\u00e9vation de privil\u00e8ges"
    },
    {
      "description": "D\u00e9ni de service \u00e0 distance"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    },
    {
      "description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Injection de requ\u00eates ill\u00e9gitimes par rebond (CSRF)"
    },
    {
      "description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits Siemens. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, une \u00e9l\u00e9vation de privil\u00e8ges et un d\u00e9ni de service \u00e0 distance.",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Siemens",
  "vendor_advisories": [
    {
      "published_at": "2024-06-11",
      "title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-900277",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-900277.html"
    },
    {
      "published_at": "2024-06-11",
      "title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-620338",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-620338.html"
    },
    {
      "published_at": "2024-06-11",
      "title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-540640",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-540640.html"
    },
    {
      "published_at": "2024-06-11",
      "title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-238730",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-238730.html"
    },
    {
      "published_at": "2024-06-11",
      "title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-319319",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-319319.html"
    },
    {
      "published_at": "2024-06-11",
      "title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-879734",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-879734.html"
    },
    {
      "published_at": "2024-06-11",
      "title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-625862",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-625862.html"
    },
    {
      "published_at": "2024-06-11",
      "title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-481506",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-481506.html"
    },
    {
      "published_at": "2024-06-11",
      "title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-024584",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-024584.html"
    },
    {
      "published_at": "2024-06-11",
      "title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-196737",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-196737.html"
    },
    {
      "published_at": "2024-06-11",
      "title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-337522",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-337522.html"
    },
    {
      "published_at": "2024-06-11",
      "title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-341067",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-341067.html"
    },
    {
      "published_at": "2024-06-11",
      "title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-771940",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-771940.html"
    },
    {
      "published_at": "2024-06-11",
      "title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-690517",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-690517.html"
    }
  ]
}

CERTFR-2024-AVI-0478

Vulnerability from certfr_avis - Published: - Updated:

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Impacted products

Vendor	Product	Description
Siemens	N/A	SINEC Traffic Analyzer versions antérieures à 1.2
Siemens	N/A	SIPLUS ET 200SP CP 1543SP-1 ISEC versions antérieures à 2.3
Siemens	N/A	SITOP UPS1600 EX 20 A Ethernet PROFINET versions antérieures à 2.5.4
Siemens	N/A	Teamcenter Visualization 14.3 versions antérieures à 14.3.0.9
Siemens	N/A	SITOP UPS1600 40 A Ethernet/ PROFINET versions antérieures à 2.5.4
Siemens	N/A	PCCX26 Ax 1703 PE, Contr, Communication Element versions antérieures à 06.05
Siemens	N/A	Tecnomatix Plant Simulation 2404 versions antérieures à 2404.0001
Siemens	N/A	TIM 1531 IRC versions antérieures à 2.4.8
Siemens	N/A	CPCX26 Central Processing/Communication versions antérieures à 06.02
Siemens	N/A	SITOP UPS1600 20 A Ethernet/ PROFINET versions antérieures à 2.5.4
Siemens	N/A	Teamcenter Visualization 2312 versions antérieures à 2312.0004
Siemens	N/A	JT2Go versions antérieures à 2312.0004
Siemens	N/A	les applications Mendix utilisant Mendix 10 versions antérieures à 10.11.0
Siemens	N/A	Tecnomatix Plant Simulation 2302 versions antérieures à 2302.0012
Siemens	N/A	SIPLUS TIM 1531 IRC versions antérieures à 2.4.8
Siemens	N/A	ETA5 Ethernet Int. 1x100TX IEC61850 Ed.2 versions antérieures à 03.27
Siemens	N/A	SITOP UPS1600 10 A Ethernet/ PROFINET versions antérieures à 2.5.4
Siemens	N/A	PowerSys versions antérieures à 3.11
Siemens	N/A	ETA4 Ethernet Interface IEC60870-5-104 versions antérieures à 10.46
Siemens	N/A	TIA Administrator versions antérieures à 3 SP2
Siemens	N/A	les applications Mendix utilisant Mendix 9 versions antérieures à 9.24.22
Siemens	N/A	ST7 ScadaConnect versions antérieures à 1.1
Siemens	N/A	SIPLUS ET 200SP CP 1543SP-1 ISEC TX RAIL versions antérieures à 2.3
Siemens	N/A	Teamcenter Visualization 14.2 toutes versions, aucun correctif n'est disponible
Siemens	N/A	les produits SCALANCE, se référer au bulletin de sécurité de l'éditeur (cf. section Documentation)
Siemens	N/A	SIPLUS ET 200SP CP 1542SP-1 IRC TX RAIL versions antérieures à 2.3
Siemens	N/A	les applications Mendix utilisant Mendix 10.6 versions antérieures à 10.6.9

References

Title

Publication Time

Tags

Bulletin de sécurité Siemens ssa-900277	2024-06-11	vendor-advisory
Bulletin de sécurité Siemens ssa-620338	2024-06-11	vendor-advisory
Bulletin de sécurité Siemens ssa-540640	2024-06-11	vendor-advisory
Bulletin de sécurité Siemens ssa-238730	2024-06-11	vendor-advisory
Bulletin de sécurité Siemens ssa-319319	2024-06-11	vendor-advisory
Bulletin de sécurité Siemens ssa-879734	2024-06-11	vendor-advisory
Bulletin de sécurité Siemens ssa-625862	2024-06-11	vendor-advisory
Bulletin de sécurité Siemens ssa-481506	2024-06-11	vendor-advisory
Bulletin de sécurité Siemens ssa-024584	2024-06-11	vendor-advisory
Bulletin de sécurité Siemens ssa-196737	2024-06-11	vendor-advisory
Bulletin de sécurité Siemens ssa-337522	2024-06-11	vendor-advisory
Bulletin de sécurité Siemens ssa-341067	2024-06-11	vendor-advisory
Bulletin de sécurité Siemens ssa-771940	2024-06-11	vendor-advisory
Bulletin de sécurité Siemens ssa-690517	2024-06-11	vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "SINEC Traffic Analyzer versions ant\u00e9rieures \u00e0 1.2",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Siemens",
          "scada": true
        }
      }
    },
    {
      "description": "SIPLUS ET 200SP CP 1543SP-1 ISEC versions ant\u00e9rieures \u00e0 2.3",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Siemens",
          "scada": true
        }
      }
    },
    {
      "description": "SITOP UPS1600 EX 20 A Ethernet PROFINET versions ant\u00e9rieures \u00e0 2.5.4",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Siemens",
          "scada": true
        }
      }
    },
    {
      "description": "Teamcenter Visualization 14.3 versions ant\u00e9rieures \u00e0 14.3.0.9",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Siemens",
          "scada": true
        }
      }
    },
    {
      "description": "SITOP UPS1600 40 A Ethernet/ PROFINET versions ant\u00e9rieures \u00e0 2.5.4",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Siemens",
          "scada": true
        }
      }
    },
    {
      "description": "PCCX26 Ax 1703 PE, Contr, Communication Element versions ant\u00e9rieures \u00e0 06.05",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Siemens",
          "scada": true
        }
      }
    },
    {
      "description": "Tecnomatix Plant Simulation 2404 versions ant\u00e9rieures \u00e0 2404.0001",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Siemens",
          "scada": true
        }
      }
    },
    {
      "description": "TIM 1531 IRC versions ant\u00e9rieures \u00e0 2.4.8",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Siemens",
          "scada": true
        }
      }
    },
    {
      "description": "CPCX26 Central Processing/Communication versions ant\u00e9rieures \u00e0 06.02",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Siemens",
          "scada": true
        }
      }
    },
    {
      "description": "SITOP UPS1600 20 A Ethernet/ PROFINET versions ant\u00e9rieures \u00e0 2.5.4",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Siemens",
          "scada": true
        }
      }
    },
    {
      "description": "Teamcenter Visualization 2312 versions ant\u00e9rieures \u00e0 2312.0004",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Siemens",
          "scada": true
        }
      }
    },
    {
      "description": "JT2Go versions ant\u00e9rieures \u00e0 2312.0004",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Siemens",
          "scada": true
        }
      }
    },
    {
      "description": "les applications Mendix utilisant Mendix 10 versions ant\u00e9rieures \u00e0 10.11.0",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Siemens",
          "scada": true
        }
      }
    },
    {
      "description": "Tecnomatix Plant Simulation 2302 versions ant\u00e9rieures \u00e0 2302.0012",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Siemens",
          "scada": true
        }
      }
    },
    {
      "description": "SIPLUS TIM 1531 IRC versions ant\u00e9rieures \u00e0 2.4.8",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Siemens",
          "scada": true
        }
      }
    },
    {
      "description": "ETA5 Ethernet Int. 1x100TX IEC61850 Ed.2 versions ant\u00e9rieures \u00e0 03.27",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Siemens",
          "scada": true
        }
      }
    },
    {
      "description": "SITOP UPS1600 10 A Ethernet/ PROFINET versions ant\u00e9rieures \u00e0 2.5.4",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Siemens",
          "scada": true
        }
      }
    },
    {
      "description": "PowerSys versions ant\u00e9rieures \u00e0 3.11",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Siemens",
          "scada": true
        }
      }
    },
    {
      "description": "ETA4 Ethernet Interface IEC60870-5-104 versions ant\u00e9rieures \u00e0 10.46",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Siemens",
          "scada": true
        }
      }
    },
    {
      "description": "TIA Administrator versions ant\u00e9rieures \u00e0 3 SP2",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Siemens",
          "scada": true
        }
      }
    },
    {
      "description": "les applications Mendix utilisant Mendix 9 versions ant\u00e9rieures \u00e0 9.24.22",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Siemens",
          "scada": true
        }
      }
    },
    {
      "description": "ST7 ScadaConnect versions ant\u00e9rieures \u00e0 1.1",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Siemens",
          "scada": true
        }
      }
    },
    {
      "description": "SIPLUS ET 200SP CP 1543SP-1 ISEC TX RAIL versions ant\u00e9rieures \u00e0 2.3",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Siemens",
          "scada": true
        }
      }
    },
    {
      "description": "Teamcenter Visualization 14.2 toutes versions, aucun correctif n\u0027est disponible",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Siemens",
          "scada": true
        }
      }
    },
    {
      "description": "les produits SCALANCE, se r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur (cf. section Documentation)",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Siemens",
          "scada": true
        }
      }
    },
    {
      "description": "SIPLUS ET 200SP CP 1542SP-1 IRC TX RAIL versions ant\u00e9rieures \u00e0 2.3",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Siemens",
          "scada": true
        }
      }
    },
    {
      "description": "les applications Mendix utilisant Mendix 10.6 versions ant\u00e9rieures \u00e0 10.6.9",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Siemens",
          "scada": true
        }
      }
    }
  ],
  "affected_systems_content": "",
  "content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
  "cves": [
    {
      "name": "CVE-2023-24895",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-24895"
    },
    {
      "name": "CVE-2023-49691",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-49691"
    },
    {
      "name": "CVE-2024-35207",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-35207"
    },
    {
      "name": "CVE-2023-33135",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-33135"
    },
    {
      "name": "CVE-2024-33500",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-33500"
    },
    {
      "name": "CVE-2023-35390",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-35390"
    },
    {
      "name": "CVE-2023-44317",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-44317"
    },
    {
      "name": "CVE-2024-35210",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-35210"
    },
    {
      "name": "CVE-2022-4304",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-4304"
    },
    {
      "name": "CVE-2023-38380",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-38380"
    },
    {
      "name": "CVE-2023-36794",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-36794"
    },
    {
      "name": "CVE-2024-36266",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-36266"
    },
    {
      "name": "CVE-2023-24897",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-24897"
    },
    {
      "name": "CVE-2022-44792",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-44792"
    },
    {
      "name": "CVE-2022-42329",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-42329"
    },
    {
      "name": "CVE-2024-35206",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-35206"
    },
    {
      "name": "CVE-2023-0215",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-0215"
    },
    {
      "name": "CVE-2023-35788",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-35788"
    },
    {
      "name": "CVE-2023-0286",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-0286"
    },
    {
      "name": "CVE-2023-24936",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-24936"
    },
    {
      "name": "CVE-2023-36792",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-36792"
    },
    {
      "name": "CVE-2022-3643",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-3643"
    },
    {
      "name": "CVE-2022-39189",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-39189"
    },
    {
      "name": "CVE-2022-46144",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-46144"
    },
    {
      "name": "CVE-2022-3435",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-3435"
    },
    {
      "name": "CVE-2023-44487",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-44487"
    },
    {
      "name": "CVE-2024-26277",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-26277"
    },
    {
      "name": "CVE-2022-40225",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-40225"
    },
    {
      "name": "CVE-2023-0466",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-0466"
    },
    {
      "name": "CVE-2023-35828",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-35828"
    },
    {
      "name": "CVE-2023-36049",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-36049"
    },
    {
      "name": "CVE-2023-0465",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-0465"
    },
    {
      "name": "CVE-2022-44793",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-44793"
    },
    {
      "name": "CVE-2024-35211",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-35211"
    },
    {
      "name": "CVE-2023-33127",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-33127"
    },
    {
      "name": "CVE-2021-47178",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-47178"
    },
    {
      "name": "CVE-2022-45919",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-45919"
    },
    {
      "name": "CVE-2023-33170",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-33170"
    },
    {
      "name": "CVE-2023-33128",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-33128"
    },
    {
      "name": "CVE-2023-41910",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-41910"
    },
    {
      "name": "CVE-2023-28484",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-28484"
    },
    {
      "name": "CVE-2023-28319",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-28319"
    },
    {
      "name": "CVE-2022-45886",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-45886"
    },
    {
      "name": "CVE-2022-1015",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-1015"
    },
    {
      "name": "CVE-2023-27321",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-27321"
    },
    {
      "name": "CVE-2024-31484",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-31484"
    },
    {
      "name": "CVE-2023-0464",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-0464"
    },
    {
      "name": "CVE-2022-41742",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-41742"
    },
    {
      "name": "CVE-2022-3545",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-3545"
    },
    {
      "name": "CVE-2023-26552",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-26552"
    },
    {
      "name": "CVE-2023-29469",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-29469"
    },
    {
      "name": "CVE-2023-0160",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-0160"
    },
    {
      "name": "CVE-2024-35212",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-35212"
    },
    {
      "name": "CVE-2022-40303",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-40303"
    },
    {
      "name": "CVE-2023-21255",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-21255"
    },
    {
      "name": "CVE-2024-26275",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-26275"
    },
    {
      "name": "CVE-2023-38180",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-38180"
    },
    {
      "name": "CVE-2023-35824",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-35824"
    },
    {
      "name": "CVE-2024-35209",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-35209"
    },
    {
      "name": "CVE-2022-42328",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-42328"
    },
    {
      "name": "CVE-2023-35823",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-35823"
    },
    {
      "name": "CVE-2023-38178",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-38178"
    },
    {
      "name": "CVE-2022-45887",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-45887"
    },
    {
      "name": "CVE-2024-0775",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-0775"
    },
    {
      "name": "CVE-2023-44319",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-44319"
    },
    {
      "name": "CVE-2023-32032",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-32032"
    },
    {
      "name": "CVE-2022-4450",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-4450"
    },
    {
      "name": "CVE-2023-26554",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-26554"
    },
    {
      "name": "CVE-2023-2269",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-2269"
    },
    {
      "name": "CVE-2024-35208",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-35208"
    },
    {
      "name": "CVE-2024-26276",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-26276"
    },
    {
      "name": "CVE-2023-1017",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-1017"
    },
    {
      "name": "CVE-2023-38171",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-38171"
    },
    {
      "name": "CVE-2023-28260",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-28260"
    },
    {
      "name": "CVE-2023-50763",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-50763"
    },
    {
      "name": "CVE-2022-3623",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-3623"
    },
    {
      "name": "CVE-2022-2097",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-2097"
    },
    {
      "name": "CVE-2023-29331",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-29331"
    },
    {
      "name": "CVE-2023-44374",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-44374"
    },
    {
      "name": "CVE-2023-38533",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-38533"
    },
    {
      "name": "CVE-2023-35829",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-35829"
    },
    {
      "name": "CVE-2023-36038",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-36038"
    },
    {
      "name": "CVE-2023-21808",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-21808"
    },
    {
      "name": "CVE-2023-36799",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-36799"
    },
    {
      "name": "CVE-2023-36435",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-36435"
    },
    {
      "name": "CVE-2023-26553",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-26553"
    },
    {
      "name": "CVE-2022-40304",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-40304"
    },
    {
      "name": "CVE-2023-35391",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-35391"
    },
    {
      "name": "CVE-2023-44373",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-44373"
    },
    {
      "name": "CVE-2023-39615",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-39615"
    },
    {
      "name": "CVE-2023-36796",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-36796"
    },
    {
      "name": "CVE-2023-3446",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-3446"
    },
    {
      "name": "CVE-2024-35303",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-35303"
    },
    {
      "name": "CVE-2023-5678",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-5678"
    },
    {
      "name": "CVE-2024-35292",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-35292"
    },
    {
      "name": "CVE-2023-36558",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-36558"
    },
    {
      "name": "CVE-2023-2124",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-2124"
    },
    {
      "name": "CVE-2023-33126",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-33126"
    },
    {
      "name": "CVE-2023-52474",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-52474"
    },
    {
      "name": "CVE-2023-44318",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-44318"
    },
    {
      "name": "CVE-2023-36793",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-36793"
    }
  ],
  "links": [],
  "reference": "CERTFR-2024-AVI-0478",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2024-06-11T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "\u00c9l\u00e9vation de privil\u00e8ges"
    },
    {
      "description": "D\u00e9ni de service \u00e0 distance"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    },
    {
      "description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Injection de requ\u00eates ill\u00e9gitimes par rebond (CSRF)"
    },
    {
      "description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits Siemens. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, une \u00e9l\u00e9vation de privil\u00e8ges et un d\u00e9ni de service \u00e0 distance.",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Siemens",
  "vendor_advisories": [
    {
      "published_at": "2024-06-11",
      "title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-900277",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-900277.html"
    },
    {
      "published_at": "2024-06-11",
      "title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-620338",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-620338.html"
    },
    {
      "published_at": "2024-06-11",
      "title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-540640",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-540640.html"
    },
    {
      "published_at": "2024-06-11",
      "title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-238730",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-238730.html"
    },
    {
      "published_at": "2024-06-11",
      "title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-319319",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-319319.html"
    },
    {
      "published_at": "2024-06-11",
      "title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-879734",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-879734.html"
    },
    {
      "published_at": "2024-06-11",
      "title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-625862",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-625862.html"
    },
    {
      "published_at": "2024-06-11",
      "title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-481506",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-481506.html"
    },
    {
      "published_at": "2024-06-11",
      "title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-024584",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-024584.html"
    },
    {
      "published_at": "2024-06-11",
      "title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-196737",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-196737.html"
    },
    {
      "published_at": "2024-06-11",
      "title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-337522",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-337522.html"
    },
    {
      "published_at": "2024-06-11",
      "title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-341067",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-341067.html"
    },
    {
      "published_at": "2024-06-11",
      "title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-771940",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-771940.html"
    },
    {
      "published_at": "2024-06-11",
      "title": "Bulletin de s\u00e9curit\u00e9 Siemens ssa-690517",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-690517.html"
    }
  ]
}

WID-SEC-W-2024-1333

Vulnerability from csaf_certbund - Published: 2024-06-10 22:00 - Updated: 2024-06-10 22:00

Summary

Siemens JT2Go: Mehrere Schwachstellen ermöglichen Codeausführung und Denial of Service

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

JT ist ein von Siemens Ditgital Industries entwickeltes Datenformat. JT2Go ist ein kostenloser Betrachter für 3D-JT-Daten.

Angriff

Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Siemens JT2Go ausnutzen, um beliebigen Programmcode auszuführen und einen Denial-of-Service-Zustand zu erzeugen.

Betroffene Betriebssysteme

- Sonstiges - Windows

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "mittel"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "JT ist ein von Siemens Ditgital Industries entwickeltes Datenformat. JT2Go ist ein kostenloser Betrachter f\u00fcr 3D-JT-Daten.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Siemens JT2Go ausnutzen, um beliebigen Programmcode auszuf\u00fchren und einen Denial-of-Service-Zustand zu erzeugen.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Sonstiges\n- Windows",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2024-1333 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-1333.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2024-1333 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-1333"
      },
      {
        "category": "external",
        "summary": "Siemens Security Advisory by Siemens ProductCERT vom 2024-06-10",
        "url": "https://cert-portal.siemens.com/productcert/html/ssa-771940.html"
      }
    ],
    "source_lang": "en-US",
    "title": "Siemens JT2Go: Mehrere Schwachstellen erm\u00f6glichen Codeausf\u00fchrung und Denial of Service",
    "tracking": {
      "current_release_date": "2024-06-10T22:00:00.000+00:00",
      "generator": {
        "date": "2024-08-15T18:10:00.255+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.3.5"
        }
      },
      "id": "WID-SEC-W-2024-1333",
      "initial_release_date": "2024-06-10T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2024-06-10T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003cV2312.0004",
                "product": {
                  "name": "Siemens JT2Go \u003cV2312.0004",
                  "product_id": "T035312"
                }
              }
            ],
            "category": "product_name",
            "name": "JT2Go"
          }
        ],
        "category": "vendor",
        "name": "Siemens"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-26275",
      "notes": [
        {
          "category": "description",
          "text": "In Siemens JT2Go existieren mehrere Schwachstellen. Diese Fehler werden ausgel\u00f6st, wenn die Anwendung Dateien im X_T-Format liest, und zwar aufgrund von Out-of-bounds-Read, Stack-Exhaustion und Null-Pointer-Dereferenz. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren und einen Denial-of-Service-Zustand zu erzeugen. Eine erfolgreiche Ausnutzung erfordert eine Benutzerinteraktion."
        }
      ],
      "release_date": "2024-06-10T22:00:00.000+00:00",
      "title": "CVE-2024-26275"
    },
    {
      "cve": "CVE-2024-26276",
      "notes": [
        {
          "category": "description",
          "text": "In Siemens JT2Go existieren mehrere Schwachstellen. Diese Fehler werden ausgel\u00f6st, wenn die Anwendung Dateien im X_T-Format liest, und zwar aufgrund von Out-of-bounds-Read, Stack-Exhaustion und Null-Pointer-Dereferenz. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren und einen Denial-of-Service-Zustand zu erzeugen. Eine erfolgreiche Ausnutzung erfordert eine Benutzerinteraktion."
        }
      ],
      "release_date": "2024-06-10T22:00:00.000+00:00",
      "title": "CVE-2024-26276"
    },
    {
      "cve": "CVE-2024-26277",
      "notes": [
        {
          "category": "description",
          "text": "In Siemens JT2Go existieren mehrere Schwachstellen. Diese Fehler werden ausgel\u00f6st, wenn die Anwendung Dateien im X_T-Format liest, und zwar aufgrund von Out-of-bounds-Read, Stack-Exhaustion und Null-Pointer-Dereferenz. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren und einen Denial-of-Service-Zustand zu erzeugen. Eine erfolgreiche Ausnutzung erfordert eine Benutzerinteraktion."
        }
      ],
      "release_date": "2024-06-10T22:00:00.000+00:00",
      "title": "CVE-2024-26277"
    }
  ]
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2024-26276 (GCVE-0-2024-26276)

Solutions

Solutions

Tags

Sightings

Nomenclature