cve-2024-3980
Vulnerability from cvelistv5
Published
2024-08-27 12:42
Modified
2024-10-29 13:35
Severity ?
9.9 (Critical) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Summary
The MicroSCADA Pro/X SYS600 product allows an authenticated user input to control or influence paths or file names that are used in filesystem operations. If exploited the vulnerability allows the attacker to access or modify system files or other files that are critical to the application.
References
cybersecurity@hitachienergy.comhttps://publisher.hitachienergy.com/preview?DocumentID=8DBD000160&LanguageCode=en&DocumentPartId=&Action=LaunchVendor Advisory
Impacted products
Hitachi EnergyMicroSCADA X SYS600
Hitachi EnergyMicroSCADA Pro SYS600
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:hitachienergy:microscada_sys600:10.0:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "microscada_sys600",
            "vendor": "hitachienergy",
            "versions": [
              {
                "lessThanOrEqual": "10.5",
                "status": "affected",
                "version": "10.0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-3980",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-08-28T14:10:05.924302Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-08-28T14:15:23.862Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "MicroSCADA X SYS600",
          "vendor": "Hitachi Energy",
          "versions": [
            {
              "lessThanOrEqual": "10.5",
              "status": "affected",
              "version": "10.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MicroSCADA Pro SYS600",
          "vendor": "Hitachi Energy",
          "versions": [
            {
              "lessThanOrEqual": "9.4 FP2 HF5",
              "status": "affected",
              "version": "9.4 FP2 HF1",
              "versionType": "custom"
            },
            {
              "status": "affected",
              "version": "9.4 FP1",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "The MicroSCADA Pro/X SYS600 product allows an authenticated user input to control or influence paths or file names\nthat are used in filesystem operations. If exploited the vulnerability allows the attacker to access or modify system files or\nother files that are critical to the application."
            }
          ],
          "value": "The MicroSCADA Pro/X SYS600 product allows an authenticated user input to control or influence paths or file names\nthat are used in filesystem operations. If exploited the vulnerability allows the attacker to access or modify system files or\nother files that are critical to the application."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-38",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-38 Leveraging/Manipulating Configuration File Search Paths"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.9,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "MicroSCADA X SYS600"
            }
          ]
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "MicroSCADA Pro SYS600"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-10-29T13:35:30.374Z",
        "orgId": "e383dce4-0c27-4495-91c4-0db157728d17",
        "shortName": "Hitachi Energy"
      },
      "references": [
        {
          "url": "https://publisher.hitachienergy.com/preview?DocumentID=8DBD000160\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "e383dce4-0c27-4495-91c4-0db157728d17",
    "assignerShortName": "Hitachi Energy",
    "cveId": "CVE-2024-3980",
    "datePublished": "2024-08-27T12:42:41.124Z",
    "dateReserved": "2024-04-19T12:45:24.793Z",
    "dateUpdated": "2024-10-29T13:35:30.374Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-3980\",\"sourceIdentifier\":\"cybersecurity@hitachienergy.com\",\"published\":\"2024-08-27T13:15:05.210\",\"lastModified\":\"2024-10-30T15:33:12.697\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The MicroSCADA Pro/X SYS600 product allows an authenticated user input to control or influence paths or file names\\nthat are used in filesystem operations. If exploited the vulnerability allows the attacker to access or modify system files or\\nother files that are critical to the application.\"},{\"lang\":\"es\",\"value\":\"El producto permite que el usuario controle o influya en las rutas o nombres de archivos que se utilizan en las operaciones del sistema de archivos, lo que permite al atacante acceder o modificar archivos del sistema u otros archivos que son cr\u00edticos para la aplicaci\u00f3n.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9},{\"source\":\"cybersecurity@hitachienergy.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\",\"baseScore\":9.9,\"baseSeverity\":\"CRITICAL\"},\"exploitabilityScore\":3.1,\"impactScore\":6.0}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-22\"}]},{\"source\":\"cybersecurity@hitachienergy.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-22\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:hitachienergy:microscada_pro_sys600:9.4:fixpack_1:*:*:*:*:*:*\",\"matchCriteriaId\":\"BC4CE02B-F8CF-4A9E-B9FC-AEFE59F4BCE2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:hitachienergy:microscada_pro_sys600:9.4:fixpack_2_hf1:*:*:*:*:*:*\",\"matchCriteriaId\":\"0B90ED6E-68E4-4C14-B275-F44BAC1B9C5C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:hitachienergy:microscada_pro_sys600:9.4:fixpack_2_hf2:*:*:*:*:*:*\",\"matchCriteriaId\":\"196E08EA-807C-4B7B-981A-96D106AC328B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:hitachienergy:microscada_pro_sys600:9.4:fixpack_2_hf3:*:*:*:*:*:*\",\"matchCriteriaId\":\"680FAE83-9D7A-4AD9-AFBE-480FD105ADC9\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:hitachienergy:microscada_pro_sys600:9.4:fixpack_2_hf4:*:*:*:*:*:*\",\"matchCriteriaId\":\"014C8428-8F88-4C3D-B9B1-87DE26867471\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:hitachienergy:microscada_pro_sys600:9.4:fixpack_2_hf5:*:*:*:*:*:*\",\"matchCriteriaId\":\"06AFA271-0785-4526-B7DA-FA00672CC5B5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:hitachienergy:microscada_x_sys600:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"10.0\",\"versionEndExcluding\":\"10.6\",\"matchCriteriaId\":\"AEAAFA90-ACFF-47E2-A23D-728912D74B99\"}]}]}],\"references\":[{\"url\":\"https://publisher.hitachienergy.com/preview?DocumentID=8DBD000160\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch\",\"source\":\"cybersecurity@hitachienergy.com\",\"tags\":[\"Vendor Advisory\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.