github - ghsa-56c5-9v4w-8rjp

ghsa-56c5-9v4w-8rjp

Vulnerability from github

Published

2024-06-12 21:31

Modified

2024-06-12 21:31

Details

There is a vulnerability in AVEVA PI Web API that could allow malicious code to execute on the PI Web API environment under the privileges of an interactive user that was socially engineered to use API XML import functionality with content supplied by an attacker.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-3468"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-12T21:15:50Z",
    "severity": null
  },
  "details": "There is a vulnerability in AVEVA PI Web API that could allow malicious code to execute on the PI Web API environment under the privileges of an interactive user that was socially engineered to use API XML import functionality with content supplied by an attacker.",
  "id": "GHSA-56c5-9v4w-8rjp",
  "modified": "2024-06-12T21:31:19Z",
  "published": "2024-06-12T21:31:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3468"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-163-02"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

cve-2024-3468

Vulnerability from cvelistv5

Published

2024-06-12 21:04

Modified

2024-08-01 20:12

Severity

8.4 (High) - cvssV4_0 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N

Summary

Deserialization of Untrusted Data in AVEVA PI Web API

References

URL	Tags
https://www.cisa.gov/news-events/ics-advisories/icsa-24-163-02	government-resource

Impacted products

Vendor	Product
AVEVA	PI Web API

Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-3468",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-06-13T19:42:01.196496Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-13T19:42:12.412Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T20:12:07.636Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "government-resource",
              "x_transferred"
            ],
            "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-163-02"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "PI Web API",
          "vendor": "AVEVA",
          "versions": [
            {
              "lessThanOrEqual": "2023",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "AVEVA reported this vulnerability to CISA."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "There is a vulnerability in AVEVA PI Web API that could allow malicious code to execute on the PI Web API environment under the privileges of an interactive user that was socially engineered to use API XML import functionality with content supplied by an attacker."
            }
          ],
          "value": "There is a vulnerability in AVEVA PI Web API that could allow malicious code to execute on the PI Web API environment under the privileges of an interactive user that was socially engineered to use API XML import functionality with content supplied by an attacker."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.4,
            "baseSeverity": "HIGH",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "ACTIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-502",
              "description": "CWE-502 Deserialization of Untrusted Data",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-06-12T21:04:28.259Z",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "tags": [
            "government-resource"
          ],
          "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-163-02"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eAVEVA recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation. Customers using affected products should apply security updates as soon as possible:\u003c/p\u003e\u003cp\u003eFrom \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://my.osisoft.com/\"\u003eOSI Soft Customer Portal\u003c/a\u003e, search for \"PI Web API\" and select version \"2023 SP1\" or later.\u003c/p\u003e\u003cp\u003e(Alternative) PI Web API 2021 SP3 can be fixed by upgrading PI AF Client to one of the versions specified in AVEVA Security Bulletin AVEVA-2024-004 / ICSA-24-163-03\u003c/p\u003e\u003cp\u003eAVEVA further recommends users follow general defensive measures:\u003c/p\u003e\u003cul\u003e\u003cli\u003eSet \"DisableWrites\" configuration setting to true, if this instance of PI Web API is used only for reading data or GET requests.\u003c/li\u003e\u003cli\u003eUninstall Core Endpoints feature if this instance of PI Web API is used only for data collection from AVEVA Adapters. Keep OMF feature installed.\u003c/li\u003e\u003cli\u003eLimit AF Servers\u0027 Administrators, so that most of the PI Web API user accounts don\u0027t have the permission to change the backend AF servers.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eFor additional information please refer to \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.aveva.com/en/support-and-success/cyber-security-updates/\"\u003eAVEVA-2024-003\u003c/a\u003e\u003c/p\u003e\n\n\u003cbr\u003e"
            }
          ],
          "value": "AVEVA recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation. Customers using affected products should apply security updates as soon as possible:\n\nFrom  OSI Soft Customer Portal https://my.osisoft.com/ , search for \"PI Web API\" and select version \"2023 SP1\" or later.\n\n(Alternative) PI Web API 2021 SP3 can be fixed by upgrading PI AF Client to one of the versions specified in AVEVA Security Bulletin AVEVA-2024-004 / ICSA-24-163-03\n\nAVEVA further recommends users follow general defensive measures:\n\n  *  Set \"DisableWrites\" configuration setting to true, if this instance of PI Web API is used only for reading data or GET requests.\n  *  Uninstall Core Endpoints feature if this instance of PI Web API is used only for data collection from AVEVA Adapters. Keep OMF feature installed.\n  *  Limit AF Servers\u0027 Administrators, so that most of the PI Web API user accounts don\u0027t have the permission to change the backend AF servers.\n\n\nFor additional information please refer to  AVEVA-2024-003 https://www.aveva.com/en/support-and-success/cyber-security-updates/"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Deserialization of Untrusted Data in AVEVA PI Web API",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2024-3468",
    "datePublished": "2024-06-12T21:04:28.259Z",
    "dateReserved": "2024-04-08T15:55:44.887Z",
    "dateUpdated": "2024-08-01T20:12:07.636Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Log in or create an account to share your comment.

Tags

Taxonomy of the tags.