github - ghsa-7v42-6p37-f6j2

ghsa-7v42-6p37-f6j2

Vulnerability from github

Published

2024-10-23 00:31

Modified

2024-10-23 00:31

Severity ?

9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.3 (Critical) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Details

Kieback & Peter's DDC4000 series is vulnerable to a path traversal vulnerability, which may allow an unauthenticated attacker to read files on the system.

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2024-41717"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-22T22:15:04Z",
    "severity": "CRITICAL"
  },
  "details": "Kieback \u0026 Peter\u0027s DDC4000 series\u00a0is vulnerable to a path traversal vulnerability, which may allow an unauthenticated attacker to read files on the system.",
  "id": "GHSA-7v42-6p37-f6j2",
  "modified": "2024-10-23T00:31:44Z",
  "published": "2024-10-23T00:31:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-41717"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-291-05"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

cve-2024-41717

Vulnerability from cvelistv5

Published

2024-10-22 21:13

Modified

2024-10-23 14:43

Severity ?

9.3 (Critical) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

Kieback&Peter DDC4000 Series Path Traversal

References

▼	URL	Tags
	https://www.cisa.gov/news-events/ics-advisories/icsa-24-291-05

Impacted products

▼	Vendor	Product
	Kieback & Peter	DDC4040e
	Kieback&Peter	DDC4020e
	Kieback&Peter	DDC4400e
	Kieback&Peter	DDC4200e
	Kieback&Peter	DDC4002e
	Kieback&Peter	DDC4400
	Kieback&Peter	DDC4200-L
	Kieback&Peter	DDC4200
	Kieback&Peter	DDC4100
	Kieback&Peter	DDC4002

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:o:kieback\\\u0026peter:ddc4400_firmware:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "ddc4400_firmware",
            "vendor": "kieback\\\u0026peter",
            "versions": [
              {
                "lessThanOrEqual": "1.12.14",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:o:kieback\\\u0026peter:ddc4002e_firmware:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "ddc4002e_firmware",
            "vendor": "kieback\\\u0026peter",
            "versions": [
              {
                "lessThanOrEqual": "1.17.6",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:o:kieback\\\u0026peter:ddc4200e_firmware:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "ddc4200e_firmware",
            "vendor": "kieback\\\u0026peter",
            "versions": [
              {
                "lessThanOrEqual": "1.17.6",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:o:kieback\\\u0026peter:ddc4002_firmware:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "ddc4002_firmware",
            "vendor": "kieback\\\u0026peter",
            "versions": [
              {
                "lessThanOrEqual": "1.12.14",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:o:kieback\\\u0026peter:ddc4100_firmware:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "ddc4100_firmware",
            "vendor": "kieback\\\u0026peter",
            "versions": [
              {
                "lessThanOrEqual": "1.7.4",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:o:kieback\\\u0026peter:ddc4200_firmware:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "ddc4200_firmware",
            "vendor": "kieback\\\u0026peter",
            "versions": [
              {
                "lessThanOrEqual": "1.12.14",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:o:kieback\\\u0026peter:ddc4200-l_firmware:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "ddc4200-l_firmware",
            "vendor": "kieback\\\u0026peter",
            "versions": [
              {
                "lessThanOrEqual": "1.12.14",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:o:kieback\\\u0026peter:ddc4400e_firmware:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "ddc4400e_firmware",
            "vendor": "kieback\\\u0026peter",
            "versions": [
              {
                "lessThanOrEqual": "1.17.6",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:o:kieback\\\u0026peter:ddc4020e_firmware:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "ddc4020e_firmware",
            "vendor": "kieback\\\u0026peter",
            "versions": [
              {
                "lessThanOrEqual": "1.17.6",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:o:kieback\\\u0026peter:ddc4040e_firmware:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "ddc4040e_firmware",
            "vendor": "kieback\\\u0026peter",
            "versions": [
              {
                "lessThanOrEqual": "1.17.6",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-41717",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-23T14:42:00.715222Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-23T14:43:52.114Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "DDC4040e",
          "vendor": "Kieback \u0026 Peter",
          "versions": [
            {
              "lessThanOrEqual": "1.17.6",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "DDC4020e",
          "vendor": "Kieback\u0026Peter",
          "versions": [
            {
              "lessThanOrEqual": "1.17.6",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "DDC4400e",
          "vendor": "Kieback\u0026Peter",
          "versions": [
            {
              "lessThanOrEqual": "1.17.6",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "DDC4200e",
          "vendor": "Kieback\u0026Peter",
          "versions": [
            {
              "lessThanOrEqual": "1.17.6",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "DDC4002e",
          "vendor": "Kieback\u0026Peter",
          "versions": [
            {
              "lessThanOrEqual": "1.17.6",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "DDC4400",
          "vendor": "Kieback\u0026Peter",
          "versions": [
            {
              "lessThanOrEqual": "1.12.14",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "DDC4200-L",
          "vendor": "Kieback\u0026Peter",
          "versions": [
            {
              "lessThanOrEqual": "1.12.14",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "DDC4200",
          "vendor": "Kieback\u0026Peter",
          "versions": [
            {
              "lessThanOrEqual": "1.12.14",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "DDC4100",
          "vendor": "Kieback\u0026Peter",
          "versions": [
            {
              "lessThanOrEqual": "1.7.4",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "DDC4002",
          "vendor": "Kieback\u0026Peter",
          "versions": [
            {
              "lessThanOrEqual": "1.12.14",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Raphael Ruf of terreActive AG reported these vulnerabilities to CISA."
        }
      ],
      "datePublic": "2024-10-17T16:36:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eKieback \u0026amp; Peter\u0027s DDC4000 series\u0026nbsp;is vulnerable to a path traversal vulnerability, which may allow an unauthenticated attacker to read files on the system.\u003c/span\u003e\n\n\u003c/span\u003e"
            }
          ],
          "value": "Kieback \u0026 Peter\u0027s DDC4000 series\u00a0is vulnerable to a path traversal vulnerability, which may allow an unauthenticated attacker to read files on the system."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 9.3,
            "baseSeverity": "CRITICAL",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22 Path Traversal",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-10-22T21:13:37.183Z",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-291-05"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eKieback\u0026amp;Peter DDC4002, DDC4100, DDC4200, DDC4200-L and DDC4400 \ncontrollers are considered End-of-Life (EOL) and are no longer \nsupported. Users operating these controllers should ensure they are \noperated in a strictly separate OT environment and consider updating to a\n supported controller.\u003c/p\u003e\n\u003cp\u003eKieback\u0026amp;Peter recommends users update to DDC4002e, DDC4200e, DDC4400e, DDC4020e and DDC4040e controllers.\u003c/p\u003e\n\u003cp\u003eKieback\u0026amp;Peter recommends all affected users contact their local \nKieback\u0026amp;Peter office to update the firmware of the supported DDC \nsystems to v1.21.0 or later.\u003c/p\u003e\n\n\u003cbr\u003e"
            }
          ],
          "value": "Kieback\u0026Peter DDC4002, DDC4100, DDC4200, DDC4200-L and DDC4400 \ncontrollers are considered End-of-Life (EOL) and are no longer \nsupported. Users operating these controllers should ensure they are \noperated in a strictly separate OT environment and consider updating to a\n supported controller.\n\n\nKieback\u0026Peter recommends users update to DDC4002e, DDC4200e, DDC4400e, DDC4020e and DDC4040e controllers.\n\n\nKieback\u0026Peter recommends all affected users contact their local \nKieback\u0026Peter office to update the firmware of the supported DDC \nsystems to v1.21.0 or later."
        }
      ],
      "source": {
        "advisory": "ICSA-24-291-05",
        "discovery": "EXTERNAL"
      },
      "title": "Kieback\u0026Peter DDC4000 Series Path Traversal",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2024-41717",
    "datePublished": "2024-10-22T21:13:37.183Z",
    "dateReserved": "2024-08-21T18:03:31.239Z",
    "dateUpdated": "2024-10-23T14:43:52.114Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted