GHSA-P429-8J49-F6X5

Vulnerability from github – Published: 2024-03-12 12:30 – Updated: 2024-05-14 18:30
VLAI?
Details

A vulnerability has been identified in Cerberus PRO EN Engineering Tool (All versions < IP8), Cerberus PRO EN Fire Panel FC72x (All versions < IP8), Cerberus PRO EN X200 Cloud Distribution (All versions < V4.0.5016), Cerberus PRO EN X300 Cloud Distribution (All versions < V4.2.5015), Sinteso FS20 EN Engineering Tool (All versions < MP8), Sinteso FS20 EN Fire Panel FC20 (All versions < MP8), Sinteso FS20 EN X200 Cloud Distribution (All versions < V4.0.5016), Sinteso FS20 EN X300 Cloud Distribution (All versions < V4.2.5015), Sinteso Mobile (All versions < V3.0.0). The network communication library in affected systems does not validate the length of certain X.509 certificate attributes which might result in a stack-based buffer overflow. This could allow an unauthenticated remote attacker to execute code on the underlying operating system with root privileges.

Severity ?
10.0 (Critical)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Show details on source website
To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2024-22039"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-120"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-03-12T11:15:48Z",
    "severity": "CRITICAL"
  },
  "details": "A vulnerability has been identified in Cerberus PRO EN Engineering Tool (All versions \u003c IP8), Cerberus PRO EN Fire Panel FC72x (All versions \u003c IP8), Cerberus PRO EN X200 Cloud Distribution (All versions \u003c V4.0.5016), Cerberus PRO EN X300 Cloud Distribution (All versions \u003c V4.2.5015), Sinteso FS20 EN Engineering Tool (All versions \u003c MP8), Sinteso FS20 EN Fire Panel FC20 (All versions \u003c MP8), Sinteso FS20 EN X200 Cloud Distribution (All versions \u003c V4.0.5016), Sinteso FS20 EN X300 Cloud Distribution (All versions \u003c V4.2.5015), Sinteso Mobile (All versions \u003c V3.0.0). The network communication library in affected systems does not validate the length of certain X.509 certificate attributes which might result in a stack-based buffer overflow.\nThis could allow an unauthenticated remote attacker to execute code on the underlying operating system with root privileges.",
  "id": "GHSA-p429-8j49-f6x5",
  "modified": "2024-05-14T18:30:34Z",
  "published": "2024-03-12T12:30:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22039"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-225840.html"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-953710.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.