github - ghsa-vqqg-v6v5-gm7x

ghsa-vqqg-v6v5-gm7x

Vulnerability from github

Published

2024-04-12 18:33

Modified

2024-04-12 18:33

Severity ?

9.6 (Critical) - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Details

IO-1020 Micro ELD downloads source code or an executable from an adjacent location and executes the code without sufficiently verifying the origin or integrity of the code.

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2024-28878"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-494"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-12T16:15:36Z",
    "severity": "CRITICAL"
  },
  "details": "\nIO-1020 Micro ELD downloads source code or an executable from an \nadjacent location and executes the code without sufficiently verifying \nthe origin or integrity of the code.\n\n",
  "id": "GHSA-vqqg-v6v5-gm7x",
  "modified": "2024-04-12T18:33:26Z",
  "published": "2024-04-12T18:33:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28878"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-093-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

cve-2024-28878

Vulnerability from cvelistv5

Published

2024-04-12 15:21

Modified

2024-08-26 18:42

Severity ?

9.6 (Critical) - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Summary

IOSIX IO-1020 Micro ELD Download of Code Without Integrity Check

References

▼	URL	Tags
	https://www.cisa.gov/news-events/ics-advisories/icsa-24-093-01

Impacted products

▼	Vendor	Product
	IOSiX	IO-1020 Micro ELD

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T01:03:50.598Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-093-01"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:iosix:io-1020_micro_eld:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "io-1020_micro_eld",
            "vendor": "iosix",
            "versions": [
              {
                "lessThan": "360",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-28878",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-04-12T20:04:29.238909Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-08-26T18:42:52.640Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "IO-1020 Micro ELD",
          "vendor": "IOSiX",
          "versions": [
            {
              "lessThanOrEqual": "360",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Jake Jepson of Colorado State University reported these vulnerabilities to CISA."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\n\nIO-1020 Micro ELD downloads source code or an executable from an \nadjacent location and executes the code without sufficiently verifying \nthe origin or integrity of the code.\n\n"
            }
          ],
          "value": "\nIO-1020 Micro ELD downloads source code or an executable from an \nadjacent location and executes the code without sufficiently verifying \nthe origin or integrity of the code.\n\n"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.6,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-494",
              "description": "CWE-494 Download of Code Without Integrity Check",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-04-12T15:21:10.963Z",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-093-01"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\n\u003cp\u003eIOSIX recommends users update to 360.\u003c/p\u003e\n\u003cp\u003eFor further support, contact \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www2.iosix.com/support-2/\"\u003eIOSiX\u003c/a\u003e.\n\n\u003c/p\u003e"
            }
          ],
          "value": "IOSIX recommends users update to 360.\n\nFor further support, contact  IOSiX https://www2.iosix.com/support-2/ .\n\n"
        }
      ],
      "source": {
        "advisory": "ICSA-24-093-01",
        "discovery": "EXTERNAL"
      },
      "title": "IOSIX IO-1020 Micro ELD Download of Code Without Integrity Check",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2024-28878",
    "datePublished": "2024-04-12T15:21:10.963Z",
    "dateReserved": "2024-03-28T18:24:04.627Z",
    "dateUpdated": "2024-08-26T18:42:52.640Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted