VDE-2024-005
Vulnerability from csaf_trumpfsecokg - Published: 2024-01-23 07:00 - Updated: 2025-06-05 13:28Summary
TRUMPF: Multiple products contain vulnerable version of 7-zip
Notes
Summary: Under certain circumstances, opening a specially crafted 7-zip package can exploit an integer
underflow vulnerability in 7-zip versions up to and including 22.x
This vulnerability allows for a remote code execution, resulting in unauthorized (remote) access to,
change of data or disruption of the whole service.
Impact: The stated TRUMPF products include a vulnerable version of 7-zip which can be exploited to take overthe server they're installed on. This can impact confidentiality, integrity and availability of information onthe affected system.
Remediation: Please download the replacement tool.
For additional questions please contact your TRUMPF Service with the PR number 501709.
Ppmd7.c in 7-Zip before 23.00 allows an integer underflow and invalid read operation via a crafted 7Z archive.
7.8 (High)
Vendor Fix
Please download the replacement tool.
For additional questions please contact your TRUMPF Service with the PR number 501709.
Affected products
Known affected
8 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Boost <=V16.5
TRUMPF / Software / Boost
|
<=V16.5 | ||
|
FAB-Boost mixed installation <=V22.7
TRUMPF / Software / FAB-Boost mixed installation
|
<=V22.7 | ||
|
FAB (Storage) <=V22.7
TRUMPF / Software / FAB (Storage)
|
<=V22.7 | ||
|
Oseon-Boost mixed installation <=V3.5
TRUMPF / Software / Oseon-Boost mixed installation
|
<=V3.5 | ||
|
Oseon (Storage) <=V3.2
TRUMPF / Software / Oseon (Storage)
|
<=V3.2 | ||
|
TruTops Cell <=V2.31.0
TRUMPF / Software / TruTops Cell
|
<=V2.31.0 | ||
|
TruTops Classic <=V12.1
TRUMPF / Software / TruTops Classic
|
<=V12.1 | ||
|
TruTops Mark <=V6.2
TRUMPF / Software / TruTops Mark
|
<=V6.2 |
References
3 references
Acknowledgments
CERT@VDE
certvde.com
{
"document": {
"acknowledgments": [
{
"organization": "CERT@VDE",
"summary": "coordination",
"urls": [
"https://certvde.com"
]
}
],
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en-GB",
"notes": [
{
"category": "summary",
"text": "Under certain circumstances, opening a specially crafted 7-zip package can exploit an integer\nunderflow vulnerability in 7-zip versions up to and including 22.x\n\nThis vulnerability allows for a remote code execution, resulting in unauthorized (remote) access to,\nchange of data or disruption of the whole service.",
"title": "Summary"
},
{
"category": "description",
"text": "The stated TRUMPF products include a vulnerable version of 7-zip which can be exploited to take overthe server they\u0027re installed on. This can impact confidentiality, integrity and availability of information onthe affected system.",
"title": "Impact"
},
{
"category": "description",
"text": "Please download the replacement tool.\nFor additional questions please contact your TRUMPF Service with the PR number 501709.",
"title": "Remediation"
}
],
"publisher": {
"category": "vendor",
"contact_details": "product.security@trumpf.com",
"name": "Trumpf SE + Co. KG",
"namespace": "https://www.trumpf.com"
},
"references": [
{
"category": "self",
"summary": "VDE-2024-005: TRUMPF: Multiple products contain vulnerable version of 7-zip - HTML",
"url": "https://certvde.com/en/advisories/VDE-2024-005/"
},
{
"category": "self",
"summary": "VDE-2024-005: TRUMPF: Multiple products contain vulnerable version of 7-zip - CSAF",
"url": "https://trumpf.csaf-tp.certvde.com/.well-known/csaf/white/2024/vde-2024-005.json"
},
{
"category": "external",
"summary": "CERT@VDE Security Advisories for Trumpf SE + Co. KG",
"url": "https://certvde.com/en/advisories/vendor/trumpf/"
}
],
"title": "TRUMPF: Multiple products contain vulnerable version of 7-zip",
"tracking": {
"aliases": [
"VDE-2024-005"
],
"current_release_date": "2025-06-05T13:28:12.000Z",
"generator": {
"date": "2025-05-26T14:32:28.668Z",
"engine": {
"name": "Secvisogram",
"version": "2.5.26"
}
},
"id": "VDE-2024-005",
"initial_release_date": "2024-01-23T07:00:00.000Z",
"revision_history": [
{
"date": "2024-01-23T07:00:00.000Z",
"number": "1",
"summary": "Initial revision."
},
{
"date": "2025-06-05T13:28:12.000Z",
"number": "2",
"summary": "Fix: quotation mark"
}
],
"status": "final",
"version": "2"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c=V16.5",
"product": {
"name": "Boost \u003c=V16.5",
"product_id": "CSAFPID-51001"
}
}
],
"category": "product_name",
"name": "Boost"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c=V22.7",
"product": {
"name": "FAB-Boost mixed installation \u003c=V22.7",
"product_id": "CSAFPID-51002"
}
}
],
"category": "product_name",
"name": "FAB-Boost mixed installation"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c=V22.7",
"product": {
"name": "FAB (Storage) \u003c=V22.7",
"product_id": "CSAFPID-51003"
}
}
],
"category": "product_name",
"name": "FAB (Storage)"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c=V3.5",
"product": {
"name": "Oseon-Boost mixed installation \u003c=V3.5",
"product_id": "CSAFPID-51004"
}
}
],
"category": "product_name",
"name": "Oseon-Boost mixed installation"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c=V3.2",
"product": {
"name": "Oseon (Storage) \u003c=V3.2",
"product_id": "CSAFPID-51005"
}
}
],
"category": "product_name",
"name": "Oseon (Storage)"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c=V2.31.0",
"product": {
"name": "TruTops Cell \u003c=V2.31.0",
"product_id": "CSAFPID-51006"
}
}
],
"category": "product_name",
"name": "TruTops Cell"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c=V12.1",
"product": {
"name": "TruTops Classic \u003c=V12.1",
"product_id": "CSAFPID-51007"
}
}
],
"category": "product_name",
"name": "TruTops Classic"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c=V6.2",
"product": {
"name": "TruTops Mark \u003c=V6.2",
"product_id": "CSAFPID-51008"
}
}
],
"category": "product_name",
"name": "TruTops Mark"
}
],
"category": "product_family",
"name": "Software"
}
],
"category": "vendor",
"name": "TRUMPF"
}
],
"product_groups": [
{
"group_id": "CSAFGID-0001",
"product_ids": [
"CSAFPID-51001",
"CSAFPID-51002",
"CSAFPID-51003",
"CSAFPID-51004",
"CSAFPID-51005",
"CSAFPID-51006",
"CSAFPID-51007",
"CSAFPID-51008"
],
"summary": "Affected products."
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2023-31102",
"cwe": {
"id": "CWE-191",
"name": "Integer Underflow (Wrap or Wraparound)"
},
"notes": [
{
"category": "description",
"text": "Ppmd7.c in 7-Zip before 23.00 allows an integer underflow and invalid read operation via a crafted 7Z archive.",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-51001",
"CSAFPID-51002",
"CSAFPID-51003",
"CSAFPID-51004",
"CSAFPID-51005",
"CSAFPID-51006",
"CSAFPID-51007",
"CSAFPID-51008"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Please download the replacement tool.\nFor additional questions please contact your TRUMPF Service with the PR number 501709.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"environmentalScore": 7.8,
"environmentalSeverity": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 7.8,
"temporalSeverity": "HIGH",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-51001",
"CSAFPID-51002",
"CSAFPID-51003",
"CSAFPID-51004",
"CSAFPID-51005",
"CSAFPID-51006",
"CSAFPID-51007",
"CSAFPID-51008"
]
}
],
"title": "CVE-2023-31102"
}
]
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…