CVE-2024-21870

A file write vulnerability exists in the OAS Engine Tags Configuration functionality of Open Automation Software OAS Platform V19.00.0057. A specially crafted series of network requests can lead to arbitrary file creation or overwrite. An attacker can send a sequence of requests to trigger this vulnerability.

CVSS v3 4.9 MEDIUM

4.9^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.2 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://talosintelligence.com/vulnerability_reports/TALOS-2024-1950	Exploit Third Party Advisory
https://talosintelligence.com/vulnerability_reports/TALOS-2024-1950	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:openautomationsoftware:open_automation_software:19.0.0.57:*:*:*:*:*:*:*

History

23 Jan 2025, 16:56

Type	Values Removed	Values Added
First Time		Openautomationsoftware Openautomationsoftware open Automation Software
CPE		cpe:2.3:a:openautomationsoftware:open_automation_software:19.0.0.57:::::::*
CWE		NVD-CWE-Other
References	~~() https://talosintelligence.com/vulnerability_reports/TALOS-2024-1950 -~~	() https://talosintelligence.com/vulnerability_reports/TALOS-2024-1950 - Exploit, Third Party Advisory

Information

Published : 2024-04-03 14:15

Updated : 2025-01-23 16:56

NVD link : CVE-2024-21870

Mitre link : CVE-2024-21870

CVE.ORG link : CVE-2024-21870

JSON object : View

Products Affected

openautomationsoftware

open_automation_software

CWE

CWE-73

External Control of File Name or Path

NVD-CWE-Other

{"id": "CVE-2024-21870", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "talos-cna@cisco.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.2}]}, "published": "2024-04-03T14:15:13.917", "references": [{"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2024-1950", "tags": ["Exploit", "Third Party Advisory"], "source": "talos-cna@cisco.com"}, {"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2024-1950", "tags": ["Exploit", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "talos-cna@cisco.com", "description": [{"lang": "en", "value": "CWE-73"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}], "descriptions": [{"lang": "en", "value": "A file write vulnerability exists in the OAS Engine Tags Configuration functionality of Open Automation Software OAS Platform V19.00.0057. A specially crafted series of network requests can lead to arbitrary file creation or overwrite. An attacker can send a sequence of requests to trigger this vulnerability."}, {"lang": "es", "value": "Existe una vulnerabilidad de escritura de archivos en la funcionalidad de configuraci\u00f3n de etiquetas del motor OAS de Open Automation Software OAS Platform V19.00.0057. Una serie de solicitudes de red especialmente manipuladas pueden provocar la creaci\u00f3n o sobrescritura de archivos arbitrarios. Un atacante puede enviar una secuencia de solicitudes para desencadenar esta vulnerabilidad."}], "lastModified": "2025-01-23T16:56:30.133", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:openautomationsoftware:open_automation_software:19.0.0.57:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "98468F0E-605A-47FA-877E-5FA039E1FB4B"}], "operator": "OR"}]}], "sourceIdentifier": "talos-cna@cisco.com"}