CVE-2024-3980

The MicroSCADA Pro/X SYS600 product allows an authenticated user input to control or influence paths or file names that are used in filesystem operations. If exploited the vulnerability allows the attacker to access or modify system files or other files that are critical to the application.

CVSS v3 9.9 CRITICAL

9.9^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.1 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://publisher.hitachienergy.com/preview?DocumentID=8DBD000160&LanguageCode=en&DocumentPartId=&Action=Launch	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:hitachienergy:microscada_pro_sys600:9.4:fixpack_1::::::
	cpe:2.3:a:hitachienergy:microscada_pro_sys600:9.4:fixpack_2_hf1::::::
	cpe:2.3:a:hitachienergy:microscada_pro_sys600:9.4:fixpack_2_hf2::::::
	cpe:2.3:a:hitachienergy:microscada_pro_sys600:9.4:fixpack_2_hf3::::::
	cpe:2.3:a:hitachienergy:microscada_pro_sys600:9.4:fixpack_2_hf4::::::
	cpe:2.3:a:hitachienergy:microscada_pro_sys600:9.4:fixpack_2_hf5::::::
	cpe:2.3:a:hitachienergy:microscada_x_sys600::::::::

History

No history.

Information

Published : 2024-08-27 13:15

Updated : 2024-10-30 15:33

NVD link : CVE-2024-3980

Mitre link : CVE-2024-3980

CVE.ORG link : CVE-2024-3980

JSON object : View

Products Affected

hitachienergy

microscada_pro_sys600
microscada_x_sys600

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

{"id": "CVE-2024-3980", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "cybersecurity@hitachienergy.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.9, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 3.1}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2024-08-27T13:15:05.210", "references": [{"url": "https://publisher.hitachienergy.com/preview?DocumentID=8DBD000160&LanguageCode=en&DocumentPartId=&Action=Launch", "tags": ["Vendor Advisory"], "source": "cybersecurity@hitachienergy.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "cybersecurity@hitachienergy.com", "description": [{"lang": "en", "value": "CWE-22"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-22"}]}], "descriptions": [{"lang": "en", "value": "The MicroSCADA Pro/X SYS600 product allows an authenticated user input to control or influence paths or file names\nthat are used in filesystem operations. If exploited the vulnerability allows the attacker to access or modify system files or\nother files that are critical to the application."}, {"lang": "es", "value": "El producto permite que el usuario controle o influya en las rutas o nombres de archivos que se utilizan en las operaciones del sistema de archivos, lo que permite al atacante acceder o modificar archivos del sistema u otros archivos que son cr\u00edticos para la aplicaci\u00f3n."}], "lastModified": "2024-10-30T15:33:12.697", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:hitachienergy:microscada_pro_sys600:9.4:fixpack_1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BC4CE02B-F8CF-4A9E-B9FC-AEFE59F4BCE2"}, {"criteria": "cpe:2.3:a:hitachienergy:microscada_pro_sys600:9.4:fixpack_2_hf1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0B90ED6E-68E4-4C14-B275-F44BAC1B9C5C"}, {"criteria": "cpe:2.3:a:hitachienergy:microscada_pro_sys600:9.4:fixpack_2_hf2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "196E08EA-807C-4B7B-981A-96D106AC328B"}, {"criteria": "cpe:2.3:a:hitachienergy:microscada_pro_sys600:9.4:fixpack_2_hf3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "680FAE83-9D7A-4AD9-AFBE-480FD105ADC9"}, {"criteria": "cpe:2.3:a:hitachienergy:microscada_pro_sys600:9.4:fixpack_2_hf4:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "014C8428-8F88-4C3D-B9B1-87DE26867471"}, {"criteria": "cpe:2.3:a:hitachienergy:microscada_pro_sys600:9.4:fixpack_2_hf5:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "06AFA271-0785-4526-B7DA-FA00672CC5B5"}, {"criteria": "cpe:2.3:a:hitachienergy:microscada_x_sys600:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "AEAAFA90-ACFF-47E2-A23D-728912D74B99", "versionEndExcluding": "10.6", "versionStartIncluding": "10.0"}], "operator": "OR"}]}], "sourceIdentifier": "cybersecurity@hitachienergy.com"}