CVE-2024-51447

A vulnerability has been identified in Polarion V2310 (All versions), Polarion V2404 (All versions < V2404.2). The login implementation of the affected application contains an observable response discrepancy vulnerability when validating usernames. This could allow an unauthenticated remote attacker to distinguish between valid and invalid usernames.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://cert-portal.siemens.com/productcert/html/ssa-162255.html	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:siemens:polarion_alm::::::::
	cpe:2.3:a:siemens:polarion_alm:2310:::::::*

History

22 Aug 2025, 20:32

Type	Values Removed	Values Added
First Time		Siemens Siemens polarion Alm
CPE		cpe:2.3:a:siemens:polarion_alm:::::::: cpe:2.3:a:siemens:polarion_alm:2310:::::::*
References	~~() https://cert-portal.siemens.com/productcert/html/ssa-162255.html -~~	() https://cert-portal.siemens.com/productcert/html/ssa-162255.html - Vendor Advisory

13 May 2025, 19:35

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-05-13 10:15

Updated : 2025-08-22 20:32

NVD link : CVE-2024-51447

Mitre link : CVE-2024-51447

CVE.ORG link : CVE-2024-51447

JSON object : View

Products Affected

siemens

polarion_alm

CWE

CWE-204

Observable Response Discrepancy

{"id": "CVE-2024-51447", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "productcert@siemens.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "productcert@siemens.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.9, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-05-13T10:15:21.940", "references": [{"url": "https://cert-portal.siemens.com/productcert/html/ssa-162255.html", "tags": ["Vendor Advisory"], "source": "productcert@siemens.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "productcert@siemens.com", "description": [{"lang": "en", "value": "CWE-204"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability has been identified in Polarion V2310 (All versions), Polarion V2404 (All versions < V2404.2). The login implementation of the affected application contains an observable response discrepancy vulnerability when validating usernames. This could allow an unauthenticated remote attacker to distinguish between valid and invalid usernames."}, {"lang": "es", "value": "Se ha identificado una vulnerabilidad en Polarion V2310 (todas las versiones) y Polarion V2404 (todas las versiones anteriores a V2404.2). La implementaci\u00f3n de inicio de sesi\u00f3n de la aplicaci\u00f3n afectada presenta una vulnerabilidad de discrepancia de respuesta observable al validar nombres de usuario. Esto podr\u00eda permitir que un atacante remoto no autenticado distinga entre nombres de usuario v\u00e1lidos e inv\u00e1lidos."}], "lastModified": "2025-08-22T20:32:20.717", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:siemens:polarion_alm:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E95EF031-3868-42B5-ABAB-3070454CE68B", "versionEndExcluding": "2410", "versionStartIncluding": "2404"}, {"criteria": "cpe:2.3:a:siemens:polarion_alm:2310:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "94F2782F-B50C-419F-86E2-C3B96EF4AB1F"}], "operator": "OR"}]}], "sourceIdentifier": "productcert@siemens.com"}