CVE-2024-9579

A potential vulnerability was discovered in certain Poly video conferencing devices. The firmware flaw does not properly sanitize user input. The exploitation of this vulnerability is dependent on a layered attack and cannot be exploited by itself.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.6 / Impact : 5.9

Attack Vector ADJACENT_NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://support.hp.com/us-en/document/ish_11536495-11536533-16/hpsbpy03900	Vendor Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:hp:poly_tc8_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:hp:poly_tc8:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND

cpe:2.3:o:hp:poly_tc10_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:hp:poly_tc10:-:*:*:*:*:*:*:*

Configuration 3 (hide)

AND

cpe:2.3:o:hp:poly_studio_g7500_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:hp:poly_studio_g7500:-:*:*:*:*:*:*:*

Configuration 4 (hide)

AND

cpe:2.3:o:hp:poly_studio_x30_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:hp:poly_studio_x30:-:*:*:*:*:*:*:*

Configuration 5 (hide)

AND

cpe:2.3:o:hp:poly_studio_x50_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:hp:poly_studio_x50:-:*:*:*:*:*:*:*

Configuration 6 (hide)

AND

cpe:2.3:o:hp:poly_studio_x70_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:hp:poly_studio_x70:-:*:*:*:*:*:*:*

Configuration 7 (hide)

AND

cpe:2.3:o:hp:poly_studio_x52_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:hp:poly_studio_x52:-:*:*:*:*:*:*:*

Configuration 8 (hide)

AND

cpe:2.3:o:hp:poly_studio_g62_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:hp:poly_studio_g62:-:*:*:*:*:*:*:*

History

No history.

Information

Published : 2024-11-05 17:15

Updated : 2024-11-08 18:08

NVD link : CVE-2024-9579

Mitre link : CVE-2024-9579

CVE.ORG link : CVE-2024-9579

JSON object : View

Products Affected

hp

poly_studio_g7500
poly_studio_x50
poly_studio_x30
poly_studio_x70_firmware
poly_studio_g62_firmware
poly_studio_x30_firmware
poly_tc8
poly_studio_g62
poly_tc10
poly_tc8_firmware
poly_studio_x50_firmware
poly_studio_g7500_firmware
poly_studio_x70
poly_studio_x52_firmware
poly_tc10_firmware
poly_studio_x52

CWE

CWE-77

Improper Neutralization of Special Elements used in a Command ('Command Injection')

{"id": "CVE-2024-9579", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "hp-security-alert@hp.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.6}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.6}]}, "published": "2024-11-05T17:15:07.667", "references": [{"url": "https://support.hp.com/us-en/document/ish_11536495-11536533-16/hpsbpy03900", "tags": ["Vendor Advisory"], "source": "hp-security-alert@hp.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "hp-security-alert@hp.com", "description": [{"lang": "en", "value": "CWE-77"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-77"}]}], "descriptions": [{"lang": "en", "value": "A potential vulnerability was discovered in certain Poly video conferencing devices. The firmware flaw does not properly sanitize user input. The exploitation of this vulnerability is dependent on a layered attack and cannot be exploited by itself."}, {"lang": "es", "value": " Se descubri\u00f3 una vulnerabilidad potencial en ciertos dispositivos de videoconferencia de Poly. El fallo del firmware no desinfecta adecuadamente la entrada del usuario. La explotaci\u00f3n de esta vulnerabilidad depende de un ataque en capas y no puede explotarse por s\u00ed sola."}], "lastModified": "2024-11-08T18:08:02.683", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:hp:poly_tc8_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6DCF1C57-F138-4118-BAA6-7286BA78F8DC", "versionEndExcluding": "6.3.2"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:hp:poly_tc8:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "F053C475-D941-4D4B-B433-8D67CD9A2C71"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:hp:poly_tc10_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BC9FC9F3-5FB5-4E3B-9AF3-72BF90FAC13F", "versionEndExcluding": "6.3.2"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:hp:poly_tc10:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "5E9083C3-3142-494C-827C-56576ADFCA93"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:hp:poly_studio_g7500_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FCE079BE-F301-4CB3-AEF4-7A1F8BF52F0E", "versionEndExcluding": "4.3.2"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:hp:poly_studio_g7500:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "C0B27E0D-4C00-42F8-8772-1C0B1D0F64FC"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:hp:poly_studio_x30_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "78D5810F-7044-4A7C-81E8-BF05F2163B5A", "versionEndIncluding": "4.3.2"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:hp:poly_studio_x30:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "58648CB8-9564-4EAB-8049-65B048EF8000"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:hp:poly_studio_x50_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "242A2E5D-D761-458E-BA4A-53F8DFF3B0A7", "versionEndExcluding": "4.3.2"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:hp:poly_studio_x50:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "1424706A-4E51-4513-B962-59E9ABDD71E7"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:hp:poly_studio_x70_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "520E74F3-26F8-408C-93AD-516373EACDF1", "versionEndExcluding": "4.3.2"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:hp:poly_studio_x70:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "8A94CC22-4C6E-4415-9AB3-E0A3EC7BD672"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:hp:poly_studio_x52_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "383C1531-70D5-4BB2-AB8D-49D92E661739", "versionEndExcluding": "4.3.2"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:hp:poly_studio_x52:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "06C69912-7DB0-4510-884B-3FFF7AC6B1FB"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:hp:poly_studio_g62_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5315BF05-1706-4A5B-9A9D-104AEDDC2C5C", "versionEndExcluding": "4.3.2"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:hp:poly_studio_g62:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "FF7F293C-3F38-40DB-B909-F6E0C32219E0"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "hp-security-alert@hp.com"}