{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-3467", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "state": "PUBLISHED", "assignerShortName": "icscert", "dateReserved": "2024-04-08T15:55:44.665Z", "datePublished": "2024-06-12T21:04:26.635Z", "dateUpdated": "2024-08-01T20:12:07.612Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "PI Asset Framework Client", "vendor": "AVEVA", "versions": [{"status": "affected", "version": "2023"}, {"lessThanOrEqual": "2018 SP3 P04", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "AVEVA reported this vulnerability to CISA."}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">There is a vulnerability in AVEVA PI Asset Framework Client that could allow malicious code to execute on the PI System Explorer environment under the privileges of an interactive user that was socially engineered to import XML supplied by an attacker.</span>"}], "value": "There is a vulnerability in AVEVA PI Asset Framework Client that could allow malicious code to execute on the PI System Explorer environment under the privileges of an interactive user that was socially engineered to import XML supplied by an attacker."}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "baseScore": 7, "baseSeverity": "HIGH", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2024-06-12T21:04:26.635Z"}, "references": [{"tags": ["government-resource"], "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-163-03"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p></p>\n\n<p>AVEVA recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation. Customers using affected products should apply security updates as soon as possible:</p><ul><li>(Recommended) All affected versions can be fixed by upgrading to PI AF Client 2023 Patch 1 or later:<br>From <a target=\"_blank\" rel=\"nofollow\" href=\"https://my.osisoft.com/\">OSI Soft Customer Portal</a>, search for \"Asset Framework\" and select \"PI Asset Framework (AF) Client 2023 Patch 1\" or later.</li><li>(Alternative) AF Client 2018 SP3 P04 and prior can be fixed by deploying PI AF Client 2018 SP3 Patch 5 or later:<br>From <a target=\"_blank\" rel=\"nofollow\" href=\"https://my.osisoft.com/\">OSI Soft Customer Portal</a>, search for \"Asset Framework\" and select either \"PI Asset Framework (AF) Client 2018 SP3 Patch 5\" or later.</li></ul><p>AVEVA further recommends users follow general defensive measures:</p><ul><li>Run PI System Explorer as a least privilege interactive account when possible.</li><li>Establish procedures for verifying the source of XML is trusted before importing into PI System Explorer.</li></ul><p>For additional information please refer to <a target=\"_blank\" rel=\"nofollow\" href=\"https://www.aveva.com/en/support-and-success/cyber-security-updates/\">AVEVA-2024-004</a></p>"}], "value": "AVEVA recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation. Customers using affected products should apply security updates as soon as possible:\n\n * (Recommended) All affected versions can be fixed by upgrading to PI AF Client 2023 Patch 1 or later:\nFrom OSI Soft Customer Portal https://my.osisoft.com/ , search for \"Asset Framework\" and select \"PI Asset Framework (AF) Client 2023 Patch 1\" or later.\n * (Alternative) AF Client 2018 SP3 P04 and prior can be fixed by deploying PI AF Client 2018 SP3 Patch 5 or later:\nFrom OSI Soft Customer Portal https://my.osisoft.com/ , search for \"Asset Framework\" and select either \"PI Asset Framework (AF) Client 2018 SP3 Patch 5\" or later.\n\n\nAVEVA further recommends users follow general defensive measures:\n\n * Run PI System Explorer as a least privilege interactive account when possible.\n * Establish procedures for verifying the source of XML is trusted before importing into PI System Explorer.\n\n\nFor additional information please refer to AVEVA-2024-004 https://www.aveva.com/en/support-and-success/cyber-security-updates/"}], "source": {"discovery": "UNKNOWN"}, "title": "Deserialization of Untrusted Data in AVEVA PI Asset Framework Client", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"affected": [{"vendor": "aveva", "product": "pi_asset_framework_client", "cpes": ["cpe:2.3:a:aveva:pi_asset_framework_client:2023:*:*:*:*:*:*:*"], "defaultStatus": "unaffected", "versions": [{"version": "2023", "status": "affected"}]}, {"vendor": "aveva", "product": "pi_asset_framework_client", "cpes": ["cpe:2.3:a:aveva:pi_asset_framework_client:*:*:*:*:*:*:*:*"], "defaultStatus": "unaffected", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2018", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-07-03T18:12:24.328615Z", "id": "CVE-2024-3467", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-03T18:32:56.636Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T20:12:07.612Z"}, "title": "CVE Program Container", "references": [{"tags": ["government-resource", "x_transferred"], "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-163-03"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-163-03", "tags": ["government-resource", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T20:12:07.612Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-3467", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-07-03T18:12:24.328615Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:aveva:pi_asset_framework_client:2023:*:*:*:*:*:*:*"], "vendor": "aveva", "product": "pi_asset_framework_client", "versions": [{"status": "affected", "version": "2023"}], "defaultStatus": "unaffected"}, {"cpes": ["cpe:2.3:a:aveva:pi_asset_framework_client:*:*:*:*:*:*:*:*"], "vendor": "aveva", "product": "pi_asset_framework_client", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "2018"}], "defaultStatus": "unaffected"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-03T18:32:51.155Z"}}], "cna": {"title": "Deserialization of Untrusted Data in AVEVA PI Asset Framework Client", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "AVEVA reported this vulnerability to CISA."}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 7, "Automatable": "NOT_DEFINED", "attackVector": "LOCAL", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "providerUrgency": "NOT_DEFINED", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "AVEVA", "product": "PI Asset Framework Client", "versions": [{"status": "affected", "version": "2023"}, {"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "2018 SP3 P04"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "AVEVA recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation. Customers using affected products should apply security updates as soon as possible:\n\n * (Recommended) All affected versions can be fixed by upgrading to PI AF Client 2023 Patch 1 or later:\nFrom OSI Soft Customer Portal https://my.osisoft.com/ , search for \"Asset Framework\" and select \"PI Asset Framework (AF) Client 2023 Patch 1\" or later.\n * (Alternative) AF Client 2018 SP3 P04 and prior can be fixed by deploying PI AF Client 2018 SP3 Patch 5 or later:\nFrom OSI Soft Customer Portal https://my.osisoft.com/ , search for \"Asset Framework\" and select either \"PI Asset Framework (AF) Client 2018 SP3 Patch 5\" or later.\n\n\nAVEVA further recommends users follow general defensive measures:\n\n * Run PI System Explorer as a least privilege interactive account when possible.\n * Establish procedures for verifying the source of XML is trusted before importing into PI System Explorer.\n\n\nFor additional information please refer to AVEVA-2024-004 https://www.aveva.com/en/support-and-success/cyber-security-updates/", "supportingMedia": [{"type": "text/html", "value": "<p></p>\n\n<p>AVEVA recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation. Customers using affected products should apply security updates as soon as possible:</p><ul><li>(Recommended) All affected versions can be fixed by upgrading to PI AF Client 2023 Patch 1 or later:<br>From <a target=\"_blank\" rel=\"nofollow\" href=\"https://my.osisoft.com/\">OSI Soft Customer Portal</a>, search for \"Asset Framework\" and select \"PI Asset Framework (AF) Client 2023 Patch 1\" or later.</li><li>(Alternative) AF Client 2018 SP3 P04 and prior can be fixed by deploying PI AF Client 2018 SP3 Patch 5 or later:<br>From <a target=\"_blank\" rel=\"nofollow\" href=\"https://my.osisoft.com/\">OSI Soft Customer Portal</a>, search for \"Asset Framework\" and select either \"PI Asset Framework (AF) Client 2018 SP3 Patch 5\" or later.</li></ul><p>AVEVA further recommends users follow general defensive measures:</p><ul><li>Run PI System Explorer as a least privilege interactive account when possible.</li><li>Establish procedures for verifying the source of XML is trusted before importing into PI System Explorer.</li></ul><p>For additional information please refer to <a target=\"_blank\" rel=\"nofollow\" href=\"https://www.aveva.com/en/support-and-success/cyber-security-updates/\">AVEVA-2024-004</a></p>", "base64": false}]}], "references": [{"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-163-03", "tags": ["government-resource"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "There is a vulnerability in AVEVA PI Asset Framework Client that could allow malicious code to execute on the PI System Explorer environment under the privileges of an interactive user that was socially engineered to import XML supplied by an attacker.", "supportingMedia": [{"type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">There is a vulnerability in AVEVA PI Asset Framework Client that could allow malicious code to execute on the PI System Explorer environment under the privileges of an interactive user that was socially engineered to import XML supplied by an attacker.</span>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2024-06-12T21:04:26.635Z"}}}, "cveMetadata": {"cveId": "CVE-2024-3467", "state": "PUBLISHED", "dateUpdated": "2024-08-01T20:12:07.612Z", "dateReserved": "2024-04-08T15:55:44.665Z", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "datePublished": "2024-06-12T21:04:26.635Z", "assignerShortName": "icscert"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:aveva:pi_asset_framework_client:2018:sp3_patch_4:*:*:*:*:*:*", "matchCriteriaId": "AB4DB2C1-BFA8-4CCB-A1A7-D14AD828DA02", "vulnerable": true}, {"criteria": "cpe:2.3:a:aveva:pi_asset_framework_client:2023:*:*:*:*:*:*:*", "matchCriteriaId": "CF232070-675E-4886-A190-6B5A04DCC729", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "There is a vulnerability in AVEVA PI Asset Framework Client that could allow malicious code to execute on the PI System Explorer environment under the privileges of an interactive user that was socially engineered to import XML supplied by an attacker."}, {"lang": "es", "value": "Existe una vulnerabilidad en AVEVA PI Asset Framework Client que podr\u00eda permitir que se ejecute c\u00f3digo malicioso en el entorno de PI System Explorer bajo los privilegios de un usuario interactivo que fue manipulado socialmente para importar XML proporcionado por un atacante."}], "id": "CVE-2024-3467", "lastModified": "2024-10-03T19:47:06.097", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "automatable": "NOT_DEFINED", "availabilityRequirements": "NOT_DEFINED", "baseScore": 7.0, "baseSeverity": "HIGH", "confidentialityRequirements": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirements": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubsequentSystemAvailability": "NOT_DEFINED", "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED", "modifiedSubsequentSystemIntegrity": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnerableSystemAvailability": "NOT_DEFINED", "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED", "modifiedVulnerableSystemIntegrity": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "recovery": "NOT_DEFINED", "safety": "NOT_DEFINED", "subsequentSystemAvailability": "NONE", "subsequentSystemConfidentiality": "NONE", "subsequentSystemIntegrity": "NONE", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnerabilityResponseEffort": "NOT_DEFINED", "vulnerableSystemAvailability": "HIGH", "vulnerableSystemConfidentiality": "HIGH", "vulnerableSystemIntegrity": "HIGH"}, "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}, "published": "2024-06-12T21:15:50.617", "references": [{"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-163-03"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "ics-cert@hq.dhs.gov", "type": "Primary"}]}

{}