CVE-2024-37039 - Vulnerability Details - OpenCVE

CWE-252: Unchecked Return Value vulnerability exists that could cause denial of service of the
device when an attacker sends a specially crafted HTTP request.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00535.

Key SSVC decision points have not yet been added.

Vendors	Products
Schneider-electric Subscribe	Sage 1410 Subscribe Sage 1430 Subscribe Sage 1450 Subscribe Sage 2400 Subscribe Sage 3030 Magnum Subscribe Sage 4400 Subscribe Sage Rtu Firmware Subscribe

Configuration 1 [-]

AND

cpe:2.3:o:schneider-electric:sage_rtu_firmware:*:*:*:*:*:*:*:*

OR	cpe:2.3:h:schneider-electric:sage_1410:-:::::::*
	cpe:2.3:h:schneider-electric:sage_1430:-:::::::*
	cpe:2.3:h:schneider-electric:sage_1450:-:::::::*
	cpe:2.3:h:schneider-electric:sage_2400:-:::::::*
	cpe:2.3:h:schneider-electric:sage_3030_magnum:-:::::::*
	cpe:2.3:h:schneider-electric:sage_4400:-:::::::*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2024-36406	CWE-252: Unchecked Return Value vulnerability exists that could cause denial of service of the device when an attacker sends a specially crafted HTTP request.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2024-163-05&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2024-163-05.pdf

History

No history.

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: schneider

Published: 2024-06-12T16:54:23.117Z

Updated: 2024-08-02T03:43:50.886Z

Reserved: 2024-05-31T06:52:05.762Z

Link: CVE-2024-37039

Vulnrichment

Updated: 2024-08-02T03:43:50.886Z

NVD

Status : Modified

Published: 2024-06-12T17:15:51.313

Modified: 2024-11-21T09:23:06.010

Link: CVE-2024-37039

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-252

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-37039", "assignerOrgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", "state": "PUBLISHED", "assignerShortName": "schneider", "dateReserved": "2024-05-31T06:52:05.762Z", "datePublished": "2024-06-12T16:54:23.117Z", "dateUpdated": "2024-08-02T03:43:50.886Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Sage 1410", "vendor": "Schneider Electric", "versions": [{"status": "affected", "version": "Versions C3414-500-S02K5_P8 and prior"}]}, {"defaultStatus": "unaffected", "product": "Sage 1430", "vendor": "Schneider Electric", "versions": [{"status": "affected", "version": "Versions C3414-500-S02K5_P8 and prior"}]}, {"defaultStatus": "unaffected", "product": "Sage 1450", "vendor": "Schneider Electric", "versions": [{"status": "affected", "version": "Versions C3414-500-S02K5_P8 and prior"}]}, {"defaultStatus": "unaffected", "product": "Sage 2400", "vendor": "Schneider Electric", "versions": [{"status": "affected", "version": "Versions C3414-500-S02K5_P8 and prior"}]}, {"defaultStatus": "unaffected", "product": "Sage 3030 Magnum", "vendor": "Schneider Electric", "versions": [{"status": "affected", "version": "Versions C3414-500-S02K5_P8 and prior"}]}, {"defaultStatus": "unaffected", "product": "Sage 4400", "vendor": "Schneider Electric", "versions": [{"status": "affected", "version": "Versions C3414-500-S02K5_P8 and prior"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\n\n\n\n\n\n\n\n\n\nCWE-252: Unchecked Return Value vulnerability exists that could cause denial of service of the\ndevice when an attacker sends a specially crafted HTTP request.\n\n\n\n\n\n\n\n\n\n"}], "value": "CWE-252: Unchecked Return Value vulnerability exists that could cause denial of service of the\ndevice when an attacker sends a specially crafted HTTP request."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-252", "description": "CWE-252 Unchecked Return Value", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", "shortName": "schneider", "dateUpdated": "2024-06-12T16:54:23.117Z"}, "references": [{"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2024-163-05&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2024-163-05.pdf"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"affected": [{"vendor": "schneider-electric", "product": "sage_4400", "cpes": ["cpe:2.3:h:schneider-electric:sage_3030_magnum:-:*:*:*:*:*:*:*", "cpe:2.3:h:schneider-electric:sage_1410:-:*:*:*:*:*:*:*", "cpe:2.3:h:schneider-electric:sage_1430:-:*:*:*:*:*:*:*", "cpe:2.3:h:schneider-electric:sage_1450:-:*:*:*:*:*:*:*", "cpe:2.3:h:schneider-electric:sage_2400:-:*:*:*:*:*:*:*", "cpe:2.3:h:schneider-electric:sage_4400:-:*:*:*:*:*:*:*"], "defaultStatus": "unaffected", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "c3414-500-s02k5_p8", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-06-12T18:24:08.466465Z", "id": "CVE-2024-37039", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-12T18:33:50.964Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T03:43:50.886Z"}, "title": "CVE Program Container", "references": [{"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2024-163-05&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2024-163-05.pdf", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2024-163-05&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2024-163-05.pdf", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T03:43:50.886Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-37039", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-06-12T18:24:08.466465Z"}}}], "affected": [{"cpes": ["cpe:2.3:h:schneider-electric:sage_3030_magnum:-:*:*:*:*:*:*:*", "cpe:2.3:h:schneider-electric:sage_1410:-:*:*:*:*:*:*:*", "cpe:2.3:h:schneider-electric:sage_1430:-:*:*:*:*:*:*:*", "cpe:2.3:h:schneider-electric:sage_1450:-:*:*:*:*:*:*:*", "cpe:2.3:h:schneider-electric:sage_2400:-:*:*:*:*:*:*:*", "cpe:2.3:h:schneider-electric:sage_4400:-:*:*:*:*:*:*:*"], "vendor": "schneider-electric", "product": "sage_4400", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "c3414-500-s02k5_p8"}], "defaultStatus": "unaffected"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-12T18:23:57.863Z"}}], "cna": {"source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Schneider Electric", "product": "Sage 1410", "versions": [{"status": "affected", "version": "Versions C3414-500-S02K5_P8 and prior"}], "defaultStatus": "unaffected"}, {"vendor": "Schneider Electric", "product": "Sage 1430", "versions": [{"status": "affected", "version": "Versions C3414-500-S02K5_P8 and prior"}], "defaultStatus": "unaffected"}, {"vendor": "Schneider Electric", "product": "Sage 1450", "versions": [{"status": "affected", "version": "Versions C3414-500-S02K5_P8 and prior"}], "defaultStatus": "unaffected"}, {"vendor": "Schneider Electric", "product": "Sage 2400", "versions": [{"status": "affected", "version": "Versions C3414-500-S02K5_P8 and prior"}], "defaultStatus": "unaffected"}, {"vendor": "Schneider Electric", "product": "Sage 3030 Magnum", "versions": [{"status": "affected", "version": "Versions C3414-500-S02K5_P8 and prior"}], "defaultStatus": "unaffected"}, {"vendor": "Schneider Electric", "product": "Sage 4400", "versions": [{"status": "affected", "version": "Versions C3414-500-S02K5_P8 and prior"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2024-163-05&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2024-163-05.pdf"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "CWE-252: Unchecked Return Value vulnerability exists that could cause denial of service of the\ndevice when an attacker sends a specially crafted HTTP request.", "supportingMedia": [{"type": "text/html", "value": "\n\n\n\n\n\n\n\n\n\nCWE-252: Unchecked Return Value vulnerability exists that could cause denial of service of the\ndevice when an attacker sends a specially crafted HTTP request.\n\n\n\n\n\n\n\n\n\n", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-252", "description": "CWE-252 Unchecked Return Value"}]}], "providerMetadata": {"orgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", "shortName": "schneider", "dateUpdated": "2024-06-12T16:54:23.117Z"}}}, "cveMetadata": {"cveId": "CVE-2024-37039", "state": "PUBLISHED", "dateUpdated": "2024-08-02T03:43:50.886Z", "dateReserved": "2024-05-31T06:52:05.762Z", "assignerOrgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", "datePublished": "2024-06-12T16:54:23.117Z", "assignerShortName": "schneider"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:schneider-electric:sage_rtu_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "D4DDD3DD-576C-404E-A132-D1357936A610", "versionEndExcluding": "c3414-500-s02k5_p9", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:schneider-electric:sage_1410:-:*:*:*:*:*:*:*", "matchCriteriaId": "02E606BD-92F8-4396-AD13-666D76E1E34D", "vulnerable": false}, {"criteria": "cpe:2.3:h:schneider-electric:sage_1430:-:*:*:*:*:*:*:*", "matchCriteriaId": "97E29CCC-4E21-411E-80DD-545A66E9B042", "vulnerable": false}, {"criteria": "cpe:2.3:h:schneider-electric:sage_1450:-:*:*:*:*:*:*:*", "matchCriteriaId": "66759867-027F-4FA6-ABA6-BFDEE49E8F8D", "vulnerable": false}, {"criteria": "cpe:2.3:h:schneider-electric:sage_2400:-:*:*:*:*:*:*:*", "matchCriteriaId": "AA561E2A-4787-48D7-ABBB-26D0D7D24E6F", "vulnerable": false}, {"criteria": "cpe:2.3:h:schneider-electric:sage_3030_magnum:-:*:*:*:*:*:*:*", "matchCriteriaId": "453696F2-0F4C-4000-A438-F814D0FC3504", "vulnerable": false}, {"criteria": "cpe:2.3:h:schneider-electric:sage_4400:-:*:*:*:*:*:*:*", "matchCriteriaId": "6462B366-8F9F-49D6-939A-E73C1D5A707C", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "CWE-252: Unchecked Return Value vulnerability exists that could cause denial of service of the\ndevice when an attacker sends a specially crafted HTTP request."}, {"lang": "es", "value": "CWE-252: Existe una vulnerabilidad de valor de retorno no verificado que podr\u00eda causar denegaci\u00f3n de servicio del dispositivo cuando un atacante env\u00eda una solicitud HTTP especialmente manipulada."}], "id": "CVE-2024-37039", "lastModified": "2024-11-21T09:23:06.010", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "cybersecurity@se.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-06-12T17:15:51.313", "references": [{"source": "cybersecurity@se.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2024-163-05&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2024-163-05.pdf"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Vendor Advisory"], "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2024-163-05&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2024-163-05.pdf"}], "sourceIdentifier": "cybersecurity@se.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-252"}], "source": "cybersecurity@se.com", "type": "Secondary"}]}