A vulnerability has been identified in SINEC INS (All versions < V1.0 SP2 Update 3). The affected application does not properly sanitize user provided paths for SFTP-based file up- and downloads. This could allow an authenticated remote attacker to manipulate arbitrary files on the filesystem and achieve arbitrary code execution on the device.
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Wed, 13 Nov 2024 23:30:00 +0000

Type Values Removed Values Added
First Time appeared Siemens
Siemens sinec Ins
CPEs cpe:2.3:a:siemens:sinec_ins:*:*:*:*:*:*:*:*
cpe:2.3:a:siemens:sinec_ins:1.0:-:*:*:*:*:*:*
cpe:2.3:a:siemens:sinec_ins:1.0:sp1:*:*:*:*:*:*
cpe:2.3:a:siemens:sinec_ins:1.0:sp2:*:*:*:*:*:*
cpe:2.3:a:siemens:sinec_ins:1.0:sp2_update_1:*:*:*:*:*:*
cpe:2.3:a:siemens:sinec_ins:1.0:sp2_update_2:*:*:*:*:*:*
Vendors & Products Siemens
Siemens sinec Ins

Tue, 12 Nov 2024 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Seimens
Seimens sinec Ins
CPEs cpe:2.3:a:seimens:sinec_ins:*:*:*:*:*:*:*:*
Vendors & Products Seimens
Seimens sinec Ins
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 12 Nov 2024 13:15:00 +0000

Type Values Removed Values Added
Description A vulnerability has been identified in SINEC INS (All versions < V1.0 SP2 Update 3). The affected application does not properly sanitize user provided paths for SFTP-based file up- and downloads. This could allow an authenticated remote attacker to manipulate arbitrary files on the filesystem and achieve arbitrary code execution on the device.
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C'}

cvssV4_0

{'score': 9.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}


cve-icon MITRE

Status: PUBLISHED

Assigner: siemens

Published:

Updated: 2024-11-12T14:32:11.296Z

Reserved: 2024-09-12T11:24:19.243Z

Link: CVE-2024-46888

cve-icon Vulnrichment

Updated: 2024-11-12T14:32:03.628Z

cve-icon NVD

Status : Analyzed

Published: 2024-11-12T13:15:08.927

Modified: 2024-11-13T23:11:24.570

Link: CVE-2024-46888

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.