CVE-2024-5056 - Vulnerability Details

Description

CWE-552: Files or Directories Accessible to External Parties vulnerability exists which may
prevent user to update the device firmware and prevent proper behavior of the webserver when
specific files or directories are removed from the filesystem.

Published: 2024-06-12

Score: 6.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

No analysis available yet.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Schneider Electric

Modicon M340

unaffected

Version	Status	Constraints
`All versions`	affected	—

Schneider Electric

Network module, Modicon M340, Modbus/TCP BMXNOE0100

unaffected

Version	Status	Constraints
`All versions`	affected	—

Schneider Electric

Network module, Modicon M340, Ethernet TCP/IP BMXNOE0110

unaffected

Version	Status	Constraints
`All Versions`	affected	—

Configuration 1 [-]

AND

cpe:2.3:o:schneider-electric:modicon_m340_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:schneider-electric:modicon_m340:*:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:schneider-electric:bmxnoe0100_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:schneider-electric:bmxnoe0100:*:*:*:*:*:*:*:*

Configuration 3 [-]

AND

cpe:2.3:o:schneider-electric:bmxnoe0110_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:schneider-electric:bmxnoe0110:*:*:*:*:*:*:*:*

No data.

No data available yet.

Remediation

No remediation available yet.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2024-46320	CWE-552: Files or Directories Accessible to External Parties vulnerability exists which may prevent user to update the device firmware and prevent proper behavior of the webserver when specific files or directories are removed from the filesystem.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00119.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2024-163-01&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2024-163-01.pdf

History

Fri, 23 Aug 2024 16:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Schneider-electric Schneider-electric bmxnoe0100 Schneider-electric bmxnoe0100 Firmware Schneider-electric bmxnoe0110 Schneider-electric bmxnoe0110 Firmware Schneider-electric modicon M340 Schneider-electric modicon M340 Firmware
CPEs		cpe:2.3:h:schneider-electric:bmxnoe0100:::::::: cpe:2.3:h:schneider-electric:bmxnoe0110:::::::: cpe:2.3:h:schneider-electric:modicon_m340:::::::: cpe:2.3:o:schneider-electric:bmxnoe0100_firmware:::::::: cpe:2.3:o:schneider-electric:bmxnoe0110_firmware:::::::: cpe:2.3:o:schneider-electric:modicon_m340_firmware::::::::
Vendors & Products		Schneider-electric Schneider-electric bmxnoe0100 Schneider-electric bmxnoe0100 Firmware Schneider-electric bmxnoe0110 Schneider-electric bmxnoe0110 Firmware Schneider-electric modicon M340 Schneider-electric modicon M340 Firmware

Subscriptions

Schneider-electric Bmxnoe0100 Bmxnoe0100 Firmware Bmxnoe0110 Bmxnoe0110 Firmware Modicon M340 Modicon M340 Firmware

MITRE

Status: PUBLISHED

Assigner: schneider

Published: 2024-06-12T12:10:43.250Z

Updated: 2024-08-01T21:03:10.683Z

Reserved: 2024-05-17T10:06:08.565Z

Link: CVE-2024-5056

Vulnrichment

Updated: 2024-08-01T21:03:10.683Z

NVD

Status : Modified

Published: 2024-06-12T12:15:10.233

Modified: 2024-11-21T09:46:52.267

Link: CVE-2024-5056

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-552

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact Low

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object