CVE-2024-5558 - Vulnerability Details - OpenCVE

CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability exists that could
cause escalation of privileges when an attacker abuses a limited admin account.

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00068.

Key SSVC decision points have not yet been added.

Vendors	Products
Schneider-electric	Spacelogic As-b Spacelogic As-b Firmware Spacelogic As-p Spacelogic As-p Firmware

Configuration 1 [-]

AND

cpe:2.3:o:schneider-electric:spacelogic_as-b_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:schneider-electric:spacelogic_as-b:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:schneider-electric:spacelogic_as-p_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:schneider-electric:spacelogic_as-p:-:*:*:*:*:*:*:*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2024-46757	CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability exists that could cause escalation of privileges when an attacker abuses a limited admin account.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2024-163-04&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2024-163-04.pdf

History

No history.

MITRE

Status: PUBLISHED

Assigner: schneider

Published: 2024-06-12T16:26:26.294Z

Updated: 2024-08-01T21:18:06.335Z

Reserved: 2024-05-31T06:58:47.453Z

Link: CVE-2024-5558

Vulnrichment

Updated: 2024-08-01T21:18:06.335Z

NVD

Status : Modified

Published: 2024-06-12T17:15:52.160

Modified: 2024-11-21T09:47:55.700

Link: CVE-2024-5558

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-5558", "assignerOrgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", "state": "PUBLISHED", "assignerShortName": "schneider", "dateReserved": "2024-05-31T06:58:47.453Z", "datePublished": "2024-06-12T16:26:26.294Z", "dateUpdated": "2024-08-01T21:18:06.335Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "SpaceLogic AS-P", "vendor": "Schneider Electric", "versions": [{"status": "affected", "version": "V5.0.3 and prior"}]}, {"defaultStatus": "unaffected", "product": "SpaceLogic AS-B", "vendor": "Schneider Electric", "versions": [{"status": "affected", "version": "V5.0.3 and prior"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\n\nCWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability exists that could\ncause escalation of privileges when an attacker abuses a limited admin account.\n\n"}], "value": "CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability exists that could\ncause escalation of privileges when an attacker abuses a limited admin account."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-367", "description": "CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", "shortName": "schneider", "dateUpdated": "2024-06-12T16:26:26.294Z"}, "references": [{"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2024-163-04&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2024-163-04.pdf"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"affected": [{"vendor": "schneider-electric", "product": "spacelogic_as-b", "cpes": ["cpe:2.3:h:schneider-electric:spacelogic_as-b:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "5.0.3", "versionType": "custom"}]}, {"vendor": "schneider-electric", "product": "spacelogic_as-p", "cpes": ["cpe:2.3:h:schneider-electric:spacelogic_as-p:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "5.0.3", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-06-12T18:07:10.554620Z", "id": "CVE-2024-5558", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-23T16:20:36.411Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T21:18:06.335Z"}, "title": "CVE Program Container", "references": [{"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2024-163-04&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2024-163-04.pdf", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2024-163-04&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2024-163-04.pdf", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T21:18:06.335Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-5558", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-06-12T18:07:10.554620Z"}}}], "affected": [{"cpes": ["cpe:2.3:h:schneider-electric:spacelogic_as-b:*:*:*:*:*:*:*:*"], "vendor": "schneider-electric", "product": "spacelogic_as-b", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "5.0.3"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:h:schneider-electric:spacelogic_as-p:*:*:*:*:*:*:*:*"], "vendor": "schneider-electric", "product": "spacelogic_as-p", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "5.0.3"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-12T18:07:04.758Z"}}], "cna": {"source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.4, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Schneider Electric", "product": "SpaceLogic AS-P", "versions": [{"status": "affected", "version": "V5.0.3 and prior"}], "defaultStatus": "unaffected"}, {"vendor": "Schneider Electric", "product": "SpaceLogic AS-B", "versions": [{"status": "affected", "version": "V5.0.3 and prior"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2024-163-04&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2024-163-04.pdf"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability exists that could\ncause escalation of privileges when an attacker abuses a limited admin account.", "supportingMedia": [{"type": "text/html", "value": "\n\nCWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability exists that could\ncause escalation of privileges when an attacker abuses a limited admin account.\n\n", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-367", "description": "CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition"}]}], "providerMetadata": {"orgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", "shortName": "schneider", "dateUpdated": "2024-06-12T16:26:26.294Z"}}}, "cveMetadata": {"cveId": "CVE-2024-5558", "state": "PUBLISHED", "dateUpdated": "2024-08-01T21:18:06.335Z", "dateReserved": "2024-05-31T06:58:47.453Z", "assignerOrgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", "datePublished": "2024-06-12T16:26:26.294Z", "assignerShortName": "schneider"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:schneider-electric:spacelogic_as-b_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "5BD47138-7C8F-4D8B-A669-74395596363D", "versionEndExcluding": "6.0.1", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:schneider-electric:spacelogic_as-b:-:*:*:*:*:*:*:*", "matchCriteriaId": "A50B62A0-A6FB-4AB4-94A0-D054C5ADB015", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:schneider-electric:spacelogic_as-p_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "CA1ABCFA-8D7D-4288-AA9F-FF1B177DBB4E", "versionEndExcluding": "6.0.1", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:schneider-electric:spacelogic_as-p:-:*:*:*:*:*:*:*", "matchCriteriaId": "E516910C-FC39-46FA-82A5-0BF3546FDF33", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability exists that could\ncause escalation of privileges when an attacker abuses a limited admin account."}, {"lang": "es", "value": "CWE-367: Existe una vulnerabilidad de condici\u00f3n de ejecuci\u00f3n de tiempo de verificaci\u00f3n y tiempo de uso (TOCTOU) que podr\u00eda provocar una escalada de privilegios cuando un atacante abusa de una cuenta de administrador limitada."}], "id": "CVE-2024-5558", "lastModified": "2024-11-21T09:47:55.700", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.5, "impactScore": 5.9, "source": "cybersecurity@se.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.5, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-06-12T17:15:52.160", "references": [{"source": "cybersecurity@se.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2024-163-04&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2024-163-04.pdf"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Vendor Advisory"], "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2024-163-04&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2024-163-04.pdf"}], "sourceIdentifier": "cybersecurity@se.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-367"}], "source": "cybersecurity@se.com", "type": "Secondary"}]}