CVE-2024-5560 - Vulnerability Details - OpenCVE

CWE-125: Out-of-bounds Read vulnerability exists that could cause denial of service of the
device’s web interface when an attacker sends a specially crafted HTTP request.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00158.

Key SSVC decision points have not yet been added.

Vendors	Products
Schneider-electric	Sage 1410 Sage 1430 Sage 1450 Sage 2400 Sage 3030 Magnum Sage 4400 Sage Rtu Firmware

Configuration 1 [-]

AND

cpe:2.3:o:schneider-electric:sage_rtu_firmware:*:*:*:*:*:*:*:*

OR	cpe:2.3:h:schneider-electric:sage_1410:-:::::::*
	cpe:2.3:h:schneider-electric:sage_1430:-:::::::*
	cpe:2.3:h:schneider-electric:sage_1450:-:::::::*
	cpe:2.3:h:schneider-electric:sage_2400:-:::::::*
	cpe:2.3:h:schneider-electric:sage_3030_magnum:-:::::::*
	cpe:2.3:h:schneider-electric:sage_4400:-:::::::*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2024-46759	CWE-125: Out-of-bounds Read vulnerability exists that could cause denial of service of the device’s web interface when an attacker sends a specially crafted HTTP request.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2024-163-05&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2024-163-05.pdf

History

No history.

MITRE

Status: PUBLISHED

Assigner: schneider

Published: 2024-06-12T16:45:56.256Z

Updated: 2024-08-01T21:18:06.538Z

Reserved: 2024-05-31T06:58:55.638Z

Link: CVE-2024-5560

Vulnrichment

Updated: 2024-08-01T21:18:06.538Z

NVD

Status : Modified

Published: 2024-06-12T17:15:52.357

Modified: 2024-11-21T09:47:55.983

Link: CVE-2024-5560

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-5560", "assignerOrgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", "state": "PUBLISHED", "assignerShortName": "schneider", "dateReserved": "2024-05-31T06:58:55.638Z", "datePublished": "2024-06-12T16:45:56.256Z", "dateUpdated": "2024-08-01T21:18:06.538Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Sage 1410", "vendor": "Schneider Electric", "versions": [{"status": "affected", "version": "Versions C3414-500-S02K5_P8 and prior"}]}, {"defaultStatus": "unaffected", "product": "Sage 1430", "vendor": "Schneider Electric", "versions": [{"status": "affected", "version": "Versions C3414-500-S02K5_P8 and prior"}]}, {"defaultStatus": "unaffected", "product": "Sage 1450", "vendor": "Schneider Electric", "versions": [{"status": "affected", "version": "Versions C3414-500-S02K5_P8 and prior"}]}, {"defaultStatus": "unaffected", "product": "Sage 2400", "vendor": "Schneider Electric", "versions": [{"status": "affected", "version": "Versions C3414-500-S02K5_P8 and prior"}]}, {"defaultStatus": "unaffected", "product": "Sage 3030 Magnum", "vendor": "Schneider Electric", "versions": [{"status": "affected", "version": "Versions C3414-500-S02K5_P8 and prior"}]}, {"defaultStatus": "unaffected", "product": "Sage 4400", "vendor": "Schneider Electric", "versions": [{"status": "affected", "version": "Versions C3414-500-S02K5_P8 and prior"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\n\nCWE-125: Out-of-bounds Read vulnerability exists that could cause denial of service of the\ndevice\u2019s web interface when an attacker sends a specially crafted HTTP request.\n\n"}], "value": "CWE-125: Out-of-bounds Read vulnerability exists that could cause denial of service of the\ndevice\u2019s web interface when an attacker sends a specially crafted HTTP request."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-125", "description": "CWE-125 Out-of-bounds Read", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", "shortName": "schneider", "dateUpdated": "2024-06-12T16:45:56.256Z"}, "references": [{"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2024-163-05&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2024-163-05.pdf"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"affected": [{"vendor": "schneider-electric", "product": "sage_4400", "cpes": ["cpe:2.3:h:schneider-electric:sage_3030_magnum:-:*:*:*:*:*:*:*", "cpe:2.3:h:schneider-electric:sage_1410:-:*:*:*:*:*:*:*", "cpe:2.3:h:schneider-electric:sage_1430:-:*:*:*:*:*:*:*", "cpe:2.3:h:schneider-electric:sage_1450:-:*:*:*:*:*:*:*", "cpe:2.3:h:schneider-electric:sage_2400:-:*:*:*:*:*:*:*", "cpe:2.3:h:schneider-electric:sage_4400:-:*:*:*:*:*:*:*"], "defaultStatus": "unaffected", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "c3414-500-s02k5_p8", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-06-12T18:30:24.462387Z", "id": "CVE-2024-5560", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-12T18:32:10.472Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T21:18:06.538Z"}, "title": "CVE Program Container", "references": [{"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2024-163-05&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2024-163-05.pdf", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2024-163-05&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2024-163-05.pdf", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T21:18:06.538Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-5560", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-06-12T18:30:24.462387Z"}}}], "affected": [{"cpes": ["cpe:2.3:h:schneider-electric:sage_3030_magnum:-:*:*:*:*:*:*:*", "cpe:2.3:h:schneider-electric:sage_1410:-:*:*:*:*:*:*:*", "cpe:2.3:h:schneider-electric:sage_1430:-:*:*:*:*:*:*:*", "cpe:2.3:h:schneider-electric:sage_1450:-:*:*:*:*:*:*:*", "cpe:2.3:h:schneider-electric:sage_2400:-:*:*:*:*:*:*:*", "cpe:2.3:h:schneider-electric:sage_4400:-:*:*:*:*:*:*:*"], "vendor": "schneider-electric", "product": "sage_4400", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "c3414-500-s02k5_p8"}], "defaultStatus": "unaffected"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-12T18:30:17.592Z"}}], "cna": {"source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Schneider Electric", "product": "Sage 1410", "versions": [{"status": "affected", "version": "Versions C3414-500-S02K5_P8 and prior"}], "defaultStatus": "unaffected"}, {"vendor": "Schneider Electric", "product": "Sage 1430", "versions": [{"status": "affected", "version": "Versions C3414-500-S02K5_P8 and prior"}], "defaultStatus": "unaffected"}, {"vendor": "Schneider Electric", "product": "Sage 1450", "versions": [{"status": "affected", "version": "Versions C3414-500-S02K5_P8 and prior"}], "defaultStatus": "unaffected"}, {"vendor": "Schneider Electric", "product": "Sage 2400", "versions": [{"status": "affected", "version": "Versions C3414-500-S02K5_P8 and prior"}], "defaultStatus": "unaffected"}, {"vendor": "Schneider Electric", "product": "Sage 3030 Magnum", "versions": [{"status": "affected", "version": "Versions C3414-500-S02K5_P8 and prior"}], "defaultStatus": "unaffected"}, {"vendor": "Schneider Electric", "product": "Sage 4400", "versions": [{"status": "affected", "version": "Versions C3414-500-S02K5_P8 and prior"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2024-163-05&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2024-163-05.pdf"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "CWE-125: Out-of-bounds Read vulnerability exists that could cause denial of service of the\ndevice\u2019s web interface when an attacker sends a specially crafted HTTP request.", "supportingMedia": [{"type": "text/html", "value": "\n\nCWE-125: Out-of-bounds Read vulnerability exists that could cause denial of service of the\ndevice\u2019s web interface when an attacker sends a specially crafted HTTP request.\n\n", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-125", "description": "CWE-125 Out-of-bounds Read"}]}], "providerMetadata": {"orgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", "shortName": "schneider", "dateUpdated": "2024-06-12T16:45:56.256Z"}}}, "cveMetadata": {"cveId": "CVE-2024-5560", "state": "PUBLISHED", "dateUpdated": "2024-08-01T21:18:06.538Z", "dateReserved": "2024-05-31T06:58:55.638Z", "assignerOrgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", "datePublished": "2024-06-12T16:45:56.256Z", "assignerShortName": "schneider"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:schneider-electric:sage_rtu_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "D4DDD3DD-576C-404E-A132-D1357936A610", "versionEndExcluding": "c3414-500-s02k5_p9", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:schneider-electric:sage_1410:-:*:*:*:*:*:*:*", "matchCriteriaId": "02E606BD-92F8-4396-AD13-666D76E1E34D", "vulnerable": false}, {"criteria": "cpe:2.3:h:schneider-electric:sage_1430:-:*:*:*:*:*:*:*", "matchCriteriaId": "97E29CCC-4E21-411E-80DD-545A66E9B042", "vulnerable": false}, {"criteria": "cpe:2.3:h:schneider-electric:sage_1450:-:*:*:*:*:*:*:*", "matchCriteriaId": "66759867-027F-4FA6-ABA6-BFDEE49E8F8D", "vulnerable": false}, {"criteria": "cpe:2.3:h:schneider-electric:sage_2400:-:*:*:*:*:*:*:*", "matchCriteriaId": "AA561E2A-4787-48D7-ABBB-26D0D7D24E6F", "vulnerable": false}, {"criteria": "cpe:2.3:h:schneider-electric:sage_3030_magnum:-:*:*:*:*:*:*:*", "matchCriteriaId": "453696F2-0F4C-4000-A438-F814D0FC3504", "vulnerable": false}, {"criteria": "cpe:2.3:h:schneider-electric:sage_4400:-:*:*:*:*:*:*:*", "matchCriteriaId": "6462B366-8F9F-49D6-939A-E73C1D5A707C", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "CWE-125: Out-of-bounds Read vulnerability exists that could cause denial of service of the\ndevice\u2019s web interface when an attacker sends a specially crafted HTTP request."}, {"lang": "es", "value": "CWE-125: Existe una vulnerabilidad de lectura fuera de los l\u00edmites que podr\u00eda causar denegaci\u00f3n de servicio de la interfaz web del dispositivo cuando un atacante env\u00eda una solicitud HTTP especialmente manipulada."}], "id": "CVE-2024-5560", "lastModified": "2024-11-21T09:47:55.983", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "cybersecurity@se.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-06-12T17:15:52.357", "references": [{"source": "cybersecurity@se.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2024-163-05&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2024-163-05.pdf"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Vendor Advisory"], "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2024-163-05&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2024-163-05.pdf"}], "sourceIdentifier": "cybersecurity@se.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-125"}], "source": "cybersecurity@se.com", "type": "Secondary"}]}