CVE-2024-6796 - Vulnerability Details - OpenCVE

In Baxter Connex health portal released before 8/30/2024, an improper access control vulnerability has been found that could allow an unauthenticated attacker to gain unauthorized access to Connex portal's database and/or modify content.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00372.

Exploitation none

Automatable yes

Technical Impact partial

Vendors	Products
Baxter	Connex Health Portal
Hillrom	Connex Health Portal

Configuration 1 [-]

cpe:2.3:a:baxter:connex_health_portal:*:*:*:*:*:*:*:*

No data.

No data.

References

Link	Providers
https://www.cisa.gov/news-events/ics-medical-advisories/icsma-24-249-01

History

Fri, 20 Sep 2024 15:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Baxter Baxter connex Health Portal
Weaknesses		NVD-CWE-noinfo
CPEs		cpe:2.3:a:baxter:connex_health_portal::::::::
Vendors & Products		Baxter Baxter connex Health Portal

Mon, 09 Sep 2024 20:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Hillrom Hillrom connex Health Portal
CPEs		cpe:2.3:a:hillrom:connex_health_portal::::::::
Vendors & Products		Hillrom Hillrom connex Health Portal
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 09 Sep 2024 19:45:00 +0000

Type	Values Removed	Values Added
Description		In Baxter Connex health portal released before 8/30/2024, an improper access control vulnerability has been found that could allow an unauthenticated attacker to gain unauthorized access to Connex portal's database and/or modify content.
Title		Vulnerability in Baxter Connex Health Portal
Weaknesses		CWE-284
References		https://www.cisa.gov/news-events/ics-medical-advisories/icsma-24-249-01
Metrics		cvssV3_1 `{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N'}`

MITRE

Status: PUBLISHED

Assigner: Baxter

Published: 2024-09-09T19:28:30.647Z

Updated: 2024-09-09T20:08:22.237Z

Reserved: 2024-07-16T17:54:05.755Z

Link: CVE-2024-6796

Vulnrichment

Updated: 2024-09-09T20:04:14.799Z

NVD

Status : Analyzed

Published: 2024-09-09T20:15:05.470

Modified: 2024-09-20T14:53:11.447

Link: CVE-2024-6796

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-6796", "assignerOrgId": "dba971b9-eb30-4121-91e1-3b45611354aa", "state": "PUBLISHED", "assignerShortName": "Baxter", "dateReserved": "2024-07-16T17:54:05.755Z", "datePublished": "2024-09-09T19:28:30.647Z", "dateUpdated": "2024-09-09T20:08:22.237Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Connex Health Portal", "vendor": "Baxter", "versions": [{"lessThan": "8/30/2024", "status": "affected", "version": "0", "versionType": "date"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "In Baxter Connex health portal released before 8/30/2024, an improper access control vulnerability has been found that could allow an unauthenticated attacker to gain unauthorized access to Connex portal's database and/or modify content. "}], "value": "In Baxter Connex health portal released before 8/30/2024, an improper access control vulnerability has been found that could allow an unauthenticated attacker to gain unauthorized access to Connex portal's database and/or modify content."}], "impacts": [{"capecId": "CAPEC-115", "descriptions": [{"lang": "en", "value": "CAPEC-115 Authentication Bypass"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "description": "CWE-284 Improper Access Control", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "dba971b9-eb30-4121-91e1-3b45611354aa", "shortName": "Baxter", "dateUpdated": "2024-09-09T19:28:30.647Z"}, "references": [{"url": "https://www.cisa.gov/news-events/ics-medical-advisories/icsma-24-249-01"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Baxter is unaware of any exploitation of this vulnerability in our product and/or the compromise of personal or health data. Baxter patched all impacted systems promptly to address this vulnerability. No user action is required.\n\n<br>"}], "value": "Baxter is unaware of any exploitation of this vulnerability in our product and/or the compromise of personal or health data. Baxter patched all impacted systems promptly to address this vulnerability. No user action is required."}], "source": {"discovery": "UNKNOWN"}, "title": "Vulnerability in Baxter Connex Health Portal", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"affected": [{"vendor": "hillrom", "product": "connex_health_portal", "cpes": ["cpe:2.3:a:hillrom:connex_health_portal:*:*:*:*:*:*:*:*"], "defaultStatus": "unaffected", "versions": [{"version": "0", "status": "affected", "lessThan": "8.30.2024", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-09T19:51:44.387310Z", "id": "CVE-2024-6796", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-09T20:08:22.237Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-6796", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-09T19:51:44.387310Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:hillrom:connex_health_portal:*:*:*:*:*:*:*:*"], "vendor": "hillrom", "product": "connex_health_portal", "versions": [{"status": "affected", "version": "0", "lessThan": "8.30.2024", "versionType": "custom"}], "defaultStatus": "unaffected"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-09T20:04:14.799Z"}}], "cna": {"title": "Vulnerability in Baxter Connex Health Portal", "source": {"discovery": "UNKNOWN"}, "impacts": [{"capecId": "CAPEC-115", "descriptions": [{"lang": "en", "value": "CAPEC-115 Authentication Bypass"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Baxter", "product": "Connex Health Portal", "versions": [{"status": "affected", "version": "0", "lessThan": "8/30/2024", "versionType": "date"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Baxter is unaware of any exploitation of this vulnerability in our product and/or the compromise of personal or health data. Baxter patched all impacted systems promptly to address this vulnerability. No user action is required.", "supportingMedia": [{"type": "text/html", "value": "Baxter is unaware of any exploitation of this vulnerability in our product and/or the compromise of personal or health data. Baxter patched all impacted systems promptly to address this vulnerability. No user action is required.\n\n<br>", "base64": false}]}], "references": [{"url": "https://www.cisa.gov/news-events/ics-medical-advisories/icsma-24-249-01"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "In Baxter Connex health portal released before 8/30/2024, an improper access control vulnerability has been found that could allow an unauthenticated attacker to gain unauthorized access to Connex portal's database and/or modify content.", "supportingMedia": [{"type": "text/html", "value": "In Baxter Connex health portal released before 8/30/2024, an improper access control vulnerability has been found that could allow an unauthenticated attacker to gain unauthorized access to Connex portal's database and/or modify content. ", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284 Improper Access Control"}]}], "providerMetadata": {"orgId": "dba971b9-eb30-4121-91e1-3b45611354aa", "shortName": "Baxter", "dateUpdated": "2024-09-09T19:28:30.647Z"}}}, "cveMetadata": {"cveId": "CVE-2024-6796", "state": "PUBLISHED", "dateUpdated": "2024-09-09T20:08:22.237Z", "dateReserved": "2024-07-16T17:54:05.755Z", "assignerOrgId": "dba971b9-eb30-4121-91e1-3b45611354aa", "datePublished": "2024-09-09T19:28:30.647Z", "assignerShortName": "Baxter"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:baxter:connex_health_portal:*:*:*:*:*:*:*:*", "matchCriteriaId": "21E3F634-BFB7-4605-91ED-E03F8EA2E7C4", "versionEndExcluding": "2024-08-30", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In Baxter Connex health portal released before 8/30/2024, an improper access control vulnerability has been found that could allow an unauthenticated attacker to gain unauthorized access to Connex portal's database and/or modify content."}, {"lang": "es", "value": "En el portal de salud Baxter Connex publicado antes del 30/8/2024, se encontr\u00f3 una vulnerabilidad de control de acceso inadecuado que podr\u00eda permitir que un atacante no autenticado obtenga acceso no autorizado a la base de datos del portal Connex y/o modifique el contenido."}], "id": "CVE-2024-6796", "lastModified": "2024-09-20T14:53:11.447", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.2, "source": "productsecurity@baxter.com", "type": "Secondary"}]}, "published": "2024-09-09T20:15:05.470", "references": [{"source": "productsecurity@baxter.com", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://www.cisa.gov/news-events/ics-medical-advisories/icsma-24-249-01"}], "sourceIdentifier": "productsecurity@baxter.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-284"}], "source": "productsecurity@baxter.com", "type": "Secondary"}]}