OpenCVE

SpiderControl SCADA Web Server has a vulnerability that could allow an attacker to upload specially crafted malicious files without authentication.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable yes

Technical Impact partial

Vendors	Products
Spidercontrol	Scada Webserver

No data.

No data.

References

Link	Providers
https://www.cisa.gov/news-events/ics-advisories/icsa-24-254-02

History

Thu, 12 Sep 2024 14:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Spidercontrol Spidercontrol scada Webserver
CPEs		cpe:2.3:a:spidercontrol:scada_webserver::::::::
Vendors & Products		Spidercontrol Spidercontrol scada Webserver
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 10 Sep 2024 20:00:00 +0000

Type	Values Removed	Values Added
Description		SpiderControl SCADA Web Server has a vulnerability that could allow an attacker to upload specially crafted malicious files without authentication.
Title		iniNet Solutions SpiderControl SCADA Web Server Unrestricted Upload of File with Dangerous Type
Weaknesses		CWE-434
References		https://www.cisa.gov/news-events/ics-advisories/icsa-24-254-02
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}` cvssV4_0 `{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}`

MITRE

Status: PUBLISHED

Assigner: icscert

Published: 2024-09-10T19:44:18.096Z

Updated: 2024-09-12T13:36:10.295Z

Reserved: 2024-08-27T13:40:41.730Z

Link: CVE-2024-8232

Vulnrichment

Updated: 2024-09-12T13:36:04.981Z

NVD

Status : Awaiting Analysis

Published: 2024-09-10T20:15:05.060

Modified: 2024-09-11T16:26:11.920

Link: CVE-2024-8232

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-8232", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "state": "PUBLISHED", "assignerShortName": "icscert", "dateReserved": "2024-08-27T13:40:41.730Z", "datePublished": "2024-09-10T19:44:18.096Z", "dateUpdated": "2024-09-12T13:36:10.295Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "SpiderControl SCADA Web Server", "vendor": "iniNet Solutions GmbH", "versions": [{"lessThanOrEqual": "v2.09", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "elcazators ELEX FEIGONG RESEARCH INSTITUTE of Elex CyberSecurity, Inc reported this vulnerability to CERT/CC."}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "SpiderControl SCADA Web Server has a vulnerability that could allow an \nattacker to upload specially crafted malicious files without \nauthentication."}], "value": "SpiderControl SCADA Web Server has a vulnerability that could allow an \nattacker to upload specially crafted malicious files without \nauthentication."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 8.7, "baseSeverity": "HIGH", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-434", "description": "CWE-434 Unrestricted Upload of File with Dangerous Type", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2024-09-10T19:44:18.096Z"}, "references": [{"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-254-02"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "IniNet Solutions has released a new version of SpiderControl SCADA \nServer, (3.2.2), to address this issue. It can be found at the following\n location: <a target=\"_blank\" rel=\"nofollow\" href=\"https://spidercontrol.net/download/download-area-2/?lang=en\">https://spidercontrol.net/download/download-area-2/?lang=en</a>\n\n<br>"}], "value": "IniNet Solutions has released a new version of SpiderControl SCADA \nServer, (3.2.2), to address this issue. It can be found at the following\n location: https://spidercontrol.net/download/download-area-2/?lang=en"}], "source": {"advisory": "ICSA-24-254-02", "discovery": "EXTERNAL"}, "title": "iniNet Solutions SpiderControl SCADA Web Server Unrestricted Upload of File with Dangerous Type", "workarounds": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "IniNet Solutions reminds users that the webserver is designed to be used\n in a protected environment. IniNet Solutions GmbH recommends that users\n never connect control system software directly to the Internet. If a \nuser must connect to the Internet, IniNet Solutions GmbH recommends \nusing a managed infrastructure to do so.\n\n<br>"}], "value": "IniNet Solutions reminds users that the webserver is designed to be used\n in a protected environment. IniNet Solutions GmbH recommends that users\n never connect control system software directly to the Internet. If a \nuser must connect to the Internet, IniNet Solutions GmbH recommends \nusing a managed infrastructure to do so."}], "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"affected": [{"vendor": "spidercontrol", "product": "scada_webserver", "cpes": ["cpe:2.3:a:spidercontrol:scada_webserver:*:*:*:*:*:*:*:*"], "defaultStatus": "unaffected", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.09", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-12T13:34:02.939872Z", "id": "CVE-2024-8232", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-12T13:36:10.295Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-8232", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-12T13:34:02.939872Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:spidercontrol:scada_webserver:*:*:*:*:*:*:*:*"], "vendor": "spidercontrol", "product": "scada_webserver", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "2.09"}], "defaultStatus": "unaffected"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-12T13:36:04.981Z"}}], "cna": {"title": "iniNet Solutions SpiderControl SCADA Web Server Unrestricted Upload of File with Dangerous Type", "source": {"advisory": "ICSA-24-254-02", "discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "elcazators ELEX FEIGONG RESEARCH INSTITUTE of Elex CyberSecurity, Inc reported this vulnerability to CERT/CC."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "iniNet Solutions GmbH", "product": "SpiderControl SCADA Web Server", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "v2.09"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "IniNet Solutions has released a new version of SpiderControl SCADA \nServer, (3.2.2), to address this issue. It can be found at the following\n location: https://spidercontrol.net/download/download-area-2/?lang=en", "supportingMedia": [{"type": "text/html", "value": "IniNet Solutions has released a new version of SpiderControl SCADA \nServer, (3.2.2), to address this issue. It can be found at the following\n location: <a target=\"_blank\" rel=\"nofollow\" href=\"https://spidercontrol.net/download/download-area-2/?lang=en\">https://spidercontrol.net/download/download-area-2/?lang=en</a>\n\n<br>", "base64": false}]}], "references": [{"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-254-02"}], "workarounds": [{"lang": "en", "value": "IniNet Solutions reminds users that the webserver is designed to be used\n in a protected environment. IniNet Solutions GmbH recommends that users\n never connect control system software directly to the Internet. If a \nuser must connect to the Internet, IniNet Solutions GmbH recommends \nusing a managed infrastructure to do so.", "supportingMedia": [{"type": "text/html", "value": "IniNet Solutions reminds users that the webserver is designed to be used\n in a protected environment. IniNet Solutions GmbH recommends that users\n never connect control system software directly to the Internet. If a \nuser must connect to the Internet, IniNet Solutions GmbH recommends \nusing a managed infrastructure to do so.\n\n<br>", "base64": false}]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "SpiderControl SCADA Web Server has a vulnerability that could allow an \nattacker to upload specially crafted malicious files without \nauthentication.", "supportingMedia": [{"type": "text/html", "value": "SpiderControl SCADA Web Server has a vulnerability that could allow an \nattacker to upload specially crafted malicious files without \nauthentication.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-434", "description": "CWE-434 Unrestricted Upload of File with Dangerous Type"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2024-09-10T19:44:18.096Z"}}}, "cveMetadata": {"cveId": "CVE-2024-8232", "state": "PUBLISHED", "dateUpdated": "2024-09-12T13:36:10.295Z", "dateReserved": "2024-08-27T13:40:41.730Z", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "datePublished": "2024-09-10T19:44:18.096Z", "assignerShortName": "icscert"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "SpiderControl SCADA Web Server has a vulnerability that could allow an \nattacker to upload specially crafted malicious files without \nauthentication."}, {"lang": "es", "value": "El servidor web SpiderControl SCADA tiene una vulnerabilidad que podr\u00eda permitir a un atacante cargar archivos maliciosos especialmente manipulados sin autenticaci\u00f3n."}], "id": "CVE-2024-8232", "lastModified": "2024-09-11T16:26:11.920", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "automatable": "NOT_DEFINED", "availabilityRequirements": "NOT_DEFINED", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityRequirements": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirements": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubsequentSystemAvailability": "NOT_DEFINED", "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED", "modifiedSubsequentSystemIntegrity": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnerableSystemAvailability": "NOT_DEFINED", "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED", "modifiedVulnerableSystemIntegrity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "recovery": "NOT_DEFINED", "safety": "NOT_DEFINED", "subsequentSystemAvailability": "NONE", "subsequentSystemConfidentiality": "NONE", "subsequentSystemIntegrity": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnerabilityResponseEffort": "NOT_DEFINED", "vulnerableSystemAvailability": "NONE", "vulnerableSystemConfidentiality": "NONE", "vulnerableSystemIntegrity": "HIGH"}, "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}, "published": "2024-09-10T20:15:05.060", "references": [{"source": "ics-cert@hq.dhs.gov", "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-254-02"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-434"}], "source": "ics-cert@hq.dhs.gov", "type": "Primary"}]}