Lucene search

[email protected]NVD:CVE-2024-37038

HistoryJun 12, 2024 - 5:15 p.m.

CVE-2024-37038

2024-06-1217:15:51

CWE-276

[email protected]

web.nvd.nist.gov

cve-2024-37038

incorrect default permissions

authenticated user

device web interface

unauthorized file uploads

firmware uploads

custom web requests

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS

0.001

Percentile

19.8%

JSON

CWE-276: Incorrect Default Permissions vulnerability exists that could allow an authenticated
user with access to the device’s web interface to perform unauthorized file and firmware
uploads when crafting custom web requests.

Affected configurations

Nvd

Node

schneider-electricsage_rtu_firmwareRange<c3414-500-s02k5_p9

AND

schneider-electricsage_1410Match-

schneider-electricsage_1430Match-

schneider-electricsage_1450Match-

schneider-electricsage_2400Match-

schneider-electricsage_3030_magnumMatch-

schneider-electricsage_4400Match-

VendorProductVersionCPE
schneider-electricsage_rtu_firmware*cpe:2.3:o:schneider-electric:sage_rtu_firmware:*:*:*:*:*:*:*:*
schneider-electricsage_1410-cpe:2.3:h:schneider-electric:sage_1410:-:*:*:*:*:*:*:*
schneider-electricsage_1430-cpe:2.3:h:schneider-electric:sage_1430:-:*:*:*:*:*:*:*
schneider-electricsage_1450-cpe:2.3:h:schneider-electric:sage_1450:-:*:*:*:*:*:*:*
schneider-electricsage_2400-cpe:2.3:h:schneider-electric:sage_2400:-:*:*:*:*:*:*:*
schneider-electricsage_3030_magnum-cpe:2.3:h:schneider-electric:sage_3030_magnum:-:*:*:*:*:*:*:*
schneider-electricsage_4400-cpe:2.3:h:schneider-electric:sage_4400:-:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
schneider-electric	sage_rtu_firmware	*	cpe:2.3:o:schneider-electric:sage_rtu_firmware::::::::
schneider-electric	sage_1410	-	cpe:2.3:h:schneider-electric:sage_1410:-:::::::*
schneider-electric	sage_1430	-	cpe:2.3:h:schneider-electric:sage_1430:-:::::::*
schneider-electric	sage_1450	-	cpe:2.3:h:schneider-electric:sage_1450:-:::::::*
schneider-electric	sage_2400	-	cpe:2.3:h:schneider-electric:sage_2400:-:::::::*
schneider-electric	sage_3030_magnum	-	cpe:2.3:h:schneider-electric:sage_3030_magnum:-:::::::*
schneider-electric	sage_4400	-	cpe:2.3:h:schneider-electric:sage_4400:-:::::::*

References

download.schneider-electric.com/files?p_Doc_Ref=SEVD-2024-163-05&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2024-163-05.pdf

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS

0.001

Percentile

19.8%

JSON

Related for NVD:CVE-2024-37038

cve1 cvelist1 vulnrichment1