VULNRICHMENT:CVE-2024-3467 (vulnrichment, icscert)
History: Jun 12, 2024 - 9:04 p.m.

CVE-2024-3467 Deserialization of Untrusted Data in AVEVA PI Asset Framework Client

2024-06-12 21:04:26
CWE-502
icscert
github.com
4
cve-2024-3467
deserialization
untrusted data
aveva pi
asset framework client
malicious code
executio
pi system explorer
interactive user
social engineering
xml

CVSS4: 7
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: ACTIVE
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:H/SC:N/VI:H/SI:N/VA:H/SA:N

AI Score: 7.5
Confidence: Low

SSVC
Exploitation: none
Automatable: no
Technical Impact: total

There is a vulnerability in AVEVA PI Asset Framework Client that could allow malicious code to execute on the PI System Explorer environment under the privileges of an interactive user that was socially engineered to import XML supplied by an attacker.

ADP Affected

[
  {
    "cpes": [
      "cpe:2.3:a:aveva:pi_asset_framework_client:2023:*:*:*:*:*:*:*"
    ],
    "vendor": "aveva",
    "product": "pi_asset_framework_client",
    "versions": [
      {
        "status": "affected",
        "version": "2023"
      }
    ],
    "defaultStatus": "unaffected"
  },
  {
    "cpes": [
      "cpe:2.3:a:aveva:pi_asset_framework_client:*:*:*:*:*:*:*:*"
    ],
    "vendor": "aveva",
    "product": "pi_asset_framework_client",
    "versions": [
      {
        "status": "affected",
        "version": "0",
        "versionType": "custom",
        "lessThanOrEqual": "2018"
      }
    ],
    "defaultStatus": "unaffected"
  }
]
