Lucene search

CERTVDEVULNRICHMENT:CVE-2024-5404

HistoryJun 03, 2024 - 9:00 a.m.

CVE-2024-5404 ifm: moneo prone to weak password recovery mechanism

2024-06-0309:00:55

CWE-640

CERTVDE

github.com

weak password recovery

remote attack

cve-2024-5404

moneo appliance

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

7.2

Confidence

Low

EPSS

0.001

Percentile

39.1%

SSVC

Exploitation

none

Automatable

yes

Technical Impact

total

JSON

An unauthenticated remote attacker can change the admin password in a moneo appliance due to weak password recovery mechanism.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "moneo appliance QVA200",
    "vendor": "ifm",
    "versions": [
      {
        "lessThanOrEqual": "1.13",
        "status": "affected",
        "version": "0.0",
        "versionType": "semver"
      }
    ]
  },
  {
    "defaultStatus": "unaffected",
    "product": "moneo appliance QHA210",
    "vendor": "ifm",
    "versions": [
      {
        "lessThanOrEqual": "1.13",
        "status": "affected",
        "version": "0.0",
        "versionType": "semver"
      }
    ]
  },
  {
    "defaultStatus": "unaffected",
    "product": "moneo appliance QHA300",
    "vendor": "ifm",
    "versions": [
      {
        "lessThanOrEqual": "1.13",
        "status": "affected",
        "version": "0.0",
        "versionType": "semver"
      }
    ]
  },
  {
    "defaultStatus": "unaffected",
    "product": "moneo for Micosoft Windows",
    "vendor": "ifm",
    "versions": [
      {
        "lessThanOrEqual": "1.13",
        "status": "affected",
        "version": "0.0",
        "versionType": "semver"
      }
    ]
  }
]

ADP Affected

[
  {
    "cpes": [
      "cpe:2.3:h:ifm:moneo_qha210:-:*:*:*:*:*:*:*"
    ],
    "vendor": "ifm",
    "product": "moneo_qha210",
    "versions": [
      {
        "status": "affected",
        "version": "0",
        "versionType": "custom",
        "lessThanOrEqual": "1.13"
      }
    ],
    "defaultStatus": "unknown"
  },
  {
    "cpes": [
      "cpe:2.3:a:ifm:moneo_qha300:1.1.3:*:*:*:*:*:*:*"
    ],
    "vendor": "ifm",
    "product": "moneo_qha300",
    "versions": [
      {
        "status": "affected",
        "version": "0",
        "versionType": "custom",
        "lessThanOrEqual": "1.13"
      }
    ],
    "defaultStatus": "unknown"
  },
  {
    "cpes": [
      "cpe:2.3:a:ifm:moneo_qva200:1.13:*:*:*:*:*:*:*"
    ],
    "vendor": "ifm",
    "product": "moneo_qva200",
    "versions": [
      {
        "status": "affected",
        "version": "0",
        "versionType": "custom",
        "lessThanOrEqual": "1.13"
      }
    ],
    "defaultStatus": "unknown"
  },
  {
    "cpes": [
      "cpe:2.3:a:ifm:moneo_for_microsoft_windows:1.13:*:*:*:*:*:*:*"
    ],
    "vendor": "ifm",
    "product": "moneo_for_microsoft_windows",
    "versions": [
      {
        "status": "affected",
        "version": "0",
        "versionType": "custom",
        "lessThanOrEqual": "1.13"
      }
    ],
    "defaultStatus": "unknown"
  }
]

References

cert.vde.com/en/advisories/VDE-2024-028

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

7.2

Confidence

Low

EPSS

0.001

Percentile

39.1%

SSVC

Exploitation

none

Automatable

yes

Technical Impact

total

JSON

Related for VULNRICHMENT:CVE-2024-5404