CVE-2024-2882
Alerte pour un CVE
Descriptions
Missing Authorization in SDG Technologies PnPSCADA
SDG Technologies PnPSCADA allows a remote attacker to attach various entities without requiring system authentication. This breach could potentially lead to unauthorized control, data manipulation, and access to sensitive information within the SCADA system.Solutions
Informations
Faiblesses connexes
| Nom de la faiblesse | Source | |
|---|---|---|
| Missing Authorization The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Metrics
| Metric | Score | Sévérité | CVSS Vecteur | Source |
|---|---|---|---|---|
| V4.0 | 9.3 | CRITICAL |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
More informations
Base: Exploitabilty MetricsThe Exploitability metrics reflect the characteristics of the “thing that is vulnerable”, which we refer to formally as the vulnerable system. Attack VectorThis metric reflects the context by which vulnerability exploitation is possible. Network The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers). Attack ComplexityThis metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. Low The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system. Attack RequirementsThis metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. None The successful attack does not depend on the deployment and execution conditions of the vulnerable system. The attacker can expect to be able to reach the vulnerability and execute the exploit under all or most instances of the vulnerability. Privileges RequiredThis metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. None The attacker is unauthenticated prior to attack, and therefore does not require any access to settings or files of the vulnerable system to carry out an attack. User InteractionThis metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. None The vulnerable system can be exploited without interaction from any human user, other than the attacker. Examples include: a remote attacker is able to send packets to a target system a locally authenticated attacker executes code to elevate privileges Base: Impact MetricsThe Impact metrics capture the effects of a successfully exploited vulnerability. Analysts should constrain impacts to a reasonable, final outcome which they are confident an attacker is able to achieve. Confidentiality ImpactThis metric measures the impact to the confidentiality of the information managed by the system due to a successfully exploited vulnerability. High There is a total loss of confidentiality, resulting in all information within the Vulnerable System being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server. Integrity ImpactThis metric measures the impact to integrity of a successfully exploited vulnerability. High There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the Vulnerable System. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the Vulnerable System. Availability ImpactThis metric measures the impact to the availability of the impacted system resulting from a successfully exploited vulnerability. None There is no impact to availability within the Vulnerable System. Sub Confidentiality ImpactNegligible There is no loss of confidentiality within the Subsequent System or all confidentiality impact is constrained to the Vulnerable System. Sub Integrity ImpactNone There is no loss of integrity within the Subsequent System or all integrity impact is constrained to the Vulnerable System. Sub Availability ImpactNone There is no impact to availability within the Subsequent System or all availability impact is constrained to the Vulnerable System. Threat MetricsThe Threat metrics measure the current state of exploit techniques or code availability for a vulnerability. Environmental MetricsThese metrics enable the consumer analyst to customize the resulting score depending on the importance of the affected IT asset to a user’s organization, measured in terms of complementary/alternative security controls in place, Confidentiality, Integrity, and Availability. The metrics are the modified equivalent of Base metrics and are assigned values based on the system placement within organizational infrastructure. Supplemental MetricsSupplemental metric group provides new metrics that describe and measure additional extrinsic attributes of a vulnerability. While the assessment of Supplemental metrics is provisioned by the provider, the usage and response plan of each metric within the Supplemental metric group is determined by the consumer. |
