Merge pull request #5 from DIVD-NL/CVE-2024-20380
First draft of CVE-2024-20380
MrSeccubus authored Jan 16, 2024
2 parents a748798 + 2375d79 commit b8cfe23
Showing 2 changed files with 135 additions and 15 deletions.
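--- a/records/2024/CVE-2024-20380.json
+++ b/records/2024/CVE-2024-20380.json
@@ -0,0 +1,135 @@
+{
+"containers": {
+"cna": {
+"affected": [
+{
+"defaultStatus": "unaffected",
+"product": "AK-EM100",
+"vendor": "Danfoss",
+"versions": [
+{
+"status": "affected",
+"version": "< 2.2.0.12"
+}
+]
+}
+],
+"credits": [
+{
+"lang": "en",
+"type": "finder",
+"user": "00000000-0000-4000-9000-000000000000",
+"value": "Jony Schats (Hackdefense)"
+},
+{
+"lang": "en",
+"type": "finder",
+"user": "00000000-0000-4000-9000-000000000000",
+"value": "Stan Plasmeijer (Hackdefense)"
+},
+{
+"lang": "en",
+"type": "analyst",
+"user": "00000000-0000-4000-9000-000000000000",
+"value": "Max van der Horst (DIVD)"
+}
+],
+"descriptions": [
+{
+"lang": "en",
+"supportingMedia": [
+{
+"base64": false,
+"type": "text/html",
+"value": "The Danfoss AK-EM100 web applications allow for OS command injection through the web application parameters."
+}
+],
+"value": "The Danfoss AK-EM100 web applications allow for OS command injection through the web application parameters."
+}
+],
+"metrics": [
+{
+"cvssV3_1": {
+"attackComplexity": "LOW",
+"attackVector": "NETWORK",
+"availabilityImpact": "HIGH",
+"baseScore": 9.9,
+"baseSeverity": "CRITICAL",
+"confidentialityImpact": "HIGH",
+"integrityImpact": "HIGH",
+"privilegesRequired": "LOW",
+"scope": "CHANGED",
+"userInteraction": "NONE",
+"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
+"version": "3.1"
+},
+"format": "CVSS",
+"scenarios": [
+{
+"lang": "en",
+"value": "GENERAL"
+}
+]
+}
+],
+"problemTypes": [
+{
+"descriptions": [
+{
+"cweId": "CWE-77",
+"description": "CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')",
+"lang": "en",
+"type": "CWE"
+}
+]
+}
+],
+"providerMetadata": {
+"dateUpdated": "2024-01-12T15:46:00.000Z",
+"orgId": "00000000-0000-4000-9000-000000000000",
+"shortName": "DIVD"
+},
+"references": [
+{
+"url": "https://divd.nl/cves/CVE-2024-20362",
+"tags" : [ "third-party-advisory"]
+},
+{
+"url": "https://csirt.divd.nl/DIVD-2023-00021",
+"tags" : [ "third-party-advisory"]
+}
+],
+"source": {
+"discovery": "EXTERNAL"
+},
+"title": "OS Command Injection in Danfoss AK-EM100",
+"workarounds": [
+{
+"lang": "en",
+"supportingMedia": [
+{
+"base64": false,
+"type": "text/html",
+"value": "The AK-EM100 has been declared End of Life (EOL). Danfoss advises phasing out this type of device."
+}
+],
+"value": "The AK-EM100 has been declared End of Life (EOL). Danfoss advises phasing out this type of device."
+}
+],
+"x_generator": {
+"engine": "Vulnogram 0.1.0-dev"
+}
+}
+},
+"cveMetadata": {
+"assignerOrgId": "00000000-0000-4000-9000-000000000000",
+"assignerShortName": "DIVD",
+"cveId": "CVE-2024-20380",
+"datePublished": "2024-01-12T15:46:00.000Z",
+"dateReserved": "2024-01-12T14:54:00.000Z",
+"dateUpdated": "2024-01-12T15:46:00.000Z",
+"state": "PUBLISHED"
+},
+"dataType": "CVE_RECORD",
+"dataVersion": "5.0"
+}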
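Review bot: The first entry under `references` points at `https://divd.nl/cves/CVE-2024-20362`, while `cveMetadata.cveId` is `CVE-2024-20380`; this looks like a carry-over from another record, and if so the URL should be `https://divd.nl/cves/CVE-2024-20380` so that anyone following the advisory link reaches the right device. The affected range is written as the literal string `"version": "< 2.2.0.12"`, which automated matchers will most likely treat as a version name rather than an upper bound; the CVE 5.0 range form is `"version": "0", "lessThan": "2.2.0.12", "versionType": "custom"`. The title and description both say OS command injection, for which CWE-78 is the more specific class than the `CWE-77` recorded under `problemTypes`. The `orgId`, `assignerOrgId` and every credit `user` carry the same `00000000-0000-4000-9000-000000000000` value, presumably a draft placeholder, which should be confirmed or replaced before the record is submitted with `"state": "PUBLISHED"`.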
15 changes: 0 additions & 15 deletions records/reservations/2024/CVE-2024-20380.json

This file was deleted.
