CVE-2024-23317 - Vulnerability Details - OpenCVE

External Control of File Name or Path (CWE-73) in the Controller 6000 and Controller 7000 allows an attacker with local access to the Controller to perform arbitrary code execution. This issue affects: 9.10 prior to vCR9.10.240520a (distributed in 9.10.1268(MR1)), 9.00 prior to vCR9.00.240521a (distributed in 9.00.1990(MR3)), 8.90 prior to vCR8.90.240520a (distributed in 8.90.1947 (MR4)), 8.80 prior to vCR8.80.240520a (distributed in 8.80.1726 (MR5)), 8.70 prior to vCR8.70.240520a (distributed in 8.70.2824 (MR7)), all versions of 8.60 and prior.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

References

Link	Providers
https://security.gallagher.com/Security-Advisories/CVE-2024-23317

History

No history.

MITRE

Status: PUBLISHED

Assigner: Gallagher

Published: 2024-07-11T02:39:28.129Z

Updated: 2024-08-01T22:59:32.128Z

Reserved: 2024-02-05T04:16:47.971Z

Link: CVE-2024-23317

Vulnrichment

Updated: 2024-08-01T22:59:32.128Z

NVD

Status : Awaiting Analysis

Published: 2024-07-11T03:15:03.130

Modified: 2024-11-21T08:57:29.543

Link: CVE-2024-23317

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-23317", "assignerOrgId": "0c426f27-3ee1-4eff-be88-288d5a1822bc", "state": "PUBLISHED", "assignerShortName": "Gallagher", "dateReserved": "2024-02-05T04:16:47.971Z", "datePublished": "2024-07-11T02:39:28.129Z", "dateUpdated": "2024-08-01T22:59:32.128Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "affected", "product": "Controller 6000 and Controller 7000", "vendor": "Gallagher", "versions": [{"lessThan": "8.60", "status": "affected", "version": "0", "versionType": "custom"}, {"lessThanOrEqual": "vCR9.10.240520a", "status": "affected", "version": "9.10", "versionType": "custom"}, {"lessThanOrEqual": "vCR9.00.240521a", "status": "affected", "version": "9.00", "versionType": "custom"}, {"lessThanOrEqual": "vCR8.90.240520a", "status": "affected", "version": "8.90", "versionType": "custom"}, {"lessThanOrEqual": "vCR8.80.240520a", "status": "affected", "version": "8.80", "versionType": "custom"}, {"lessThanOrEqual": "vCR8.70.240520a", "status": "affected", "version": "8.70", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\n\n<p>External Control of File Name or Path (CWE-73) in the Controller 6000 and Controller 7000 allows an attacker with local access to the Controller to perform arbitrary code execution. </p><p><b>This issue affects:</b> 9.10 prior to vCR9.10.240520a (distributed in 9.10.1268(MR1)), 9.00 prior to vCR9.00.240521a (distributed in 9.00.1990(MR3)), 8.90 prior to vCR8.90.240520a (distributed in 8.90.1947 (MR4)), 8.80 prior to vCR8.80.240520a (distributed in 8.80.1726 (MR5)), 8.70 prior to vCR8.70.240520a (distributed in 8.70.2824 (MR7)), all versions of 8.60 and prior.</p>\n\n<p></p>"}], "value": "External Control of File Name or Path (CWE-73) in the Controller 6000 and Controller 7000 allows an attacker with local access to the Controller to perform arbitrary code execution. \n\nThis issue affects:\u00a09.10 prior to vCR9.10.240520a (distributed in 9.10.1268(MR1)), 9.00 prior to vCR9.00.240521a (distributed in 9.00.1990(MR3)), 8.90 prior to vCR8.90.240520a (distributed in 8.90.1947 (MR4)), 8.80 prior to vCR8.80.240520a (distributed in 8.80.1726 (MR5)), 8.70 prior to vCR8.70.240520a (distributed in 8.70.2824 (MR7)), all versions of 8.60 and prior."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-73", "description": "CWE-73 External Control of File Name or Path", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "0c426f27-3ee1-4eff-be88-288d5a1822bc", "shortName": "Gallagher", "dateUpdated": "2024-07-11T02:39:28.129Z"}, "references": [{"url": "https://security.gallagher.com/Security-Advisories/CVE-2024-23317"}], "source": {"discovery": "INTERNAL"}, "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"affected": [{"vendor": "gallagher", "product": "controller_6000_firmware", "cpes": ["cpe:2.3:o:gallagher:controller_6000_firmware:-:*:*:*:*:*:*:*"], "defaultStatus": "affected", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "8.60", "versionType": "custom"}]}, {"vendor": "gallagher", "product": "controller_6000_firmware", "cpes": ["cpe:2.3:o:gallagher:controller_6000_firmware:8.70:*:*:*:*:*:*:*"], "defaultStatus": "affected", "versions": [{"version": "8.70", "status": "affected", "lessThan": "8.70.240520a", "versionType": "custom"}]}, {"vendor": "gallagher", "product": "controller_6000_firmware", "cpes": ["cpe:2.3:o:gallagher:controller_6000_firmware:8.80:*:*:*:*:*:*:*"], "defaultStatus": "affected", "versions": [{"version": "8.80", "status": "affected", "lessThan": "8.80.240520a", "versionType": "custom"}]}, {"vendor": "gallagher", "product": "controller_6000_firmware", "cpes": ["cpe:2.3:o:gallagher:controller_6000_firmware:8.90:*:*:*:*:*:*:*"], "defaultStatus": "affected", "versions": [{"version": "8.90", "status": "affected", "lessThan": "8.90.240520a", "versionType": "custom"}]}, {"vendor": "gallagher", "product": "controller_6000_firmware", "cpes": ["cpe:2.3:o:gallagher:controller_6000_firmware:9.00:*:*:*:*:*:*:*"], "defaultStatus": "affected", "versions": [{"version": "9.00", "status": "affected", "lessThan": "9.00.240521a", "versionType": "custom"}]}, {"vendor": "gallagher", "product": "controller_6000_firmware", "cpes": ["cpe:2.3:o:gallagher:controller_6000_firmware:9.10:*:*:*:*:*:*:*"], "defaultStatus": "affected", "versions": [{"version": "9.10", "status": "affected", "lessThan": "9.10.240520a", "versionType": "custom"}]}, {"vendor": "gallagher", "product": "controller_7000_firmware", "cpes": ["cpe:2.3:o:gallagher:controller_7000_firmware:*:*:*:*:*:*:*:*"], "defaultStatus": "affected", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "8.60", "versionType": "custom"}]}, {"vendor": "gallagher", "product": "controller_7000_firmware", "cpes": ["cpe:2.3:o:gallagher:controller_7000_firmware:8.70:*:*:*:*:*:*:*"], "defaultStatus": "affected", "versions": [{"version": "8.70", "status": "affected", "lessThan": "8.70.240520a", "versionType": "custom"}]}, {"vendor": "gallagher", "product": "controller_7000_firmware", "cpes": ["cpe:2.3:o:gallagher:controller_7000_firmware:8.80:*:*:*:*:*:*:*"], "defaultStatus": "affected", "versions": [{"version": "8.80", "status": "affected", "lessThan": "8.80.240520a", "versionType": "custom"}]}, {"vendor": "gallagher", "product": "controller_7000_firmware", "cpes": ["cpe:2.3:o:gallagher:controller_7000_firmware:8.90:*:*:*:*:*:*:*"], "defaultStatus": "affected", "versions": [{"version": "8.90", "status": "affected", "lessThan": "8.90.240520a", "versionType": "custom"}]}, {"vendor": "gallagher", "product": "controller_7000_firmware", "cpes": ["cpe:2.3:o:gallagher:controller_7000_firmware:9.00:*:*:*:*:*:*:*"], "defaultStatus": "affected", "versions": [{"version": "9.00", "status": "affected", "lessThan": "9.00.240521a", "versionType": "custom"}]}, {"vendor": "gallagher", "product": "controller_7000_firmware", "cpes": ["cpe:2.3:o:gallagher:controller_7000_firmware:9.10:*:*:*:*:*:*:*"], "defaultStatus": "affected", "versions": [{"version": "9.10", "status": "affected", "lessThan": "9.10.240520a", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-07-11T14:25:33.804644Z", "id": "CVE-2024-23317", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-12T15:48:05.316Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T22:59:32.128Z"}, "title": "CVE Program Container", "references": [{"url": "https://security.gallagher.com/Security-Advisories/CVE-2024-23317", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://security.gallagher.com/Security-Advisories/CVE-2024-23317", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T22:59:32.128Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-23317", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-07-11T14:25:33.804644Z"}}}], "affected": [{"cpes": ["cpe:2.3:o:gallagher:controller_6000_firmware:-:*:*:*:*:*:*:*"], "vendor": "gallagher", "product": "controller_6000_firmware", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "8.60"}], "defaultStatus": "affected"}, {"cpes": ["cpe:2.3:o:gallagher:controller_6000_firmware:8.70:*:*:*:*:*:*:*"], "vendor": "gallagher", "product": "controller_6000_firmware", "versions": [{"status": "affected", "version": "8.70", "lessThan": "8.70.240520a", "versionType": "custom"}], "defaultStatus": "affected"}, {"cpes": ["cpe:2.3:o:gallagher:controller_6000_firmware:8.80:*:*:*:*:*:*:*"], "vendor": "gallagher", "product": "controller_6000_firmware", "versions": [{"status": "affected", "version": "8.80", "lessThan": "8.80.240520a", "versionType": "custom"}], "defaultStatus": "affected"}, {"cpes": ["cpe:2.3:o:gallagher:controller_6000_firmware:8.90:*:*:*:*:*:*:*"], "vendor": "gallagher", "product": "controller_6000_firmware", "versions": [{"status": "affected", "version": "8.90", "lessThan": "8.90.240520a", "versionType": "custom"}], "defaultStatus": "affected"}, {"cpes": ["cpe:2.3:o:gallagher:controller_6000_firmware:9.00:*:*:*:*:*:*:*"], "vendor": "gallagher", "product": "controller_6000_firmware", "versions": [{"status": "affected", "version": "9.00", "lessThan": "9.00.240521a", "versionType": "custom"}], "defaultStatus": "affected"}, {"cpes": ["cpe:2.3:o:gallagher:controller_6000_firmware:9.10:*:*:*:*:*:*:*"], "vendor": "gallagher", "product": "controller_6000_firmware", "versions": [{"status": "affected", "version": "9.10", "lessThan": "9.10.240520a", "versionType": "custom"}], "defaultStatus": "affected"}, {"cpes": ["cpe:2.3:o:gallagher:controller_7000_firmware:*:*:*:*:*:*:*:*"], "vendor": "gallagher", "product": "controller_7000_firmware", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "8.60"}], "defaultStatus": "affected"}, {"cpes": ["cpe:2.3:o:gallagher:controller_7000_firmware:8.70:*:*:*:*:*:*:*"], "vendor": "gallagher", "product": "controller_7000_firmware", "versions": [{"status": "affected", "version": "8.70", "lessThan": "8.70.240520a", "versionType": "custom"}], "defaultStatus": "affected"}, {"cpes": ["cpe:2.3:o:gallagher:controller_7000_firmware:8.80:*:*:*:*:*:*:*"], "vendor": "gallagher", "product": "controller_7000_firmware", "versions": [{"status": "affected", "version": "8.80", "lessThan": "8.80.240520a", "versionType": "custom"}], "defaultStatus": "affected"}, {"cpes": ["cpe:2.3:o:gallagher:controller_7000_firmware:8.90:*:*:*:*:*:*:*"], "vendor": "gallagher", "product": "controller_7000_firmware", "versions": [{"status": "affected", "version": "8.90", "lessThan": "8.90.240520a", "versionType": "custom"}], "defaultStatus": "affected"}, {"cpes": ["cpe:2.3:o:gallagher:controller_7000_firmware:9.00:*:*:*:*:*:*:*"], "vendor": "gallagher", "product": "controller_7000_firmware", "versions": [{"status": "affected", "version": "9.00", "lessThan": "9.00.240521a", "versionType": "custom"}], "defaultStatus": "affected"}, {"cpes": ["cpe:2.3:o:gallagher:controller_7000_firmware:9.10:*:*:*:*:*:*:*"], "vendor": "gallagher", "product": "controller_7000_firmware", "versions": [{"status": "affected", "version": "9.10", "lessThan": "9.10.240520a", "versionType": "custom"}], "defaultStatus": "affected"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-11T15:13:33.413Z"}}], "cna": {"source": {"discovery": "INTERNAL"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.3, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Gallagher", "product": "Controller 6000 and Controller 7000", "versions": [{"status": "affected", "version": "0", "lessThan": "8.60", "versionType": "custom"}, {"status": "affected", "version": "9.10", "versionType": "custom", "lessThanOrEqual": "vCR9.10.240520a"}, {"status": "affected", "version": "9.00", "versionType": "custom", "lessThanOrEqual": "vCR9.00.240521a"}, {"status": "affected", "version": "8.90", "versionType": "custom", "lessThanOrEqual": "vCR8.90.240520a"}, {"status": "affected", "version": "8.80", "versionType": "custom", "lessThanOrEqual": "vCR8.80.240520a"}, {"status": "affected", "version": "8.70", "versionType": "custom", "lessThanOrEqual": "vCR8.70.240520a"}], "defaultStatus": "affected"}], "references": [{"url": "https://security.gallagher.com/Security-Advisories/CVE-2024-23317"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "External Control of File Name or Path (CWE-73) in the Controller 6000 and Controller 7000 allows an attacker with local access to the Controller to perform arbitrary code execution. \n\nThis issue affects:\u00a09.10 prior to vCR9.10.240520a (distributed in 9.10.1268(MR1)), 9.00 prior to vCR9.00.240521a (distributed in 9.00.1990(MR3)), 8.90 prior to vCR8.90.240520a (distributed in 8.90.1947 (MR4)), 8.80 prior to vCR8.80.240520a (distributed in 8.80.1726 (MR5)), 8.70 prior to vCR8.70.240520a (distributed in 8.70.2824 (MR7)), all versions of 8.60 and prior.", "supportingMedia": [{"type": "text/html", "value": "\n\n<p>External Control of File Name or Path (CWE-73) in the Controller 6000 and Controller 7000 allows an attacker with local access to the Controller to perform arbitrary code execution. </p><p><b>This issue affects:</b> 9.10 prior to vCR9.10.240520a (distributed in 9.10.1268(MR1)), 9.00 prior to vCR9.00.240521a (distributed in 9.00.1990(MR3)), 8.90 prior to vCR8.90.240520a (distributed in 8.90.1947 (MR4)), 8.80 prior to vCR8.80.240520a (distributed in 8.80.1726 (MR5)), 8.70 prior to vCR8.70.240520a (distributed in 8.70.2824 (MR7)), all versions of 8.60 and prior.</p>\n\n<p></p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-73", "description": "CWE-73 External Control of File Name or Path"}]}], "providerMetadata": {"orgId": "0c426f27-3ee1-4eff-be88-288d5a1822bc", "shortName": "Gallagher", "dateUpdated": "2024-07-11T02:39:28.129Z"}}}, "cveMetadata": {"cveId": "CVE-2024-23317", "state": "PUBLISHED", "dateUpdated": "2024-08-01T22:59:32.128Z", "dateReserved": "2024-02-05T04:16:47.971Z", "assignerOrgId": "0c426f27-3ee1-4eff-be88-288d5a1822bc", "datePublished": "2024-07-11T02:39:28.129Z", "assignerShortName": "Gallagher"}, "dataVersion": "5.1"}

{"descriptions": [{"lang": "en", "value": "External Control of File Name or Path (CWE-73) in the Controller 6000 and Controller 7000 allows an attacker with local access to the Controller to perform arbitrary code execution. \n\nThis issue affects:\u00a09.10 prior to vCR9.10.240520a (distributed in 9.10.1268(MR1)), 9.00 prior to vCR9.00.240521a (distributed in 9.00.1990(MR3)), 8.90 prior to vCR8.90.240520a (distributed in 8.90.1947 (MR4)), 8.80 prior to vCR8.80.240520a (distributed in 8.80.1726 (MR5)), 8.70 prior to vCR8.70.240520a (distributed in 8.70.2824 (MR7)), all versions of 8.60 and prior."}, {"lang": "es", "value": "El control externo del nombre o ruta del archivo (CWE-73) en el Controlador 6000 y el Controlador 7000 permite a un atacante con acceso local al Controlador realizar la ejecuci\u00f3n de c\u00f3digo arbitrario. Este problema afecta a: 9.10 anterior a vCR9.10.240520a (distribuido en 9.10.1268(MR1)), 9.00 anterior a vCR9.00.240521a (distribuido en 9.00.1990(MR3)), 8.90 anterior a vCR8.90.240520a (distribuido en 8.90.1947 (MR4)), 8.80 antes de vCR8.80.240520a (distribuido en 8.80.1726 (MR5)), 8.70 antes de vCR8.70.240520a (distribuido en 8.70.2824 (MR7)), todas las versiones de 8.60 y anteriores ."}], "id": "CVE-2024-23317", "lastModified": "2024-11-21T08:57:29.543", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 0.8, "impactScore": 5.5, "source": "disclosures@gallagher.com", "type": "Secondary"}]}, "published": "2024-07-11T03:15:03.130", "references": [{"source": "disclosures@gallagher.com", "url": "https://security.gallagher.com/Security-Advisories/CVE-2024-23317"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://security.gallagher.com/Security-Advisories/CVE-2024-23317"}], "sourceIdentifier": "disclosures@gallagher.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-73"}], "source": "disclosures@gallagher.com", "type": "Secondary"}]}