Multiple vulnerabilities in AVEVA Reports for Operations

Published: 2024-08-22

Risk	Medium
Patch available	YES
Number of vulnerabilities	2
CVE-ID	CVE-2024-6618 CVE-2024-6619
CWE-ID	CWE-22 CWE-732
Exploitation vector	Network
Public exploit	N/A
Vulnerable software	AVEVA Reports for Operations Other software / Other software solutions
Vendor	AVEVA Software, LLC.

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Path traversal

EUVDB-ID: #VU96457

Risk: Medium

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-6618

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to input validation error when processing directory traversal sequences. A remote user can inject malicious DLL file and execute arbitrary code on the target system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

AVEVA Reports for Operations: 2023

CPE2.3

External links

http://www.cisa.gov/news-events/ics-advisories/icsa-24-226-08

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Incorrect permission assignment for critical resource

EUVDB-ID: #VU96458

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-6619

CWE-ID: CWE-732 - Incorrect Permission Assignment for Critical Resource