cvelist/2023/24xxx/CVE-2023-24584.json

{
    "data_version": "4.0",
    "data_type": "CVE",
    "data_format": "MITRE",
    "CVE_data_meta": {
        "ID": "CVE-2023-24584",
        "ASSIGNER": "disclosures@gallagher.com",
        "STATE": "PUBLIC"
    },
    "description": {
        "description_data": [
            {
                "lang": "eng",
                "value": "\nController 6000 is vulnerable to a buffer overflow via the Controller diagnostic web interface upload feature. \n\n\n\n\nThis issue affects Controller 6000: before vCR8.80.230201a, before vCR8.70.230201a, before vCR8.60.230201b, before vCR8.50.230201a,\u00a0all versions of vCR8.40 and prior.\n\n"
            }
        ]
    },
    "problemtype": {
        "problemtype_data": [
            {
                "description": [
                    {
                        "lang": "eng",
                        "value": "CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')",
                        "cweId": "CWE-120"
                    }
                ]
            }
        ]
    },
    "affects": {
        "vendor": {
            "vendor_data": [
                {
                    "vendor_name": "Gallagher",
                    "product": {
                        "product_data": [
                            {
                                "product_name": "Controller 6000",
                                "version": {
                                    "version_data": [
                                        {
                                            "version_affected": "<",
                                            "version_name": "0",
                                            "version_value": "vCR8.80.230201a"
                                        }
                                    ]
                                }
                            }
                        ]
                    }
                }
            ]
        }
    },
    "references": {
        "reference_data": [
            {
                "url": "https://security.gallagher.com/en-NZ/Security-Advisories/CVE-2023-24584",
                "refsource": "MISC",
                "name": "https://security.gallagher.com/en-NZ/Security-Advisories/CVE-2023-24584"
            }
        ]
    },
    "generator": {
        "engine": "Vulnogram 0.1.0-dev"
    },
    "source": {
        "discovery": "UNKNOWN"
    },
    "work_around": [
        {
            "lang": "en",
            "value": "\nEnsure dipswitch 1 is turned off on all Controllers and the option, \"Dipswitch 1 controls the diagnostic web interface\", is not checked in Configuration Client on Controller property pages. Do not use the Controller override, \"Enable WWW Connections\". Refer to the Gallagher Command Centre Hardening Guide for more details.\n\n\n",
            "supportingMedia": [
                {
                    "type": "text/html",
                    "base64": false,
                    "value": "\n\n<span style=\"background-color: rgb(255, 255, 255);\">Ensure dipswitch 1 is turned off on all Controllers and the option, \"Dipswitch 1 controls the diagnostic web interface\", is not checked in Configuration Client on Controller property pages. Do not use the Controller override, \"Enable WWW Connections\". Refer to the Gallagher Command Centre Hardening Guide for more details.</span>\n\n<br>"
                }
            ]
        }
    ],
    "impact": {
        "cvss": [
            {
                "version": "3.1",
                "attackVector": "NETWORK",
                "attackComplexity": "HIGH",
                "privilegesRequired": "NONE",
                "userInteraction": "REQUIRED",
                "scope": "UNCHANGED",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "availabilityImpact": "HIGH",
                "baseSeverity": "HIGH",
                "baseScore": 7.5,
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"
            }
        ]
    }
}
"-Synchronized-Data." 2023-02-03 21:00:38 +00:00			`{`
"-Synchronized-Data." 2023-06-01 05:00:37 +00:00			`"data_version": "4.0",`
"-Synchronized-Data." 2023-02-03 21:00:38 +00:00			`"data_type": "CVE",`
			`"data_format": "MITRE",`
			`"CVE_data_meta": {`
			`"ID": "CVE-2023-24584",`
"-Synchronized-Data." 2023-06-01 05:00:37 +00:00			`"ASSIGNER": "disclosures@gallagher.com",`
			`"STATE": "PUBLIC"`
"-Synchronized-Data." 2023-02-03 21:00:38 +00:00			`},`
			`"description": {`
			`"description_data": [`
			`{`
			`"lang": "eng",`
"-Synchronized-Data." 2023-06-01 05:00:37 +00:00			`"value": "\nController 6000 is vulnerable to a buffer overflow via the Controller diagnostic web interface upload feature. \n\n\n\n\nThis issue affects Controller 6000: before vCR8.80.230201a, before vCR8.70.230201a, before vCR8.60.230201b, before vCR8.50.230201a,\u00a0all versions of vCR8.40 and prior.\n\n"`
			`}`
			`]`
			`},`
			`"problemtype": {`
			`"problemtype_data": [`
			`{`
			`"description": [`
			`{`
			`"lang": "eng",`
			`"value": "CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')",`
			`"cweId": "CWE-120"`
			`}`
			`]`
			`}`
			`]`
			`},`
			`"affects": {`
			`"vendor": {`
			`"vendor_data": [`
			`{`
			`"vendor_name": "Gallagher",`
			`"product": {`
			`"product_data": [`
			`{`
			`"product_name": "Controller 6000",`
			`"version": {`
			`"version_data": [`
			`{`
			`"version_affected": "<",`
			`"version_name": "0",`
			`"version_value": "vCR8.80.230201a"`
			`}`
			`]`
			`}`
			`}`
			`]`
			`}`
			`}`
			`]`
			`}`
			`},`
			`"references": {`
			`"reference_data": [`
			`{`
			`"url": "https://security.gallagher.com/en-NZ/Security-Advisories/CVE-2023-24584",`
			`"refsource": "MISC",`
			`"name": "https://security.gallagher.com/en-NZ/Security-Advisories/CVE-2023-24584"`
			`}`
			`]`
			`},`
			`"generator": {`
			`"engine": "Vulnogram 0.1.0-dev"`
			`},`
			`"source": {`
			`"discovery": "UNKNOWN"`
			`},`
			`"work_around": [`
			`{`
			`"lang": "en",`
			`"value": "\nEnsure dipswitch 1 is turned off on all Controllers and the option, \"Dipswitch 1 controls the diagnostic web interface\", is not checked in Configuration Client on Controller property pages. Do not use the Controller override, \"Enable WWW Connections\". Refer to the Gallagher Command Centre Hardening Guide for more details.\n\n\n",`
			`"supportingMedia": [`
			`{`
			`"type": "text/html",`
			`"base64": false,`
			`"value": "\n\n<span style=\"background-color: rgb(255, 255, 255);\">Ensure dipswitch 1 is turned off on all Controllers and the option, \"Dipswitch 1 controls the diagnostic web interface\", is not checked in Configuration Client on Controller property pages. Do not use the Controller override, \"Enable WWW Connections\". Refer to the Gallagher Command Centre Hardening Guide for more details.</span>\n\n<br>"`
			`}`
			`]`
			`}`
			`],`
			`"impact": {`
			`"cvss": [`
			`{`
			`"version": "3.1",`
			`"attackVector": "NETWORK",`
			`"attackComplexity": "HIGH",`
			`"privilegesRequired": "NONE",`
			`"userInteraction": "REQUIRED",`
			`"scope": "UNCHANGED",`
			`"confidentialityImpact": "HIGH",`
			`"integrityImpact": "HIGH",`
			`"availabilityImpact": "HIGH",`
			`"baseSeverity": "HIGH",`
			`"baseScore": 7.5,`
			`"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"`
"-Synchronized-Data." 2023-02-03 21:00:38 +00:00			`}`
			`]`
			`}`
			`}`