mirror of
https://github.com/CVEProject/cvelist.git
synced 2025-07-30 18:04:30 +00:00
133 lines
4.8 KiB
JSON
133 lines
4.8 KiB
JSON
{
|
|
"data_version": "4.0",
|
|
"data_type": "CVE",
|
|
"data_format": "MITRE",
|
|
"CVE_data_meta": {
|
|
"ID": "CVE-2024-9054",
|
|
"ASSIGNER": "psirt@microchip.com",
|
|
"STATE": "PUBLIC"
|
|
},
|
|
"description": {
|
|
"description_data": [
|
|
{
|
|
"lang": "eng",
|
|
"value": "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'), Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Microchip TimeProvider 4100 (Configuration modules) allows Command Injection.This issue affects TimeProvider 4100: from 1.0 before 2.4.7."
|
|
}
|
|
]
|
|
},
|
|
"problemtype": {
|
|
"problemtype_data": [
|
|
{
|
|
"description": [
|
|
{
|
|
"lang": "eng",
|
|
"value": "CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')",
|
|
"cweId": "CWE-78"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"description": [
|
|
{
|
|
"lang": "eng",
|
|
"value": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
|
|
"cweId": "CWE-200"
|
|
}
|
|
]
|
|
}
|
|
]
|
|
},
|
|
"affects": {
|
|
"vendor": {
|
|
"vendor_data": [
|
|
{
|
|
"vendor_name": "Microchip",
|
|
"product": {
|
|
"product_data": [
|
|
{
|
|
"product_name": "TimeProvider 4100",
|
|
"version": {
|
|
"version_data": [
|
|
{
|
|
"version_affected": "<",
|
|
"version_name": "1.0",
|
|
"version_value": "2.4.7"
|
|
}
|
|
]
|
|
}
|
|
}
|
|
]
|
|
}
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"references": {
|
|
"reference_data": [
|
|
{
|
|
"url": "https://www.microchip.com/en-us/solutions/technologies/embedded-security/how-to-report-potential-product-security-vulnerabilities/timeprovider-4100-grandmaster-rce-through-configuration-file",
|
|
"refsource": "MISC",
|
|
"name": "https://www.microchip.com/en-us/solutions/technologies/embedded-security/how-to-report-potential-product-security-vulnerabilities/timeprovider-4100-grandmaster-rce-through-configuration-file"
|
|
},
|
|
{
|
|
"url": "https://www.gruppotim.it/it/footer/red-team.html",
|
|
"refsource": "MISC",
|
|
"name": "https://www.gruppotim.it/it/footer/red-team.html"
|
|
}
|
|
]
|
|
},
|
|
"generator": {
|
|
"engine": "Vulnogram 0.2.0"
|
|
},
|
|
"source": {
|
|
"advisory": "PSIRT-82",
|
|
"discovery": "EXTERNAL"
|
|
},
|
|
"work_around": [
|
|
{
|
|
"lang": "en",
|
|
"supportingMedia": [
|
|
{
|
|
"base64": false,
|
|
"type": "text/html",
|
|
"value": "<div><div>It is important to note that the web interface is only available on a physically separate management port, and these vulnerabilities have no impact on the timing service ports. For added security, users have the option to disable the web interface, further protecting the device from potential web-based exploits.</div></div>\n\n<br>"
|
|
}
|
|
],
|
|
"value": "It is important to note that the web interface is only available on a physically separate management port, and these vulnerabilities have no impact on the timing service ports. For added security, users have the option to disable the web interface, further protecting the device from potential web-based exploits."
|
|
}
|
|
],
|
|
"credits": [
|
|
{
|
|
"lang": "en",
|
|
"value": "Armando Huesca Prida"
|
|
},
|
|
{
|
|
"lang": "en",
|
|
"value": "Marco Negro"
|
|
},
|
|
{
|
|
"lang": "en",
|
|
"value": "Antonio Carriero"
|
|
},
|
|
{
|
|
"lang": "en",
|
|
"value": "Vito Pistillo"
|
|
},
|
|
{
|
|
"lang": "en",
|
|
"value": "Davide Renna"
|
|
},
|
|
{
|
|
"lang": "en",
|
|
"value": "Manuel Leone"
|
|
},
|
|
{
|
|
"lang": "en",
|
|
"value": "Massimiliano Brolli"
|
|
},
|
|
{
|
|
"lang": "en",
|
|
"value": "TIM Security Red Team Research"
|
|
}
|
|
]
|
|
} |