CVE-2024-31486

A vulnerability has been identified in OPUPI0 AMQP/MQTT (All versions < V5.30). The affected devices stores MQTT client passwords without sufficient protection on the devices. An attacker with remote shell access or physical access could retrieve the credentials leading to confidentiality loss.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.6 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
http://seclists.org/fulldisclosure/2024/Jul/4
https://cert-portal.siemens.com/productcert/html/ssa-871704.html
http://seclists.org/fulldisclosure/2024/Jul/4
https://cert-portal.siemens.com/productcert/html/ssa-871704.html

Configurations

No configuration.

History

21 Nov 2024, 09:13

Type	Values Removed	Values Added
References	~~() http://seclists.org/fulldisclosure/2024/Jul/4 -~~	() http://seclists.org/fulldisclosure/2024/Jul/4 -
References	~~() https://cert-portal.siemens.com/productcert/html/ssa-871704.html -~~	() https://cert-portal.siemens.com/productcert/html/ssa-871704.html -

04 Jul 2024, 07:15

Type	Values Removed	Values Added
References		() http://seclists.org/fulldisclosure/2024/Jul/4 -

14 May 2024, 19:18

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-05-14 16:16

Updated : 2024-11-21 09:13

NVD link : CVE-2024-31486

Mitre link : CVE-2024-31486

CVE.ORG link : CVE-2024-31486

JSON object : View

Products Affected

No product.

CWE

CWE-312

Cleartext Storage of Sensitive Information

{"id": "CVE-2024-31486", "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "productcert@siemens.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 1.6}], "cvssMetricV40": [{"type": "Secondary", "source": "productcert@siemens.com", "cvssData": {"safety": "NOT_DEFINED", "version": "4.0", "recovery": "NOT_DEFINED", "baseScore": 6.0, "automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "modifiedAttackVector": "NOT_DEFINED", "integrityRequirements": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "availabilityRequirements": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subsequentSystemIntegrity": "NONE", "vulnerableSystemIntegrity": "NONE", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "confidentialityRequirements": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "subsequentSystemAvailability": "NONE", "vulnerableSystemAvailability": "NONE", "subsequentSystemConfidentiality": "NONE", "vulnerableSystemConfidentiality": "HIGH", "modifiedSubsequentSystemIntegrity": "NOT_DEFINED", "modifiedVulnerableSystemIntegrity": "NOT_DEFINED", "modifiedSubsequentSystemAvailability": "NOT_DEFINED", "modifiedVulnerableSystemAvailability": "NOT_DEFINED", "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED", "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED"}}]}, "published": "2024-05-14T16:16:51.723", "references": [{"url": "http://seclists.org/fulldisclosure/2024/Jul/4", "source": "productcert@siemens.com"}, {"url": "https://cert-portal.siemens.com/productcert/html/ssa-871704.html", "source": "productcert@siemens.com"}, {"url": "http://seclists.org/fulldisclosure/2024/Jul/4", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://cert-portal.siemens.com/productcert/html/ssa-871704.html", "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "productcert@siemens.com", "description": [{"lang": "en", "value": "CWE-312"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability has been identified in OPUPI0 AMQP/MQTT (All versions < V5.30). The affected devices stores MQTT client passwords without sufficient protection on the devices. An attacker with remote shell access or physical access could retrieve the credentials leading to confidentiality loss."}, {"lang": "es", "value": "Se ha identificado una vulnerabilidad en OPUPI0 AMQP/MQTT (Todas las versiones < V5.30). Los dispositivos afectados almacenan contrase\u00f1as de clientes MQTT sin suficiente protecci\u00f3n en los dispositivos. Un atacante con acceso remoto al shell o acceso f\u00edsico podr\u00eda recuperar las credenciales, lo que provocar\u00eda una p\u00e9rdida de confidencialidad."}], "lastModified": "2024-11-21T09:13:37.750", "sourceIdentifier": "productcert@siemens.com"}