Search

Find a vulnerability

Search criteria

    2 vulnerabilities found for SICK Incoming Goods Suite by SICK AG

    CVE-2024-11075 (GCVE-0-2024-11075)

    Vulnerability from nvd – Published: 2024-11-19 13:13 – Updated: 2024-11-19 14:13
    VLAI
    Title
    SICK Incoming Goods Suite privilege escalation vulnerability
    Summary
    A vulnerability in the Incoming Goods Suite allows a user with unprivileged access to the underlying system (e.g. local or via SSH) a privilege escalation to the administrative level due to the usage of component vendor Docker images running with root permissions. Exploiting this misconfiguration leads to the fact that an attacker can gain administrative control. over the whole system.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-250 - Execution with Unnecessary Privileges
    Assigner
    References
    URL Tags
    https://sick.com/psirt x_SICK PSIRT Website
    https://cdn.sick.com/media/docs/1/11/411/Special_… x_SICK Operating Guidelines
    https://www.cisa.gov/resources-tools/resources/ic… x_ICS-CERT recommended practices on Industrial Security
    https://www.first.org/cvss/calculator/3.1 x_CVSS v3.1 Calculator
    https://www.sick.com/.well-known/csaf/white/2024/… vendor-advisory
    https://www.sick.com/.well-known/csaf/white/2024/… vendor-advisoryx_csaf
    Impacted products
    Vendor Product Version
    SICK AG SICK Incoming Goods Suite Affected: 1.0.0
    Create a notification for this product.
    sick_ag incoming_goods_suite Affected: 1.0.0
        cpe:2.3:a:sick_ag:incoming_goods_suite:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Date Public
    2024-11-18 23:32
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:sick_ag:incoming_goods_suite:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unaffected",
                "product": "incoming_goods_suite",
                "vendor": "sick_ag",
                "versions": [
                  {
                    "status": "affected",
                    "version": "1.0.0"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-11075",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-11-19T14:11:17.363737Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-11-19T14:13:07.706Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "SICK Incoming Goods Suite",
              "vendor": "SICK AG",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.0.0"
                }
              ]
            }
          ],
          "datePublic": "2024-11-18T23:32:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "A vulnerability in the Incoming Goods Suite allows a user with unprivileged access to the underlying system (e.g. local or via SSH) a privilege escalation to the administrative level due to the usage of component vendor Docker images running with root permissions. Exploiting this misconfiguration leads to the fact that an attacker can gain administrative control. over the whole system.\n\n\u003cp\u003e\u003c/p\u003e"
                }
              ],
              "value": "A vulnerability in the Incoming Goods Suite allows a user with unprivileged access to the underlying system (e.g. local or via SSH) a privilege escalation to the administrative level due to the usage of component vendor Docker images running with root permissions. Exploiting this misconfiguration leads to the fact that an attacker can gain administrative control. over the whole system."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-250",
                  "description": "CWE-250 Execution with Unnecessary Privileges",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-11-19T13:13:00.565Z",
            "orgId": "a6863dd2-93fc-443d-bef1-79f0b5020988",
            "shortName": "SICK AG"
          },
          "references": [
            {
              "tags": [
                "x_SICK PSIRT Website"
              ],
              "url": "https://sick.com/psirt"
            },
            {
              "tags": [
                "x_SICK Operating Guidelines"
              ],
              "url": "https://cdn.sick.com/media/docs/1/11/411/Special_information_CYBERSECURITY_BY_SICK_en_IM0084411.PDF"
            },
            {
              "tags": [
                "x_ICS-CERT recommended practices on Industrial Security"
              ],
              "url": "https://www.cisa.gov/resources-tools/resources/ics-recommended-practices"
            },
            {
              "tags": [
                "x_CVSS v3.1 Calculator"
              ],
              "url": "https://www.first.org/cvss/calculator/3.1"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.sick.com/.well-known/csaf/white/2024/sca-2024-0005.pdf"
            },
            {
              "tags": [
                "vendor-advisory",
                "x_csaf"
              ],
              "url": "https://www.sick.com/.well-known/csaf/white/2024/sca-2024-0005.json"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cdiv\u003eCustomers are strongly recommended to upgrade to the latest release 1.1.0. In addition, we recommend running the Docker daemon and container runtime in rootless mode. It is necessary to set the DOCKER_USER_ID and the DOCKER_GROUP_ID in the environment. Then the Docker socket can run as a non-root user when setting the path DOCKER_SOCKET_PATH=/run/user/${DOCKER_USER_ID}/docker.sock.\u003c/div\u003e\n\n\u003cbr\u003e"
                }
              ],
              "value": "Customers are strongly recommended to upgrade to the latest release 1.1.0. In addition, we recommend running the Docker daemon and container runtime in rootless mode. It is necessary to set the DOCKER_USER_ID and the DOCKER_GROUP_ID in the environment. Then the Docker socket can run as a non-root user when setting the path DOCKER_SOCKET_PATH=/run/user/${DOCKER_USER_ID}/docker.sock."
            }
          ],
          "source": {
            "advisory": "sca-2024-0005",
            "discovery": "INTERNAL"
          },
          "timeline": [
            {
              "lang": "en",
              "time": "2024-11-19T12:44:00.000Z",
              "value": "1: Inital version"
            }
          ],
          "title": "SICK Incoming Goods Suite privilege escalation vulnerability",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a6863dd2-93fc-443d-bef1-79f0b5020988",
        "assignerShortName": "SICK AG",
        "cveId": "CVE-2024-11075",
        "datePublished": "2024-11-19T13:13:00.565Z",
        "dateReserved": "2024-11-11T09:08:53.239Z",
        "dateUpdated": "2024-11-19T14:13:07.706Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-11075 (GCVE-0-2024-11075)

    Vulnerability from cvelistv5 – Published: 2024-11-19 13:13 – Updated: 2024-11-19 14:13
    VLAI
    Title
    SICK Incoming Goods Suite privilege escalation vulnerability
    Summary
    A vulnerability in the Incoming Goods Suite allows a user with unprivileged access to the underlying system (e.g. local or via SSH) a privilege escalation to the administrative level due to the usage of component vendor Docker images running with root permissions. Exploiting this misconfiguration leads to the fact that an attacker can gain administrative control. over the whole system.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-250 - Execution with Unnecessary Privileges
    Assigner
    References
    URL Tags
    https://sick.com/psirt x_SICK PSIRT Website
    https://cdn.sick.com/media/docs/1/11/411/Special_… x_SICK Operating Guidelines
    https://www.cisa.gov/resources-tools/resources/ic… x_ICS-CERT recommended practices on Industrial Security
    https://www.first.org/cvss/calculator/3.1 x_CVSS v3.1 Calculator
    https://www.sick.com/.well-known/csaf/white/2024/… vendor-advisory
    https://www.sick.com/.well-known/csaf/white/2024/… vendor-advisoryx_csaf
    Impacted products
    Vendor Product Version
    SICK AG SICK Incoming Goods Suite Affected: 1.0.0
    Create a notification for this product.
    sick_ag incoming_goods_suite Affected: 1.0.0
        cpe:2.3:a:sick_ag:incoming_goods_suite:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Date Public
    2024-11-18 23:32
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:sick_ag:incoming_goods_suite:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unaffected",
                "product": "incoming_goods_suite",
                "vendor": "sick_ag",
                "versions": [
                  {
                    "status": "affected",
                    "version": "1.0.0"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-11075",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-11-19T14:11:17.363737Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-11-19T14:13:07.706Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "SICK Incoming Goods Suite",
              "vendor": "SICK AG",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.0.0"
                }
              ]
            }
          ],
          "datePublic": "2024-11-18T23:32:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "A vulnerability in the Incoming Goods Suite allows a user with unprivileged access to the underlying system (e.g. local or via SSH) a privilege escalation to the administrative level due to the usage of component vendor Docker images running with root permissions. Exploiting this misconfiguration leads to the fact that an attacker can gain administrative control. over the whole system.\n\n\u003cp\u003e\u003c/p\u003e"
                }
              ],
              "value": "A vulnerability in the Incoming Goods Suite allows a user with unprivileged access to the underlying system (e.g. local or via SSH) a privilege escalation to the administrative level due to the usage of component vendor Docker images running with root permissions. Exploiting this misconfiguration leads to the fact that an attacker can gain administrative control. over the whole system."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-250",
                  "description": "CWE-250 Execution with Unnecessary Privileges",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-11-19T13:13:00.565Z",
            "orgId": "a6863dd2-93fc-443d-bef1-79f0b5020988",
            "shortName": "SICK AG"
          },
          "references": [
            {
              "tags": [
                "x_SICK PSIRT Website"
              ],
              "url": "https://sick.com/psirt"
            },
            {
              "tags": [
                "x_SICK Operating Guidelines"
              ],
              "url": "https://cdn.sick.com/media/docs/1/11/411/Special_information_CYBERSECURITY_BY_SICK_en_IM0084411.PDF"
            },
            {
              "tags": [
                "x_ICS-CERT recommended practices on Industrial Security"
              ],
              "url": "https://www.cisa.gov/resources-tools/resources/ics-recommended-practices"
            },
            {
              "tags": [
                "x_CVSS v3.1 Calculator"
              ],
              "url": "https://www.first.org/cvss/calculator/3.1"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.sick.com/.well-known/csaf/white/2024/sca-2024-0005.pdf"
            },
            {
              "tags": [
                "vendor-advisory",
                "x_csaf"
              ],
              "url": "https://www.sick.com/.well-known/csaf/white/2024/sca-2024-0005.json"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cdiv\u003eCustomers are strongly recommended to upgrade to the latest release 1.1.0. In addition, we recommend running the Docker daemon and container runtime in rootless mode. It is necessary to set the DOCKER_USER_ID and the DOCKER_GROUP_ID in the environment. Then the Docker socket can run as a non-root user when setting the path DOCKER_SOCKET_PATH=/run/user/${DOCKER_USER_ID}/docker.sock.\u003c/div\u003e\n\n\u003cbr\u003e"
                }
              ],
              "value": "Customers are strongly recommended to upgrade to the latest release 1.1.0. In addition, we recommend running the Docker daemon and container runtime in rootless mode. It is necessary to set the DOCKER_USER_ID and the DOCKER_GROUP_ID in the environment. Then the Docker socket can run as a non-root user when setting the path DOCKER_SOCKET_PATH=/run/user/${DOCKER_USER_ID}/docker.sock."
            }
          ],
          "source": {
            "advisory": "sca-2024-0005",
            "discovery": "INTERNAL"
          },
          "timeline": [
            {
              "lang": "en",
              "time": "2024-11-19T12:44:00.000Z",
              "value": "1: Inital version"
            }
          ],
          "title": "SICK Incoming Goods Suite privilege escalation vulnerability",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a6863dd2-93fc-443d-bef1-79f0b5020988",
        "assignerShortName": "SICK AG",
        "cveId": "CVE-2024-11075",
        "datePublished": "2024-11-19T13:13:00.565Z",
        "dateReserved": "2024-11-11T09:08:53.239Z",
        "dateUpdated": "2024-11-19T14:13:07.706Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }