Search
Find a vulnerability
Search criteria
8 vulnerabilities found for intermesh_7707_fire_subscriber_firmware by siemens
CVE-2024-47904 (GCVE-0-2024-47904)
Vulnerability from nvd – Published: 2024-10-23 14:21 – Updated: 2024-10-23 18:00
VLAI
Summary
A vulnerability has been identified in InterMesh 7177 Hybrid 2.0 Subscriber (All versions < V8.2.12), InterMesh 7707 Fire Subscriber (All versions < V7.2.12 only if the IP interface is enabled (which is not the default configuration)). The affected devices contain a SUID binary that could allow an authenticated local attacker to execute arbitrary commands with root privileges.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-266 - Incorrect Privilege Assignment
Assigner
References
1 reference
Impacted products
4 products
| Vendor | Product | Version | |
|---|---|---|---|
| Siemens | InterMesh 7177 Hybrid 2.0 Subscriber |
Affected:
0 , < V8.2.12
(custom)
|
|
| Siemens | InterMesh 7707 Fire Subscriber |
Affected:
0 , < V7.2.12
(custom)
|
|
| siemens | intermesh_7177_hybrid2.0_subscriber |
Affected:
0 , < 8.2.12
(custom)
cpe:2.3:a:siemens:intermesh_7177_hybrid2.0_subscriber:*:*:*:*:*:*:*:* |
|
| siemens | intermesh_7707_fire_subscriber |
Affected:
0 , < 7.2.12
(custom)
cpe:2.3:a:siemens:intermesh_7707_fire_subscriber:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:siemens:intermesh_7177_hybrid2.0_subscriber:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "intermesh_7177_hybrid2.0_subscriber",
"vendor": "siemens",
"versions": [
{
"lessThan": "8.2.12",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:siemens:intermesh_7707_fire_subscriber:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "intermesh_7707_fire_subscriber",
"vendor": "siemens",
"versions": [
{
"lessThan": "7.2.12",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-47904",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-23T17:56:30.002922Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-23T18:00:15.305Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "InterMesh 7177 Hybrid 2.0 Subscriber",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V8.2.12",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "InterMesh 7707 Fire Subscriber",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V7.2.12",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been identified in InterMesh 7177 Hybrid 2.0 Subscriber (All versions \u003c V8.2.12), InterMesh 7707 Fire Subscriber (All versions \u003c V7.2.12 only if the IP interface is enabled (which is not the default configuration)). The affected devices contain a SUID binary that could allow an authenticated local attacker to execute arbitrary commands with root privileges."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"cvssV4_0": {
"baseScore": 8.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "CWE-266: Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-23T14:21:23.086Z",
"orgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77",
"shortName": "siemens"
},
"references": [
{
"url": "https://cert-portal.siemens.com/productcert/html/ssa-333468.html"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77",
"assignerShortName": "siemens",
"cveId": "CVE-2024-47904",
"datePublished": "2024-10-23T14:21:23.086Z",
"dateReserved": "2024-10-04T16:15:00.392Z",
"dateUpdated": "2024-10-23T18:00:15.305Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-47903 (GCVE-0-2024-47903)
Vulnerability from nvd – Published: 2024-10-23 14:21 – Updated: 2024-10-23 18:02
VLAI
Summary
A vulnerability has been identified in InterMesh 7177 Hybrid 2.0 Subscriber (All versions < V8.2.12), InterMesh 7707 Fire Subscriber (All versions < V7.2.12 only if the IP interface is enabled (which is not the default configuration)). The web server of affected devices allows to write arbitrary files to the web server's DocumentRoot directory.
Severity
5.8 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-250 - Execution with Unnecessary Privileges
Assigner
References
1 reference
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Siemens | InterMesh 7177 Hybrid 2.0 Subscriber |
Affected:
0 , < V8.2.12
(custom)
|
|
| Siemens | InterMesh 7707 Fire Subscriber |
Affected:
0 , < V7.2.12
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-47903",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-23T18:01:58.898600Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-23T18:02:13.310Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "InterMesh 7177 Hybrid 2.0 Subscriber",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V8.2.12",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "InterMesh 7707 Fire Subscriber",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V7.2.12",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been identified in InterMesh 7177 Hybrid 2.0 Subscriber (All versions \u003c V8.2.12), InterMesh 7707 Fire Subscriber (All versions \u003c V7.2.12 only if the IP interface is enabled (which is not the default configuration)). The web server of affected devices allows to write arbitrary files to the web server\u0027s DocumentRoot directory."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N",
"version": "3.1"
}
},
{
"cvssV4_0": {
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N",
"version": "4.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-250",
"description": "CWE-250: Execution with Unnecessary Privileges",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-23T14:21:21.774Z",
"orgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77",
"shortName": "siemens"
},
"references": [
{
"url": "https://cert-portal.siemens.com/productcert/html/ssa-333468.html"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77",
"assignerShortName": "siemens",
"cveId": "CVE-2024-47903",
"datePublished": "2024-10-23T14:21:21.774Z",
"dateReserved": "2024-10-04T16:15:00.392Z",
"dateUpdated": "2024-10-23T18:02:13.310Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-47902 (GCVE-0-2024-47902)
Vulnerability from nvd – Published: 2024-10-23 14:21 – Updated: 2024-10-23 18:16
VLAI
Summary
A vulnerability has been identified in InterMesh 7177 Hybrid 2.0 Subscriber (All versions < V8.2.12), InterMesh 7707 Fire Subscriber (All versions < V7.2.12 only if the IP interface is enabled (which is not the default configuration)). The web server of affected devices does not authenticate GET requests that execute specific commands (such as `ping`) on operating system level.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-306 - Missing Authentication for Critical Function
Assigner
References
1 reference
Impacted products
4 products
| Vendor | Product | Version | |
|---|---|---|---|
| Siemens | InterMesh 7177 Hybrid 2.0 Subscriber |
Affected:
0 , < V8.2.12
(custom)
|
|
| Siemens | InterMesh 7707 Fire Subscriber |
Affected:
0 , < V7.2.12
(custom)
|
|
| siemens | intermesh_7177_hybrid2.0_subscriber |
Affected:
0 , < 8.2.12
(custom)
cpe:2.3:a:siemens:intermesh_7177_hybrid2.0_subscriber:*:*:*:*:*:*:*:* |
|
| siemens | intermesh_7707_fire_subscriber |
Affected:
0 , < 7.2.12
(custom)
cpe:2.3:a:siemens:intermesh_7707_fire_subscriber:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:siemens:intermesh_7177_hybrid2.0_subscriber:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "intermesh_7177_hybrid2.0_subscriber",
"vendor": "siemens",
"versions": [
{
"lessThan": "8.2.12",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:siemens:intermesh_7707_fire_subscriber:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "intermesh_7707_fire_subscriber",
"vendor": "siemens",
"versions": [
{
"lessThan": "7.2.12",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-47902",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-23T18:15:15.404634Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-23T18:16:39.383Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "InterMesh 7177 Hybrid 2.0 Subscriber",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V8.2.12",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "InterMesh 7707 Fire Subscriber",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V7.2.12",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been identified in InterMesh 7177 Hybrid 2.0 Subscriber (All versions \u003c V8.2.12), InterMesh 7707 Fire Subscriber (All versions \u003c V7.2.12 only if the IP interface is enabled (which is not the default configuration)). The web server of affected devices does not authenticate GET requests that execute specific commands (such as `ping`) on operating system level."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"cvssV4_0": {
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N",
"version": "4.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306: Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-23T14:21:20.501Z",
"orgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77",
"shortName": "siemens"
},
"references": [
{
"url": "https://cert-portal.siemens.com/productcert/html/ssa-333468.html"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77",
"assignerShortName": "siemens",
"cveId": "CVE-2024-47902",
"datePublished": "2024-10-23T14:21:20.501Z",
"dateReserved": "2024-10-04T16:15:00.392Z",
"dateUpdated": "2024-10-23T18:16:39.383Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-47901 (GCVE-0-2024-47901)
Vulnerability from nvd – Published: 2024-10-23 14:21 – Updated: 2024-10-23 18:18
VLAI
Summary
A vulnerability has been identified in InterMesh 7177 Hybrid 2.0 Subscriber (All versions < V8.2.12), InterMesh 7707 Fire Subscriber (All versions < V7.2.12 only if the IP interface is enabled (which is not the default configuration)). The web server of affected devices does not sanitize the input parameters in specific GET requests that allow for code execution on operating system level. In combination with other vulnerabilities (CVE-2024-47902, CVE-2024-47903, CVE-2024-47904) this could allow an unauthenticated remote attacker to execute arbitrary code with root privileges.
Severity
10 (Critical)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
1 reference
Impacted products
4 products
| Vendor | Product | Version | |
|---|---|---|---|
| Siemens | InterMesh 7177 Hybrid 2.0 Subscriber |
Affected:
0 , < V8.2.12
(custom)
|
|
| Siemens | InterMesh 7707 Fire Subscriber |
Affected:
0 , < V7.2.12
(custom)
|
|
| siemens | intermesh_7177_hybrid2.0_subscriber |
Affected:
0 , < 8.2.12
(custom)
cpe:2.3:a:siemens:intermesh_7177_hybrid2.0_subscriber:*:*:*:*:*:*:*:* |
|
| siemens | intermesh_7707_fire_subscriber |
Affected:
0 , < 7.2.12
(custom)
cpe:2.3:a:siemens:intermesh_7707_fire_subscriber:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:siemens:intermesh_7177_hybrid2.0_subscriber:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "intermesh_7177_hybrid2.0_subscriber",
"vendor": "siemens",
"versions": [
{
"lessThan": "8.2.12",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:siemens:intermesh_7707_fire_subscriber:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "intermesh_7707_fire_subscriber",
"vendor": "siemens",
"versions": [
{
"lessThan": "7.2.12",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-47901",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-23T18:17:45.967957Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-23T18:18:54.551Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "InterMesh 7177 Hybrid 2.0 Subscriber",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V8.2.12",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "InterMesh 7707 Fire Subscriber",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V7.2.12",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been identified in InterMesh 7177 Hybrid 2.0 Subscriber (All versions \u003c V8.2.12), InterMesh 7707 Fire Subscriber (All versions \u003c V7.2.12 only if the IP interface is enabled (which is not the default configuration)). The web server of affected devices does not sanitize the input parameters in specific GET requests that allow for code execution on operating system level. In combination with other vulnerabilities (CVE-2024-47902, CVE-2024-47903, CVE-2024-47904) this could allow an unauthenticated remote attacker to execute arbitrary code with root privileges."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 10,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"cvssV4_0": {
"baseScore": 10,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-23T14:21:19.200Z",
"orgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77",
"shortName": "siemens"
},
"references": [
{
"url": "https://cert-portal.siemens.com/productcert/html/ssa-333468.html"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77",
"assignerShortName": "siemens",
"cveId": "CVE-2024-47901",
"datePublished": "2024-10-23T14:21:19.200Z",
"dateReserved": "2024-10-04T16:15:00.391Z",
"dateUpdated": "2024-10-23T18:18:54.551Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-47904 (GCVE-0-2024-47904)
Vulnerability from cvelistv5 – Published: 2024-10-23 14:21 – Updated: 2024-10-23 18:00
VLAI
Summary
A vulnerability has been identified in InterMesh 7177 Hybrid 2.0 Subscriber (All versions < V8.2.12), InterMesh 7707 Fire Subscriber (All versions < V7.2.12 only if the IP interface is enabled (which is not the default configuration)). The affected devices contain a SUID binary that could allow an authenticated local attacker to execute arbitrary commands with root privileges.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-266 - Incorrect Privilege Assignment
Assigner
References
1 reference
Impacted products
4 products
| Vendor | Product | Version | |
|---|---|---|---|
| Siemens | InterMesh 7177 Hybrid 2.0 Subscriber |
Affected:
0 , < V8.2.12
(custom)
|
|
| Siemens | InterMesh 7707 Fire Subscriber |
Affected:
0 , < V7.2.12
(custom)
|
|
| siemens | intermesh_7177_hybrid2.0_subscriber |
Affected:
0 , < 8.2.12
(custom)
cpe:2.3:a:siemens:intermesh_7177_hybrid2.0_subscriber:*:*:*:*:*:*:*:* |
|
| siemens | intermesh_7707_fire_subscriber |
Affected:
0 , < 7.2.12
(custom)
cpe:2.3:a:siemens:intermesh_7707_fire_subscriber:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:siemens:intermesh_7177_hybrid2.0_subscriber:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "intermesh_7177_hybrid2.0_subscriber",
"vendor": "siemens",
"versions": [
{
"lessThan": "8.2.12",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:siemens:intermesh_7707_fire_subscriber:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "intermesh_7707_fire_subscriber",
"vendor": "siemens",
"versions": [
{
"lessThan": "7.2.12",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-47904",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-23T17:56:30.002922Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-23T18:00:15.305Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "InterMesh 7177 Hybrid 2.0 Subscriber",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V8.2.12",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "InterMesh 7707 Fire Subscriber",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V7.2.12",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been identified in InterMesh 7177 Hybrid 2.0 Subscriber (All versions \u003c V8.2.12), InterMesh 7707 Fire Subscriber (All versions \u003c V7.2.12 only if the IP interface is enabled (which is not the default configuration)). The affected devices contain a SUID binary that could allow an authenticated local attacker to execute arbitrary commands with root privileges."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"cvssV4_0": {
"baseScore": 8.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "CWE-266: Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-23T14:21:23.086Z",
"orgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77",
"shortName": "siemens"
},
"references": [
{
"url": "https://cert-portal.siemens.com/productcert/html/ssa-333468.html"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77",
"assignerShortName": "siemens",
"cveId": "CVE-2024-47904",
"datePublished": "2024-10-23T14:21:23.086Z",
"dateReserved": "2024-10-04T16:15:00.392Z",
"dateUpdated": "2024-10-23T18:00:15.305Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-47903 (GCVE-0-2024-47903)
Vulnerability from cvelistv5 – Published: 2024-10-23 14:21 – Updated: 2024-10-23 18:02
VLAI
Summary
A vulnerability has been identified in InterMesh 7177 Hybrid 2.0 Subscriber (All versions < V8.2.12), InterMesh 7707 Fire Subscriber (All versions < V7.2.12 only if the IP interface is enabled (which is not the default configuration)). The web server of affected devices allows to write arbitrary files to the web server's DocumentRoot directory.
Severity
5.8 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-250 - Execution with Unnecessary Privileges
Assigner
References
1 reference
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Siemens | InterMesh 7177 Hybrid 2.0 Subscriber |
Affected:
0 , < V8.2.12
(custom)
|
|
| Siemens | InterMesh 7707 Fire Subscriber |
Affected:
0 , < V7.2.12
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-47903",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-23T18:01:58.898600Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-23T18:02:13.310Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "InterMesh 7177 Hybrid 2.0 Subscriber",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V8.2.12",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "InterMesh 7707 Fire Subscriber",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V7.2.12",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been identified in InterMesh 7177 Hybrid 2.0 Subscriber (All versions \u003c V8.2.12), InterMesh 7707 Fire Subscriber (All versions \u003c V7.2.12 only if the IP interface is enabled (which is not the default configuration)). The web server of affected devices allows to write arbitrary files to the web server\u0027s DocumentRoot directory."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N",
"version": "3.1"
}
},
{
"cvssV4_0": {
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N",
"version": "4.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-250",
"description": "CWE-250: Execution with Unnecessary Privileges",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-23T14:21:21.774Z",
"orgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77",
"shortName": "siemens"
},
"references": [
{
"url": "https://cert-portal.siemens.com/productcert/html/ssa-333468.html"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77",
"assignerShortName": "siemens",
"cveId": "CVE-2024-47903",
"datePublished": "2024-10-23T14:21:21.774Z",
"dateReserved": "2024-10-04T16:15:00.392Z",
"dateUpdated": "2024-10-23T18:02:13.310Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-47902 (GCVE-0-2024-47902)
Vulnerability from cvelistv5 – Published: 2024-10-23 14:21 – Updated: 2024-10-23 18:16
VLAI
Summary
A vulnerability has been identified in InterMesh 7177 Hybrid 2.0 Subscriber (All versions < V8.2.12), InterMesh 7707 Fire Subscriber (All versions < V7.2.12 only if the IP interface is enabled (which is not the default configuration)). The web server of affected devices does not authenticate GET requests that execute specific commands (such as `ping`) on operating system level.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-306 - Missing Authentication for Critical Function
Assigner
References
1 reference
Impacted products
4 products
| Vendor | Product | Version | |
|---|---|---|---|
| Siemens | InterMesh 7177 Hybrid 2.0 Subscriber |
Affected:
0 , < V8.2.12
(custom)
|
|
| Siemens | InterMesh 7707 Fire Subscriber |
Affected:
0 , < V7.2.12
(custom)
|
|
| siemens | intermesh_7177_hybrid2.0_subscriber |
Affected:
0 , < 8.2.12
(custom)
cpe:2.3:a:siemens:intermesh_7177_hybrid2.0_subscriber:*:*:*:*:*:*:*:* |
|
| siemens | intermesh_7707_fire_subscriber |
Affected:
0 , < 7.2.12
(custom)
cpe:2.3:a:siemens:intermesh_7707_fire_subscriber:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:siemens:intermesh_7177_hybrid2.0_subscriber:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "intermesh_7177_hybrid2.0_subscriber",
"vendor": "siemens",
"versions": [
{
"lessThan": "8.2.12",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:siemens:intermesh_7707_fire_subscriber:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "intermesh_7707_fire_subscriber",
"vendor": "siemens",
"versions": [
{
"lessThan": "7.2.12",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-47902",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-23T18:15:15.404634Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-23T18:16:39.383Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "InterMesh 7177 Hybrid 2.0 Subscriber",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V8.2.12",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "InterMesh 7707 Fire Subscriber",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V7.2.12",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been identified in InterMesh 7177 Hybrid 2.0 Subscriber (All versions \u003c V8.2.12), InterMesh 7707 Fire Subscriber (All versions \u003c V7.2.12 only if the IP interface is enabled (which is not the default configuration)). The web server of affected devices does not authenticate GET requests that execute specific commands (such as `ping`) on operating system level."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"cvssV4_0": {
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N",
"version": "4.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306: Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-23T14:21:20.501Z",
"orgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77",
"shortName": "siemens"
},
"references": [
{
"url": "https://cert-portal.siemens.com/productcert/html/ssa-333468.html"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77",
"assignerShortName": "siemens",
"cveId": "CVE-2024-47902",
"datePublished": "2024-10-23T14:21:20.501Z",
"dateReserved": "2024-10-04T16:15:00.392Z",
"dateUpdated": "2024-10-23T18:16:39.383Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-47901 (GCVE-0-2024-47901)
Vulnerability from cvelistv5 – Published: 2024-10-23 14:21 – Updated: 2024-10-23 18:18
VLAI
Summary
A vulnerability has been identified in InterMesh 7177 Hybrid 2.0 Subscriber (All versions < V8.2.12), InterMesh 7707 Fire Subscriber (All versions < V7.2.12 only if the IP interface is enabled (which is not the default configuration)). The web server of affected devices does not sanitize the input parameters in specific GET requests that allow for code execution on operating system level. In combination with other vulnerabilities (CVE-2024-47902, CVE-2024-47903, CVE-2024-47904) this could allow an unauthenticated remote attacker to execute arbitrary code with root privileges.
Severity
10 (Critical)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
1 reference
Impacted products
4 products
| Vendor | Product | Version | |
|---|---|---|---|
| Siemens | InterMesh 7177 Hybrid 2.0 Subscriber |
Affected:
0 , < V8.2.12
(custom)
|
|
| Siemens | InterMesh 7707 Fire Subscriber |
Affected:
0 , < V7.2.12
(custom)
|
|
| siemens | intermesh_7177_hybrid2.0_subscriber |
Affected:
0 , < 8.2.12
(custom)
cpe:2.3:a:siemens:intermesh_7177_hybrid2.0_subscriber:*:*:*:*:*:*:*:* |
|
| siemens | intermesh_7707_fire_subscriber |
Affected:
0 , < 7.2.12
(custom)
cpe:2.3:a:siemens:intermesh_7707_fire_subscriber:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:siemens:intermesh_7177_hybrid2.0_subscriber:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "intermesh_7177_hybrid2.0_subscriber",
"vendor": "siemens",
"versions": [
{
"lessThan": "8.2.12",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:siemens:intermesh_7707_fire_subscriber:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "intermesh_7707_fire_subscriber",
"vendor": "siemens",
"versions": [
{
"lessThan": "7.2.12",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-47901",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-23T18:17:45.967957Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-23T18:18:54.551Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "InterMesh 7177 Hybrid 2.0 Subscriber",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V8.2.12",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "InterMesh 7707 Fire Subscriber",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V7.2.12",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been identified in InterMesh 7177 Hybrid 2.0 Subscriber (All versions \u003c V8.2.12), InterMesh 7707 Fire Subscriber (All versions \u003c V7.2.12 only if the IP interface is enabled (which is not the default configuration)). The web server of affected devices does not sanitize the input parameters in specific GET requests that allow for code execution on operating system level. In combination with other vulnerabilities (CVE-2024-47902, CVE-2024-47903, CVE-2024-47904) this could allow an unauthenticated remote attacker to execute arbitrary code with root privileges."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 10,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"cvssV4_0": {
"baseScore": 10,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-23T14:21:19.200Z",
"orgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77",
"shortName": "siemens"
},
"references": [
{
"url": "https://cert-portal.siemens.com/productcert/html/ssa-333468.html"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77",
"assignerShortName": "siemens",
"cveId": "CVE-2024-47901",
"datePublished": "2024-10-23T14:21:19.200Z",
"dateReserved": "2024-10-04T16:15:00.391Z",
"dateUpdated": "2024-10-23T18:18:54.551Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}