CVE-2024-3301 (GCVE-0-2024-3301)
Vulnerability from cvelistv5 – Published: 2024-05-30 15:18 – Updated: 2024-09-03 15:31
VLAI?
Title
Post-authentication Unsafe .NET object deserialization vulnerability affecting DELMIA Apriso Release 2019 through Release 2024
Summary
An unsafe .NET object deserialization vulnerability in DELMIA Apriso Release 2019 through Release 2024 could lead to post-authentication remote code execution.
Severity ?
8.5 (High)
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Dassault Systèmes | DELMIA Apriso |
Affected:
Release 2019 Golden , ≤ Release 2019 SP5
(custom)
Affected: Release 2020 Golden , ≤ Release 2020 SP4 (custom) Affected: Release 2021 Golden , ≤ Release 2021 SP3 (custom) Affected: Release 2022 Golden , ≤ Release 2022 SP3 (custom) Affected: Release 2023 Golden , ≤ Release 2023 SP2 (custom) Affected: Release 2024 Golden , ≤ Release 2024 SP1 (custom) |
Credits
Mehdi Elyassa of Synacktiv
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T20:05:08.350Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.3ds.com/vulnerability/advisories"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:3ds:delmia_apriso:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "delmia_apriso",
"vendor": "3ds",
"versions": [
{
"lessThanOrEqual": "2024",
"status": "affected",
"version": "2019",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-3301",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-03T15:27:23.292614Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-03T15:31:28.769Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "DELMIA Apriso",
"vendor": "Dassault Syst\u00e8mes",
"versions": [
{
"lessThanOrEqual": "Release 2019 SP5",
"status": "affected",
"version": "Release 2019 Golden",
"versionType": "custom"
},
{
"lessThanOrEqual": "Release 2020 SP4",
"status": "affected",
"version": "Release 2020 Golden",
"versionType": "custom"
},
{
"lessThanOrEqual": "Release 2021 SP3",
"status": "affected",
"version": "Release 2021 Golden",
"versionType": "custom"
},
{
"lessThanOrEqual": "Release 2022 SP3",
"status": "affected",
"version": "Release 2022 Golden",
"versionType": "custom"
},
{
"lessThanOrEqual": "Release 2023 SP2",
"status": "affected",
"version": "Release 2023 Golden",
"versionType": "custom"
},
{
"lessThanOrEqual": "Release 2024 SP1",
"status": "affected",
"version": "Release 2024 Golden",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Mehdi Elyassa of Synacktiv"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An unsafe .NET object deserialization vulnerability in DELMIA Apriso Release 2019 through Release 2024 could lead to post-authentication remote code execution."
}
],
"value": "An unsafe .NET object deserialization vulnerability in DELMIA Apriso Release 2019 through Release 2024 could lead to post-authentication remote code execution."
}
],
"impacts": [
{
"capecId": "CAPEC-586",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-586 Object Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-30T15:18:14.217Z",
"orgId": "f5a594e6-46a7-4e60-8a08-0a786e70e433",
"shortName": "3DS"
},
"references": [
{
"url": "https://www.3ds.com/vulnerability/advisories"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Post-authentication Unsafe .NET object deserialization vulnerability affecting DELMIA Apriso Release 2019 through Release 2024",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f5a594e6-46a7-4e60-8a08-0a786e70e433",
"assignerShortName": "3DS",
"cveId": "CVE-2024-3301",
"datePublished": "2024-05-30T15:18:14.217Z",
"dateReserved": "2024-04-04T09:52:26.812Z",
"dateUpdated": "2024-09-03T15:31:28.769Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2024-3301\",\"sourceIdentifier\":\"3DS.Information-Security@3ds.com\",\"published\":\"2024-05-30T16:15:19.093\",\"lastModified\":\"2024-11-21T09:29:21.167\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"An unsafe .NET object deserialization vulnerability in DELMIA Apriso Release 2019 through Release 2024 could lead to post-authentication remote code execution.\"},{\"lang\":\"es\",\"value\":\"Una vulnerabilidad de deserializaci\u00f3n de objetos .NET inseguros en DELMIA Apriso desde la versi\u00f3n 2019 hasta la versi\u00f3n 2024 podr\u00eda provocar la ejecuci\u00f3n remota de c\u00f3digo posterior a la autenticaci\u00f3n.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"3DS.Information-Security@3ds.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H\",\"baseScore\":8.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":6.0}]},\"weaknesses\":[{\"source\":\"3DS.Information-Security@3ds.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-502\"}]}],\"references\":[{\"url\":\"https://www.3ds.com/vulnerability/advisories\",\"source\":\"3DS.Information-Security@3ds.com\"},{\"url\":\"https://www.3ds.com/vulnerability/advisories\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://www.3ds.com/vulnerability/advisories\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-01T20:05:08.350Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-3301\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-09-03T15:27:23.292614Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:3ds:delmia_apriso:*:*:*:*:*:*:*:*\"], \"vendor\": \"3ds\", \"product\": \"delmia_apriso\", \"versions\": [{\"status\": \"affected\", \"version\": \"2019\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"2024\"}], \"defaultStatus\": \"unaffected\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-09-03T15:31:22.727Z\"}}], \"cna\": {\"title\": \"Post-authentication Unsafe .NET object deserialization vulnerability affecting DELMIA Apriso Release 2019 through Release 2024\", \"source\": {\"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"user\": \"00000000-0000-4000-9000-000000000000\", \"value\": \"Mehdi Elyassa of Synacktiv\"}], \"impacts\": [{\"capecId\": \"CAPEC-586\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-586 Object Injection\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 8.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Dassault Syst\\u00e8mes\", \"product\": \"DELMIA Apriso\", \"versions\": [{\"status\": \"affected\", \"version\": \"Release 2019 Golden\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"Release 2019 SP5\"}, {\"status\": \"affected\", \"version\": \"Release 2020 Golden\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"Release 2020 SP4\"}, {\"status\": \"affected\", \"version\": \"Release 2021 Golden\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"Release 2021 SP3\"}, {\"status\": \"affected\", \"version\": \"Release 2022 Golden\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"Release 2022 SP3\"}, {\"status\": \"affected\", \"version\": \"Release 2023 Golden\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"Release 2023 SP2\"}, {\"status\": \"affected\", \"version\": \"Release 2024 Golden\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"Release 2024 SP1\"}], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://www.3ds.com/vulnerability/advisories\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.1.0-dev\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"An unsafe .NET object deserialization vulnerability in DELMIA Apriso Release 2019 through Release 2024 could lead to post-authentication remote code execution.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"An unsafe .NET object deserialization vulnerability in DELMIA Apriso Release 2019 through Release 2024 could lead to post-authentication remote code execution.\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-502\", \"description\": \"CWE-502 Deserialization of Untrusted Data\"}]}], \"providerMetadata\": {\"orgId\": \"f5a594e6-46a7-4e60-8a08-0a786e70e433\", \"shortName\": \"3DS\", \"dateUpdated\": \"2024-05-30T15:18:14.217Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2024-3301\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-09-03T15:31:28.769Z\", \"dateReserved\": \"2024-04-04T09:52:26.812Z\", \"assignerOrgId\": \"f5a594e6-46a7-4e60-8a08-0a786e70e433\", \"datePublished\": \"2024-05-30T15:18:14.217Z\", \"assignerShortName\": \"3DS\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…