CVE-2024-1015 - OpenCVE

Remote command execution vulnerability in SE-elektronic GmbH E-DDC3.3 affecting versions 03.07.03 and higher. An attacker could send different commands from the operating system to the system via the web configuration functionality of the device.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Se-elektronicgmbh	E-ddc3.3 Firmware E-ddc3.3

Configuration 1 [-]

AND

cpe:2.3:o:se-elektronicgmbh:e-ddc3.3_firmware:03.07.03:*:*:*:*:*:*:*

cpe:2.3:h:se-elektronicgmbh:e-ddc3.3:-:*:*:*:*:*:*:*

References

Link	Resource
https://www.hackplayers.com/2024/01/cve-2024-1014-and-cve-2024-1015.html	Third Party Advisory
https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-se-elektronic-gmbh-products	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: INCIBE

Published: 2024-01-29T13:46:32.256Z

Updated: 2024-01-30T08:16:42.159Z

Reserved: 2024-01-29T10:06:20.593Z

Link: CVE-2024-1015

JSON object: View

NVD Information

Status : Analyzed

Published: 2024-01-29T14:15:09.657

Modified: 2024-02-02T02:04:13.267

Link: CVE-2024-1015

JSON object: View

Redhat Information

No data.

CWE

CWE-94

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2024-1015", "assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "state": "PUBLISHED", "assignerShortName": "INCIBE", "dateReserved": "2024-01-29T10:06:20.593Z", "datePublished": "2024-01-29T13:46:32.256Z", "dateUpdated": "2024-01-30T08:16:42.159Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "E-DDC3.3", "vendor": "SE-elektronic GmbH", "versions": [{"status": "affected", "version": "03.07.03"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Carlos Antonini"}], "datePublic": "2024-01-29T11:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": " Remote command execution vulnerability in SE-elektronic GmbH E-DDC3.3 affecting versions 03.07.03 and higher. An attacker could send different commands from the operating system to the system via the web configuration functionality of the device."}], "value": " Remote command execution vulnerability in SE-elektronic GmbH E-DDC3.3 affecting versions 03.07.03 and higher. An attacker could send different commands from the operating system to the system via the web configuration functionality of the device."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-94", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "shortName": "INCIBE", "dateUpdated": "2024-01-30T08:16:42.159Z"}, "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-se-elektronic-gmbh-products"}, {"tags": ["third-party-advisory"], "url": "https://www.hackplayers.com/2024/01/cve-2024-1014-and-cve-2024-1015.html"}], "source": {"discovery": "UNKNOWN"}, "title": "Remote command execution vulnerability in SE-elektronic GmbH E-DDC3.3", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:se-elektronicgmbh:e-ddc3.3_firmware:03.07.03:*:*:*:*:*:*:*", "matchCriteriaId": "2FB32F1D-8E3D-4C2F-BF31-A107C9963D25", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:se-elektronicgmbh:e-ddc3.3:-:*:*:*:*:*:*:*", "matchCriteriaId": "3439959B-DB8A-4BE5-85EA-111851A8DC1E", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": " Remote command execution vulnerability in SE-elektronic GmbH E-DDC3.3 affecting versions 03.07.03 and higher. An attacker could send different commands from the operating system to the system via the web configuration functionality of the device."}, {"lang": "es", "value": "Vulnerabilidad de ejecuci\u00f3n remota de comandos en SE-elektronic GmbH E-DDC3.3 que afecta a las versiones 03.07.03 y superiores. Un atacante podr\u00eda enviar diferentes comandos desde el sistema operativo al sistema a trav\u00e9s de la funcionalidad de configuraci\u00f3n web del dispositivo."}], "id": "CVE-2024-1015", "lastModified": "2024-02-02T02:04:13.267", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "cve-coordination@incibe.es", "type": "Secondary"}]}, "published": "2024-01-29T14:15:09.657", "references": [{"source": "cve-coordination@incibe.es", "tags": ["Third Party Advisory"], "url": "https://www.hackplayers.com/2024/01/cve-2024-1014-and-cve-2024-1015.html"}, {"source": "cve-coordination@incibe.es", "tags": ["Third Party Advisory"], "url": "https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-se-elektronic-gmbh-products"}], "sourceIdentifier": "cve-coordination@incibe.es", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-94"}], "source": "cve-coordination@incibe.es", "type": "Secondary"}]}