CVE-2024-28029 - Vulnerability Details - OpenCVE

ReportizFlow

Privileges are not fully verified server-side, which can be abused by a user with limited privileges to bypass authorization and access privileged functionality.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact total

Vendors	Products
Deltaww	Diaenergie

Configuration 1 [-]

cpe:2.3:a:deltaww:diaenergie:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://www.cisa.gov/news-events/ics-advisories/icsa-24-074-12

History

Thu, 17 Oct 2024 19:45:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-285

Thu, 17 Oct 2024 19:15:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:deltaww:diaenergie:-:::::::*
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Thu, 17 Oct 2024 19:00:00 +0000

Type	Values Removed	Values Added
Description	Privileges are not fully verified server-side, which can be abused by a user with limited privileges to bypass authorization and access privileged functionality.	Privileges are not fully verified server-side, which can be abused by a user with limited privileges to bypass authorization and access privileged functionality.
Title	Delta Electronics DIAEnergie Improper Authorization	Client-Side Enforcement of Server-Side Security in Delta Electronics DIAEnergie
Weaknesses		CWE-602

MITRE

Status: PUBLISHED

Assigner: icscert

Published: 2024-03-21T22:04:57.512Z

Updated: 2024-10-17T18:45:56.861Z

Reserved: 2024-03-12T15:07:02.648Z

Link: CVE-2024-28029

Vulnrichment

Updated: 2024-08-02T00:48:47.726Z

NVD

Status : Modified

Published: 2024-03-21T22:15:11.353

Modified: 2024-11-21T09:05:40.260

Link: CVE-2024-28029

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-28029", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "state": "PUBLISHED", "assignerShortName": "icscert", "dateReserved": "2024-03-12T15:07:02.648Z", "datePublished": "2024-03-21T22:04:57.512Z", "dateUpdated": "2024-10-17T18:45:56.861Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "DIAEnergie", "vendor": "Delta Electronics", "versions": [{"lessThan": "v1.10.00.005", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Michael Heinzl reported these vulnerabilities to CISA."}], "datePublic": "2024-03-14T17:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">Privileges are not fully verified server-side, which can be abused by a user with limited privileges to bypass authorization and access privileged functionality.</span>"}], "value": "Privileges are not fully verified server-side, which can be abused by a user with limited privileges to bypass authorization and access privileged functionality."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-602", "description": "CWE-602 Client-Side Enforcement of Server-Side Security", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2024-10-17T18:45:56.861Z"}, "references": [{"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-074-12"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">Delta recommends users update to DIAEnergie v1.10.00.005. Users can request this version of DIAEnergie from </span><a target=\"_blank\" rel=\"nofollow\" href=\"https://www.deltaww.com/en/customerService\">Delta Electronics' regional sales or agents</a><span style=\"background-color: rgb(255, 255, 255);\">.</span>\n\n<br>"}], "value": "Delta recommends users update to DIAEnergie v1.10.00.005. Users can request this version of DIAEnergie from Delta Electronics' regional sales or agents https://www.deltaww.com/en/customerService ."}], "source": {"advisory": "ICSA-24-074-12", "discovery": "EXTERNAL"}, "title": "Client-Side Enforcement of Server-Side Security in Delta Electronics DIAEnergie", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:48:47.726Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-074-12", "tags": ["x_transferred"]}]}, {"affected": [{"vendor": "deltaww", "product": "diaenergie", "cpes": ["cpe:2.3:a:deltaww:diaenergie:-:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "1.10.00.005", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-03-22T14:38:46.183877Z", "id": "CVE-2024-28029", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-12T20:26:21.673Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-074-12", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:48:47.726Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-28029", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-03-22T14:38:46.183877Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:deltaww:diaenergie:-:*:*:*:*:*:*:*"], "vendor": "deltaww", "product": "diaenergie", "versions": [{"status": "affected", "version": "0", "lessThan": "1.10.00.005", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-12T20:26:16.784Z"}}], "cna": {"title": "Client-Side Enforcement of Server-Side Security in Delta Electronics DIAEnergie", "source": {"advisory": "ICSA-24-074-12", "discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Michael Heinzl reported these vulnerabilities to CISA."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Delta Electronics", "product": "DIAEnergie", "versions": [{"status": "affected", "version": "0", "lessThan": "v1.10.00.005", "versionType": "custom"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Delta recommends users update to DIAEnergie v1.10.00.005. Users can request this version of DIAEnergie from Delta Electronics' regional sales or agents https://www.deltaww.com/en/customerService .", "supportingMedia": [{"type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">Delta recommends users update to DIAEnergie v1.10.00.005. Users can request this version of DIAEnergie from </span><a target=\"_blank\" rel=\"nofollow\" href=\"https://www.deltaww.com/en/customerService\">Delta Electronics' regional sales or agents</a><span style=\"background-color: rgb(255, 255, 255);\">.</span>\n\n<br>", "base64": false}]}], "datePublic": "2024-03-14T17:00:00.000Z", "references": [{"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-074-12"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "Privileges are not fully verified server-side, which can be abused by a user with limited privileges to bypass authorization and access privileged functionality.", "supportingMedia": [{"type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">Privileges are not fully verified server-side, which can be abused by a user with limited privileges to bypass authorization and access privileged functionality.</span>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-602", "description": "CWE-602 Client-Side Enforcement of Server-Side Security"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2024-10-17T18:45:56.861Z"}}}, "cveMetadata": {"cveId": "CVE-2024-28029", "state": "PUBLISHED", "dateUpdated": "2024-10-17T18:45:56.861Z", "dateReserved": "2024-03-12T15:07:02.648Z", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "datePublished": "2024-03-21T22:04:57.512Z", "assignerShortName": "icscert"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:deltaww:diaenergie:*:*:*:*:*:*:*:*", "matchCriteriaId": "2AC96D25-8B44-4093-B30E-050C6F93A507", "versionEndExcluding": "1.10.00.005", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Privileges are not fully verified server-side, which can be abused by a user with limited privileges to bypass authorization and access privileged functionality."}, {"lang": "es", "value": "Los privilegios no se verifican completamente en el lado del servidor, lo que puede ser abusado por un usuario con privilegios limitados para eludir la autorizaci\u00f3n y acceder a funciones privilegiadas."}], "id": "CVE-2024-28029", "lastModified": "2024-11-21T09:05:40.260", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "[email protected]", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "[email protected]", "type": "Primary"}]}, "published": "2024-03-21T22:15:11.353", "references": [{"source": "[email protected]", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-074-12"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-074-12"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-602"}], "source": "[email protected]", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "[email protected]", "type": "Primary"}]}