History: Mar 13, 2024 - 3:15 a.m.

CVE-2024-2413

2024-03-13 03:15:06
CWE-321
web.nvd.nist.gov
cve-2024-2413
intumit smartrobot
encryption key
authentication
remote attackers
admin privileges
arbitrary code

CVSS3: 9.8 High

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score: 8.1 High (Confidence: Low)

EPSS: 0.001 Low (Percentile: 39.1%)

Intumit SmartRobot uses a fixed encryption key for authentication. Remote attackers can use this key to encrypt a string composed of the user’s name and timestamp to generate an authentication code. With this authentication code, they can obtain administrator privileges and subsequently execute arbitrary code on the remote server using built-in system functionality.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "SmartRobot",
    "vendor": "Intumit",
    "versions": [
      {
        "lessThanOrEqual": "v6.1.2-202212tw",
        "status": "affected",
        "version": "earlier version",
        "versionType": "custom"
      }
    ]
  }
]
