History: Jun 12, 2024 - 9:15 p.m.

CVE-2024-3467

2024-06-12 21:15:50
CWE-502
web.nvd.nist.gov

CVSS4: 7 High
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: ACTIVE
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:H/SC:N/VI:H/SI:N/VA:H/SA:N

AI Score: 7.3 High (Confidence: High)
EPSS: 0.0004 Low (Percentile: 9.1%)

There is a vulnerability in AVEVA PI Asset Framework Client that could allow malicious code to execute on the PI System Explorer environment under the privileges of an interactive user that was socially engineered to import XML supplied by an attacker.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "PI Asset Framework Client",
    "vendor": "AVEVA",
    "versions": [
      {
        "status": "affected",
        "version": "2023"
      },
      {
        "lessThanOrEqual": "2018 SP3 P04",
        "status": "affected",
        "version": "0",
        "versionType": "custom"
      }
    ]
  }
]
