CVE-2024-39569

2024-07-0912:15:16

CWE-77

[email protected]

web.nvd.nist.gov

sinema remote connect

command injection

vpn configurations

remote attacker

arbitrary code

system privileges

CVSS3

7.2

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

EPSS

0.001

Percentile

18.7%

JSON

A vulnerability has been identified in SINEMA Remote Connect Client (All versions < V3.2 HF1). The system service of affected applications is vulnerable to command injection due to missing server side input sanitation when loading VPN configurations. This could allow an administrative remote attacker running a corresponding SINEMA Remote Connect Server to execute arbitrary code with system privileges on the client system.

Affected configurations

Nvd

Node

siemenssinema_remote_connect_clientRange<3.2

siemenssinema_remote_connect_clientMatch3.2-

VendorProductVersionCPE
siemenssinema_remote_connect_client*cpe:2.3:a:siemens:sinema_remote_connect_client:*:*:*:*:*:*:*:*
siemenssinema_remote_connect_client3.2cpe:2.3:a:siemens:sinema_remote_connect_client:3.2:-:*:*:*:*:*:*

Vendor	Product	Version	CPE
siemens	sinema_remote_connect_client	*	cpe:2.3:a:siemens:sinema_remote_connect_client::::::::
siemens	sinema_remote_connect_client	3.2	cpe:2.3:a:siemens:sinema_remote_connect_client:3.2:-::::::