History: Jun 12, 2024 - 9:04 p.m.

CVE-2024-3468 Deserialization of Untrusted Data in AVEVA PI Web API

2024-06-12 21:04:28
CWE: CWE-502
Source: icscert
Tags: aveva pi web api, untrusted data, deserialization, xml import, interactive user, social engineering, code execution

CVSS4: 8.4
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: ACTIVE
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/SC:N/VI:H/SI:N/VA:L/SA:N

AI Score: 7.3
Confidence: High

EPSS: 0
Percentile: 9.0%

SSVC Exploitation: none
SSVC Automatable: no
SSVC Technical Impact: partial

There is a vulnerability in AVEVA PI Web API that could allow malicious code to execute in the PI Web API environment under the privileges of an interactive user who was socially engineered into using the API XML import functionality with attacker-supplied content.

CNA Affected

[
  {
    "vendor": "AVEVA",
    "product": "PI Web API",
    "versions": [
      {
        "status": "affected",
        "version": "0",
        "versionType": "custom",
        "lessThanOrEqual": "2023"
      }
    ],
    "defaultStatus": "unaffected"
  }
]
