1. EXECUTIVE SUMMARY
- CVSS v4 9.3
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Kieback&Peter
- Equipment: DDC4000 Series
- Vulnerabilities: Path Traversal, Insufficiently Protected Credentials, Use of Weak Credentials
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an unauthenticated attacker to gain full administrator rights on the system.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following Kieback&Peter DDC4000 series products are affected:
- DDC4002 : Versions 1.12.14 and prior
- DDC4100 : Versions 1.7.4 and prior
- DDC4200 : Versions 1.12.14 and prior
- DDC4200-L : Versions 1.12.14 and prior
- DDC4400 : Versions 1.12.14 and prior
- DDC4002e : Versions 1.17.6 and prior
- DDC4200e : Versions 1.17.6 and prior
- DDC4400e : Versions 1.17.6 and prior
- DDC4020e : Versions 1.17.6 and prior
- DDC4040e : Versions 1.17.6 and prior
3.2 Vulnerability Overview
3.2.1 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY (‘PATH TRAVERSAL’) CWE-22
The affected product is vulnerable to a path traversal vulnerability, which may allow an unauthenticated attacker to read files on the system.
CVE-2024-41717 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2024-41717. A base score of 9.3 has been calculated; the CVSS vector string is (This article has been indexed from All CISA Advisories