1. EXECUTIVE SUMMARY
- CVSS v3 7.8
- ATTENTION: Low attack complexity
- Vendor: Schneider Electric
- Equipment: Easergy Studio
- Vulnerability: Improper Privilege Management
2. RISK EVALUATION
Successful exploitation of this vulnerability may risk unauthorized access to the installation directory for Easergy Studio, which could allow an attacker with access to the file system to elevate privileges.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Schneider Electric reports that the following Easergy Studio products are affected:
- Easergy Studio: Versions 9.3.1 and prior
3.2 VULNERABILITY OVERVIEW
3.2.1 IMPROPER PRIVILEGE MANAGEMENT CWE-269
An improper privilege management vulnerability exists that could cause unauthorized access, loss of confidentiality, integrity, and availability of the workstation when a non-administrative authenticated user tries to perform privilege escalation by tampering with the binaries.
CVE-2024-9002 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
3.3 BACKGROUND
- CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities, Energy, Healthcare and Public Health, Information Technology, Transportation Systems
- COUNTRIES/AREAS DEPLOYED: Worldwide
- COMPANY HEADQUARTERS LOCATION: France
3.4 RESEARCHER
Charit Misra (Applied Risk B.V. (a DNV Company)) reported this vulnerability to Schneider Electric.
4. MITIGATIONS
Version 9.3.4 and later of Easergy Studio in
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
Read the original article: