CVE-2024-6618 - Vulnerability Details - OpenCVE

In Ocean Data Systems Dream Report, a path traversal vulnerability could allow an attacker to perform remote code execution through the injection of a malicious dynamic-link library (DLL).

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact total

Vendors	Products
Aveva	Reports For Operations 2023
Ocean Data Systems	Dream Report 2023

No data.

No data.

References

Link	Providers
https://www.cisa.gov/news-events/ics-advisories/icsa-24-226-08

History

Tue, 20 Aug 2024 17:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Aveva Aveva reports For Operations 2023 Ocean Data Systems Ocean Data Systems dream Report 2023
CPEs		cpe:2.3:a:aveva:reports_for_operations_2023:::::::: cpe:2.3:a:ocean_data_systems:dream_report_2023::::::::
Vendors & Products		Aveva Aveva reports For Operations 2023 Ocean Data Systems Ocean Data Systems dream Report 2023
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Tue, 13 Aug 2024 16:45:00 +0000

Type	Values Removed	Values Added
Description		In Ocean Data Systems Dream Report, a path traversal vulnerability could allow an attacker to perform remote code execution through the injection of a malicious dynamic-link library (DLL).
Title		Path Traversal in Ocean Data Systems Dream Report
Weaknesses		CWE-22
References		https://www.cisa.gov/news-events/ics-advisories/icsa-24-226-08
Metrics		cvssV4_0 `{'score': 8.5, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}`

MITRE

Status: PUBLISHED

Assigner: icscert

Published: 2024-08-13T16:37:41.654Z

Updated: 2024-08-20T16:31:02.999Z

Reserved: 2024-07-09T15:19:01.141Z

Link: CVE-2024-6618

Vulnrichment

Updated: 2024-08-20T16:30:54.351Z

NVD

Status : Awaiting Analysis

Published: 2024-08-13T17:15:24.377

Modified: 2024-08-14T02:07:05.410

Link: CVE-2024-6618

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-6618", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "state": "PUBLISHED", "assignerShortName": "icscert", "dateReserved": "2024-07-09T15:19:01.141Z", "datePublished": "2024-08-13T16:37:41.654Z", "dateUpdated": "2024-08-20T16:31:02.999Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Dream Report 2023", "vendor": "Ocean Data Systems", "versions": [{"lessThanOrEqual": "23.0.17795.1010", "status": "affected", "version": "0", "versionType": "custom"}]}, {"defaultStatus": "unaffected", "product": "Reports for Operations", "vendor": "AVEVA", "versions": [{"status": "affected", "version": "23.0.17795.1010"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Claroty Team82 reported these vulnerabilities to CISA."}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>In Ocean Data Systems Dream Report, a path traversal vulnerability could allow an attacker to perform remote code execution through the injection of a malicious dynamic-link library (DLL).</p><br>"}], "value": "In Ocean Data Systems Dream Report, a path traversal vulnerability could allow an attacker to perform remote code execution through the injection of a malicious dynamic-link library (DLL)."}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "baseScore": 8.5, "baseSeverity": "HIGH", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2024-08-13T16:37:41.654Z"}, "references": [{"tags": ["government-resource"], "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-226-08"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Ocean Data Systems recommends users update to the following:</p><ul><li>Dream Report 2023 R2: Version 23.3.18952.0523</li></ul><p>For more information, see <a target=\"_blank\" rel=\"nofollow\" href=\"https://dreamreport.net/\">Dream Report Version 2023 R2 Released</a>.</p><p>AVEVA recommends users of affected versions upgrade to the versions listed below and apply the corresponding security update:</p><ul><li>Update to <a target=\"_blank\" rel=\"nofollow\" href=\"https://softwaresupportsp.aveva.com/#/producthub/details?id=247ce8d6-0f2e-498c-9024-58c96bb6d8de\">AVEVA Reports for Operations 2023 R2</a> or later</li></ul><p>For more information, see security bulletin <a target=\"_blank\" rel=\"nofollow\" href=\"https://www.aveva.com/content/dam/aveva/documents/support/cyber-security-updates/SecurityBulletin_AVEVA-2024-006.pdf\">AVEVA-2024-006</a>.</p>\n\n<br>"}], "value": "Ocean Data Systems recommends users update to the following:\n\n * Dream Report 2023 R2: Version 23.3.18952.0523\n\n\nFor more information, see Dream Report Version 2023 R2 Released https://dreamreport.net/ .\n\nAVEVA recommends users of affected versions upgrade to the versions listed below and apply the corresponding security update:\n\n * Update to AVEVA Reports for Operations 2023 R2 https://softwaresupportsp.aveva.com/#/producthub/details \u00a0or later\n\n\nFor more information, see security bulletin AVEVA-2024-006 https://www.aveva.com/content/dam/aveva/documents/support/cyber-security-updates/SecurityBulletin_AVEVA-2024-006.pdf ."}], "source": {"discovery": "UNKNOWN"}, "title": "Path Traversal in Ocean Data Systems Dream Report", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"affected": [{"vendor": "ocean_data_systems", "product": "dream_report_2023", "cpes": ["cpe:2.3:a:ocean_data_systems:dream_report_2023:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "23.0.17795.1010", "versionType": "custom"}]}, {"vendor": "aveva", "product": "reports_for_operations_2023", "cpes": ["cpe:2.3:a:aveva:reports_for_operations_2023:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "23.0.17795.1010", "status": "affected"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-08-20T16:29:10.362961Z", "id": "CVE-2024-6618", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-20T16:31:02.999Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-6618", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "state": "PUBLISHED", "assignerShortName": "icscert", "dateReserved": "2024-07-09T15:19:01.141Z", "datePublished": "2024-08-13T16:37:41.654Z", "dateUpdated": "2024-08-20T16:31:02.999Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Dream Report 2023", "vendor": "Ocean Data Systems", "versions": [{"lessThanOrEqual": "23.0.17795.1010", "status": "affected", "version": "0", "versionType": "custom"}]}, {"defaultStatus": "unaffected", "product": "Reports for Operations", "vendor": "AVEVA", "versions": [{"status": "affected", "version": "23.0.17795.1010"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Claroty Team82 reported these vulnerabilities to CISA."}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>In Ocean Data Systems Dream Report, a path traversal vulnerability could allow an attacker to perform remote code execution through the injection of a malicious dynamic-link library (DLL).</p><br>"}], "value": "In Ocean Data Systems Dream Report, a path traversal vulnerability could allow an attacker to perform remote code execution through the injection of a malicious dynamic-link library (DLL)."}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "baseScore": 8.5, "baseSeverity": "HIGH", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2024-08-13T16:37:41.654Z"}, "references": [{"tags": ["government-resource"], "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-226-08"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Ocean Data Systems recommends users update to the following:</p><ul><li>Dream Report 2023 R2: Version 23.3.18952.0523</li></ul><p>For more information, see <a target=\"_blank\" rel=\"nofollow\" href=\"https://dreamreport.net/\">Dream Report Version 2023 R2 Released</a>.</p><p>AVEVA recommends users of affected versions upgrade to the versions listed below and apply the corresponding security update:</p><ul><li>Update to <a target=\"_blank\" rel=\"nofollow\" href=\"https://softwaresupportsp.aveva.com/#/producthub/details?id=247ce8d6-0f2e-498c-9024-58c96bb6d8de\">AVEVA Reports for Operations 2023 R2</a> or later</li></ul><p>For more information, see security bulletin <a target=\"_blank\" rel=\"nofollow\" href=\"https://www.aveva.com/content/dam/aveva/documents/support/cyber-security-updates/SecurityBulletin_AVEVA-2024-006.pdf\">AVEVA-2024-006</a>.</p>\n\n<br>"}], "value": "Ocean Data Systems recommends users update to the following:\n\n * Dream Report 2023 R2: Version 23.3.18952.0523\n\n\nFor more information, see Dream Report Version 2023 R2 Released https://dreamreport.net/ .\n\nAVEVA recommends users of affected versions upgrade to the versions listed below and apply the corresponding security update:\n\n * Update to AVEVA Reports for Operations 2023 R2 https://softwaresupportsp.aveva.com/#/producthub/details \u00a0or later\n\n\nFor more information, see security bulletin AVEVA-2024-006 https://www.aveva.com/content/dam/aveva/documents/support/cyber-security-updates/SecurityBulletin_AVEVA-2024-006.pdf ."}], "source": {"discovery": "UNKNOWN"}, "title": "Path Traversal in Ocean Data Systems Dream Report", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-6618", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-08-20T16:29:10.362961Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:ocean_data_systems:dream_report_2023:*:*:*:*:*:*:*:*"], "vendor": "ocean_data_systems", "product": "dream_report_2023", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "23.0.17795.1010"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:aveva:reports_for_operations_2023:*:*:*:*:*:*:*:*"], "vendor": "aveva", "product": "reports_for_operations_2023", "versions": [{"status": "affected", "version": "23.0.17795.1010"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-20T16:30:54.351Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In Ocean Data Systems Dream Report, a path traversal vulnerability could allow an attacker to perform remote code execution through the injection of a malicious dynamic-link library (DLL)."}], "id": "CVE-2024-6618", "lastModified": "2024-08-14T02:07:05.410", "metrics": {"cvssMetricV40": [{"cvssData": {"attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "automatable": "NOT_DEFINED", "availabilityRequirements": "NOT_DEFINED", "baseScore": 8.5, "baseSeverity": "HIGH", "confidentialityRequirements": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirements": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubsequentSystemAvailability": "NOT_DEFINED", "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED", "modifiedSubsequentSystemIntegrity": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnerableSystemAvailability": "NOT_DEFINED", "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED", "modifiedVulnerableSystemIntegrity": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "recovery": "NOT_DEFINED", "safety": "NOT_DEFINED", "subsequentSystemAvailability": "NONE", "subsequentSystemConfidentiality": "NONE", "subsequentSystemIntegrity": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnerabilityResponseEffort": "NOT_DEFINED", "vulnerableSystemAvailability": "HIGH", "vulnerableSystemConfidentiality": "HIGH", "vulnerableSystemIntegrity": "HIGH"}, "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}, "published": "2024-08-13T17:15:24.377", "references": [{"source": "ics-cert@hq.dhs.gov", "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-226-08"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "ics-cert@hq.dhs.gov", "type": "Primary"}]}