CVE-2024-23317

EUVD-2024-20835
External Control of File Name or Path (CWE-73) in the Controller 6000 and Controller 7000 allows an attacker with local access to the Controller to perform arbitrary code execution. 

This issue affects: 9.10 prior to vCR9.10.240520a (distributed in 9.10.1268(MR1)), 9.00 prior to vCR9.00.240521a (distributed in 9.00.1990(MR3)), 8.90 prior to vCR8.90.240520a (distributed in 8.90.1947 (MR4)), 8.80 prior to vCR8.80.240520a (distributed in 8.80.1726 (MR5)), 8.70 prior to vCR8.70.240520a (distributed in 8.70.2824 (MR7)), all versions of 8.60 and prior.
| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | Primary | 6.3 MEDIUM | LOCAL | LOW | HIGH | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L |
EPSS Score
Percentile: 11%
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
| Vendor | Product | Version | Source |
|---|---|---|---|
| gallagher | controller_6000_firmware | 𝑥 ≤ 8.60 | ADP |
| gallagher | controller_6000_firmware | 8.70 ≤ 𝑥 < 8.70.240520a | ADP |
| gallagher | controller_6000_firmware | 8.80 ≤ 𝑥 < 8.80.240520a | ADP |
| gallagher | controller_6000_firmware | 8.90 ≤ 𝑥 < 8.90.240520a | ADP |
| gallagher | controller_6000_firmware | 9.00 ≤ 𝑥 < 9.00.240521a | ADP |
| gallagher | controller_6000_firmware | 9.10 ≤ 𝑥 < 9.10.240520a | ADP |
| gallagher | controller_7000_firmware | 𝑥 ≤ 8.60 | ADP |
| gallagher | controller_7000_firmware | 8.70 ≤ 𝑥 < 8.70.240520a | ADP |
| gallagher | controller_7000_firmware | 8.80 ≤ 𝑥 < 8.80.240520a | ADP |
| gallagher | controller_7000_firmware | 8.90 ≤ 𝑥 < 8.90.240520a | ADP |
| gallagher | controller_7000_firmware | 9.00 ≤ 𝑥 < 9.00.240521a | ADP |
| gallagher | controller_7000_firmware | 9.10 ≤ 𝑥 < 9.10.240520a | ADP |