CVE-2024-46894
EUVD-2024-4214012.11.2024, 13:15
A vulnerability has been identified in SINEC INS (All versions < V1.0 SP2 Update 3). The affected application does not properly validate authorization of a user to query the "/api/sftp/users" endpoint. This could allow an authenticated remote attacker to gain knowledge about the list of configured users of the SFTP service and also modify that configuration.Enginsight
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| siemens | sinec_ins | 𝑥 ≤ 1.0 |
| siemens | sinec_ins | 1.0:sp1 |
| siemens | sinec_ins | 1.0:sp2 |
| siemens | sinec_ins | 1.0:sp2_update_1 |
| siemens | sinec_ins | 1.0:sp2_update_2 |
𝑥
= Vulnerable software versions
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
| Vendor | Product | Version | Source |
|---|---|---|---|
| siemens | sinec_ins | 𝑥 < v1.0_sp2_update_3 | ADP |
Common Weakness Enumeration
- CWE-200 - Exposure of Sensitive Information to an Unauthorized ActorThe product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
- CWE-276 - Incorrect Default PermissionsDuring installation, installed file permissions are set to allow anyone to modify those files.