CVE-2024-42017

Oct. 29, 2024, 3:35 p.m.

10.0
Critical

Description

An issue was discovered in Atos Eviden iCare 2.7.1 through 2.7.11. The application exposes a web interface locally. In the worst-case scenario, if the application is remotely accessible, it allows an attacker to execute arbitrary commands with system privilege on the endpoint hosting the application, without any authentication.

Product(s) Impacted

Product Versions
Atos Eviden iCare
  • 2.7.1
  • 2.7.2
  • 2.7.3
  • 2.7.4
  • 2.7.5
  • 2.7.6
  • 2.7.7
  • 2.7.8
  • 2.7.9
  • 2.7.10
  • 2.7.11

Weaknesses

CWE-306
Missing Authentication for Critical Function
The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

References

https://eviden.com
https://support.bull.com/ols/product/security/psirt/security-bulletins/multiple-critical-vulnerabilities-in-icare-psirt-625-tlp-clear-version-0-7-cve-2024-42017/view

Tags

cve@mitre.org
CWE-306
2024-09-30
CVE-2024-42017

CVSS Score

10.0 / 10

CVSS Data

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • Scope: CHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: HIGH
    • View Vector String

    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Date

  • Published: Sept. 30, 2024, 6:15 p.m.
  • Last Modified: Oct. 29, 2024, 3:35 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

cve@mitre.org

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.