Unauthenticated Remote Attacker Could Gain Knowledge of Current Cycle Times and Communication Load
CVE-2024-46887
5.3MEDIUM
Key Information
- Vendor
- Siemens
- Status
- Simatic Drive Controller Cpu 1504d Tf
- Simatic Drive Controller Cpu 1507d Tf
- Simatic Et 200sp Open Controller Cpu 1515sp Pc2 (incl. Siplus Variants)
- Simatic S7-1500 Cpu 1510sp F-1 Pn
- Vendor
- CVE Published:
- 8 October 2024
Summary
The web server of affected devices do not properly authenticate user request to the '/ClientArea/RuntimeInfoData.mwsl' endpoint. This could allow an unauthenticated remote attacker to gain knowledge about current actual and configured maximum cycle times as well as about configured maximum communication load.
Affected Version(s)
SIMATIC Drive Controller CPU 1504D TF < 0
SIMATIC Drive Controller CPU 1507D TF < 0
SIMATIC ET 200SP Open Controller CPU 1515SP PC2 (incl. SIPLUS variants) < 0
CVSS V3.1
Score:
5.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged
Timeline
Vulnerability published.
Vulnerability Reserved.
Collectors
NVD DatabaseMitre Database