Unauthenticated Remote Attacker Could Gain Knowledge of Current Cycle Times and Communication Load

CVE-2024-46887

5.3MEDIUM

Key Information

Vendor
Siemens
Status
Simatic Drive Controller Cpu 1504d Tf
Simatic Drive Controller Cpu 1507d Tf
Simatic Et 200sp Open Controller Cpu 1515sp Pc2 (incl. Siplus Variants)
Simatic S7-1500 Cpu 1510sp F-1 Pn
Vendor
CVE Published:
8 October 2024

Summary

The web server of affected devices do not properly authenticate user request to the '/ClientArea/RuntimeInfoData.mwsl' endpoint. This could allow an unauthenticated remote attacker to gain knowledge about current actual and configured maximum cycle times as well as about configured maximum communication load.

Affected Version(s)

SIMATIC Drive Controller CPU 1504D TF < 0

SIMATIC Drive Controller CPU 1507D TF < 0

SIMATIC ET 200SP Open Controller CPU 1515SP PC2 (incl. SIPLUS variants) < 0

Refferences

CVSS V3.1

Score:
5.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Collectors

NVD DatabaseMitre Database
.