PT-2024-8720 · Siemens · Sinec Ins

Published: 2024-11-12 · Updated: 2024-11-12 · CVE-2024-46894

CVSS v3.1: 6.3 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions: SINEC INS versions prior to V1.0 SP2 Update 3

Description: The vulnerability is an error in the user authorization check for the "/api/sftp/users" endpoint. An authenticated remote attacker could use it to learn the list of users configured for the SFTP service and to modify that configuration.

Recommendations: For versions prior to V1.0 SP2 Update 3, update to V1.0 SP2 Update 3 or later. As a temporary workaround, restrict access to the "/api/sftp/users" endpoint until the fix is applied, and avoid using the endpoint for sensitive operations until then.
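As an added illustration of the missing control (example code, not the advisory's or Siemens's), the following contrasts an authentication-only gate with a deny-by-default authorization check that requires an explicit admin role for every method on "/api/sftp/users"; the policy table, role names and request shape are assumptions.

```python
# Added example, not vendor code: deny-by-default authorization of the kind
# the advisory says was missing for "/api/sftp/users". The policy table,
# roles and Request shape are constructed for illustration.
from dataclasses import dataclass
from typing import Optional

# Hypothetical policy: endpoint -> {HTTP method -> roles allowed}.
# Reading and changing the SFTP user list are both admin-only.
POLICY = {
    "/api/sftp/users": {
        "GET": {"admin"}, "PUT": {"admin"}, "POST": {"admin"}, "DELETE": {"admin"},
    },
    "/api/status": {"GET": {"admin", "operator", "viewer"}},
}

@dataclass
class Request:
    path: str
    method: str
    user: Optional[str]   # None means unauthenticated
    role: Optional[str]

def authenticated_only(req: Request) -> bool:
    """Flawed pattern: any logged-in account passes, regardless of role.
    This mirrors the class of error described in the advisory."""
    return req.user is not None

def authorize(req: Request) -> bool:
    """Hardened check: authentication plus an explicit per-endpoint,
    per-method role requirement. Anything not listed is denied."""
    if req.user is None or req.role is None:
        return False
    allowed = POLICY.get(req.path, {}).get(req.method.upper())
    if not allowed:
        return False  # unknown route or method: deny by default
    return req.role in allowed

def audit_line(req: Request, decision: bool) -> str:
    """Log line for detection: DENY entries from low-privilege accounts on
    admin-only endpoints are worth alerting on."""
    verdict = "ALLOW" if decision else "DENY"
    return f"authz {verdict} user={req.user} role={req.role} {req.method} {req.path}"

if __name__ == "__main__":
    low = Request("/api/sftp/users", "GET", "operator1", "operator")
    print(audit_line(low, authenticated_only(low)))  # flawed gate lets it through
    print(audit_line(low, authorize(low)))           # hardened gate denies it
```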

Fix

Weakness Enumeration

Incorrect Default Permissions
Information Disclosure

Related Identifiers

BDU:2024-10323
CVE-2024-46894

Affected Products

Sinec Ins