CVE-2024-37999

A vulnerability has been identified in Medicalis Workflow Orchestrator (All versions). The affected application executes as a trusted account with high privileges and network access. This could allow an authenticated local attacker to escalate privileges.

CVSS v3 7.8 HIGH

7.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://www.siemens-healthineers.com/en-us/support-documentation/cybersecurity/shsa-501799	Broken Link
https://www.siemens-healthineers.com/en-us/support-documentation/cybersecurity/shsa-501799	Broken Link

Configurations

Configuration 1 (hide)

cpe:2.3:a:siemens:medicalis_workflow_orchestrator:*:*:*:*:*:*:*:*

History

21 Nov 2024, 09:24

Type	Values Removed	Values Added
References	~~() https://www.siemens-healthineers.com/en-us/support-documentation/cybersecurity/shsa-501799 - Broken Link~~	() https://www.siemens-healthineers.com/en-us/support-documentation/cybersecurity/shsa-501799 - Broken Link

11 Jul 2024, 14:44

Type	Values Removed	Values Added
First Time		Siemens medicalis Workflow Orchestrator Siemens
CPE		cpe:2.3:a:siemens:medicalis_workflow_orchestrator::::::::
CWE		NVD-CWE-noinfo
References	~~() https://www.siemens-healthineers.com/en-us/support-documentation/cybersecurity/shsa-501799 -~~	() https://www.siemens-healthineers.com/en-us/support-documentation/cybersecurity/shsa-501799 - Broken Link

08 Jul 2024, 15:49

Type	Values Removed	Values Added
Summary		(es) Se ha identificado una vulnerabilidad en Medicalis Workflow Orchestrator (todas las versiones). La aplicación afectada se ejecuta como una cuenta confiable con altos privilegios y acceso a la red. Esto podría permitir que un atacante local autenticado escale privilegios.

08 Jul 2024, 11:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-07-08 11:15

Updated : 2024-11-21 09:24

NVD link : CVE-2024-37999

Mitre link : CVE-2024-37999

CVE.ORG link : CVE-2024-37999

JSON object : View

Products Affected

siemens

medicalis_workflow_orchestrator

CWE

CWE-282

Improper Ownership Management

NVD-CWE-noinfo

{"id": "CVE-2024-37999", "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "productcert@siemens.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}], "cvssMetricV40": [{"type": "Secondary", "source": "productcert@siemens.com", "cvssData": {"safety": "NOT_DEFINED", "version": "4.0", "recovery": "NOT_DEFINED", "baseScore": 8.5, "automatable": "NOT_DEFINED", "attackVector": "LOCAL", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "modifiedAttackVector": "NOT_DEFINED", "integrityRequirements": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "availabilityRequirements": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subsequentSystemIntegrity": "NONE", "vulnerableSystemIntegrity": "HIGH", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "confidentialityRequirements": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "subsequentSystemAvailability": "NONE", "vulnerableSystemAvailability": "HIGH", "subsequentSystemConfidentiality": "NONE", "vulnerableSystemConfidentiality": "HIGH", "modifiedSubsequentSystemIntegrity": "NOT_DEFINED", "modifiedVulnerableSystemIntegrity": "NOT_DEFINED", "modifiedSubsequentSystemAvailability": "NOT_DEFINED", "modifiedVulnerableSystemAvailability": "NOT_DEFINED", "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED", "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED"}}]}, "published": "2024-07-08T11:15:10.487", "references": [{"url": "https://www.siemens-healthineers.com/en-us/support-documentation/cybersecurity/shsa-501799", "tags": ["Broken Link"], "source": "productcert@siemens.com"}, {"url": "https://www.siemens-healthineers.com/en-us/support-documentation/cybersecurity/shsa-501799", "tags": ["Broken Link"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "productcert@siemens.com", "description": [{"lang": "en", "value": "CWE-282"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability has been identified in Medicalis Workflow Orchestrator (All versions). The affected application executes as a trusted account with high privileges and network access. This could allow an authenticated local attacker to escalate privileges."}, {"lang": "es", "value": "Se ha identificado una vulnerabilidad en Medicalis Workflow Orchestrator (todas las versiones). La aplicaci\u00f3n afectada se ejecuta como una cuenta confiable con altos privilegios y acceso a la red. Esto podr\u00eda permitir que un atacante local autenticado escale privilegios."}], "lastModified": "2024-11-21T09:24:40.843", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:siemens:medicalis_workflow_orchestrator:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B41D288A-8939-4C75-94C9-F199CE866B20"}], "operator": "OR"}]}], "sourceIdentifier": "productcert@siemens.com"}