#VU95999 Use of cache containing sensitive information in SINEC Traffic Analyzer - CVE-2024-41906

Cybersecurity Help s.r.o.

Published: 2024-08-14

Vulnerability identifier: #VU95999

Vulnerability risk: Medium

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-41906

CWE-ID: CWE-524

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
SINEC Traffic Analyzer
Hardware solutions / Firmware

Vendor: Siemens

Description

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to the affected application does not properly handle cacheable HTTP responses in the web service. A remote attacker can read and modify data stored in the local cache.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

SINEC Traffic Analyzer: before 2.0

External links
https://cert-portal.siemens.com/productcert/html/ssa-716317.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerability in Siemens SINEC Traffic Analyzer