CVE-2024-34032
Published: 2024-05-03
Priority: P3 (59), High
CVSS 3.1 base score: 8.8 (High), vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 8.74% (94.5th percentile)
Delta Electronics DIAEnergie is vulnerable to an SQL injection vulnerability that exists in the GetDIACloudList endpoint. An authenticated attacker can exploit this issue to potentially compromise the system on which DIAEnergie is deployed.
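The advisory names the class of bug (CWE-89) and the endpoint, but not the query or parameter involved. The following is an added illustration, not DIAEnergie's code: it models a "cloud list" lookup behind an authenticated endpoint, shows the string-concatenated form beside the parameterized fix, and runs the same low-privilege input through both. The table, columns, `owner` parameter and sample rows are all constructed assumptions for the demo.

```python
import sqlite3

# Constructed sample data standing in for whatever DIAEnergie stores behind
# GetDIACloudList. Table, columns and the `owner` parameter are assumptions
# for this demonstration, not the product's schema or code.
SAMPLE_ROWS = [
    ("alice", "plant-a-cloud", "token-a"),
    ("bob", "plant-b-cloud", "token-b"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cloud_list (owner TEXT, name TEXT, api_token TEXT)")
    conn.executemany("INSERT INTO cloud_list VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def get_cloud_list_vulnerable(conn, owner):
    # CWE-89: an authenticated caller's input is spliced into the SQL text,
    # so the value can rewrite the WHERE clause.
    sql = f"SELECT name, api_token FROM cloud_list WHERE owner = '{owner}'"
    return conn.execute(sql).fetchall()


def get_cloud_list_fixed(conn, owner):
    # Bound parameter: the driver sends the value separately from the query
    # text, so quotes and keywords inside it are just data.
    sql = "SELECT name, api_token FROM cloud_list WHERE owner = ?"
    return conn.execute(sql, (owner,)).fetchall()


def demo():
    """Run both variants against the same input and return the rows each one yields."""
    conn = make_db()
    payload = "alice' OR '1'='1"   # classic tautology; only alice's rows should be visible
    return {
        "vulnerable": get_cloud_list_vulnerable(conn, payload),
        "fixed": get_cloud_list_fixed(conn, payload),
        "legitimate": get_cloud_list_fixed(conn, "alice"),
    }


if __name__ == "__main__":
    for variant, rows in demo().items():
        print(f"{variant:11s} -> {rows}")
```

The vulnerable variant returns every row, including another tenant's token, which is the "retrieve confidential information" outcome the CISA risk evaluation describes; the fixed variant returns nothing for the payload and only the caller's own row for an honest value. Because exploitation requires an authenticated account, the compensating controls while patching are the usual ones: restrict who can reach the web interface, keep low-privilege accounts to a minimum, and watch the database for queries carrying quote-and-OR tautologies.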
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| delta_electronics | diaenergie | — | — |
| deltaww | diaenergie | — | — |
No version ranges are recorded for DIAEnergie in this index. Two further ranges for github.com/cilium/cilium (>= 1.15.0 < 1.15.8, fixed in 1.15.8; >= 1.16.0 < 1.16.1, fixed in 1.16.1) were attached to this record, but they belong to CVE-2024-42486 (see the Cilium GHSA entry below); the association appears to come from the matching pull request number cilium/cilium#34032, not from this CVE.
CISA ICS Advisory ICSA-24-123-02: Delta Electronics DIAEnergie
Source: cisa_ics · Release date: May 02, 2024 · CVSS 8.8 [HIGH]
## 1. EXECUTIVE SUMMARY
- CVSS v4 9.3
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Delta Electronics
- Equipment: DIAEnergie
- Vulnerabilities: SQL Injection, Path Traversal
## 2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an authenticated attacker with limited privileges to escalate privileges, retrieve confidential information, upload arbitrary files, backdoor the application, and compromise the system on which DIAEnergie is deployed.
## 3. TECHNICAL DETAILS
## 3.1 AFFECTED PRODUCTS
The following versions of Delta Electronics DIAEnergie, an industrial energy management system, are affected:
-
GHSA (CVE-2024-42486, MEDIUM, CWE-200) · 2024-08-16
Cilium leaks information via incorrect ReferenceGrant update logic in Gateway API
### Impact
Due to ReferenceGrant changes not being immediately propagated in Cilium's GatewayAPI controller, Gateway resources are able to access secrets in other namespaces after the associated ReferenceGrant has been revoked. This can lead to Gateways continuing to establish sessions using secrets that they should no longer have access to.
### Patches
This issue was resolved in https://github.com/cilium/cilium/pull/34032.
This issue affects:
- Cilium v1.15 between v1.15.0 and v1.15.7 inclusive
- Cilium v1.16.0
This issue has been patched in:
- Cilium v1.15.8
- Cilium v1.16.1
### Workarounds
Any modification of a related Gateway/HTTPRoute/GRPCRoute/TCPRoute CRD (for example, adding any label to any
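The propagation failure described in the Impact section, modelled in Python as an added example: this is not Cilium's controller code, and the namespaces, object names and the two controller classes are constructed for the illustration. It implements the Gateway API ReferenceGrant rule (a cross-namespace reference is allowed only while a grant in the target namespace matches the referring kind and namespace), then contrasts a controller that evaluates the grant only when the Gateway is reconciled with one that re-checks it at use time, and shows why touching the Gateway works as a workaround.

```python
from dataclasses import dataclass, field
from typing import Optional

# Model of the Gateway API ReferenceGrant check. Added illustration, not Cilium's
# controller code; the namespaces and object names below are constructed.


@dataclass(frozen=True)
class ReferenceGrant:
    namespace: str                  # a grant lives in the namespace that owns the target object
    from_kind: str                  # e.g. "Gateway"
    from_namespace: str
    to_kind: str                    # e.g. "Secret"
    to_name: Optional[str] = None   # None: any object of that kind in the namespace


@dataclass
class Cluster:
    grants: set = field(default_factory=set)

    def allows(self, from_kind, from_ns, to_kind, to_ns, to_name):
        """Is this cross-namespace reference permitted right now?"""
        if from_ns == to_ns:
            return True   # same-namespace references never need a grant
        return any(
            g.namespace == to_ns
            and g.from_kind == from_kind
            and g.from_namespace == from_ns
            and g.to_kind == to_kind
            and g.to_name in (None, to_name)
            for g in self.grants
        )


class StaleController:
    """Evaluates grants only when the Gateway itself is reconciled (the behaviour described above)."""

    def __init__(self, cluster):
        self.cluster = cluster
        self.cache = {}

    def reconcile_gateway(self, gw_ns, secret_ns, secret_name):
        key = (gw_ns, secret_ns, secret_name)
        self.cache[key] = self.cluster.allows("Gateway", gw_ns, "Secret", secret_ns, secret_name)

    def can_use_secret(self, gw_ns, secret_ns, secret_name):
        return self.cache.get((gw_ns, secret_ns, secret_name), False)


class FixedController(StaleController):
    """Re-checks the grant at use time, the effect of requeueing Gateways on ReferenceGrant events."""

    def can_use_secret(self, gw_ns, secret_ns, secret_name):
        return self.cluster.allows("Gateway", gw_ns, "Secret", secret_ns, secret_name)


def scenario(controller_cls):
    """Grant access, reconcile, revoke the grant, and report (before, after)."""
    cluster = Cluster()
    grant = ReferenceGrant("certs", "Gateway", "edge", "Secret", "tls-cert")
    cluster.grants.add(grant)
    ctl = controller_cls(cluster)
    ctl.reconcile_gateway("edge", "certs", "tls-cert")
    before = ctl.can_use_secret("edge", "certs", "tls-cert")
    cluster.grants.discard(grant)        # ReferenceGrant deleted by the certs namespace owner
    after = ctl.can_use_secret("edge", "certs", "tls-cert")
    return before, after


def workaround():
    """The advisory's workaround: touching the Gateway forces a reconcile on the stale controller."""
    cluster = Cluster()
    grant = ReferenceGrant("certs", "Gateway", "edge", "Secret", "tls-cert")
    cluster.grants.add(grant)
    ctl = StaleController(cluster)
    ctl.reconcile_gateway("edge", "certs", "tls-cert")
    cluster.grants.discard(grant)
    ctl.reconcile_gateway("edge", "certs", "tls-cert")   # e.g. after adding a label to the Gateway
    return ctl.can_use_secret("edge", "certs", "tls-cert")


if __name__ == "__main__":
    print("stale controller (before, after revoke):", scenario(StaleController))
    print("fixed controller (before, after revoke):", scenario(FixedController))
    print("stale controller after touching the Gateway:", workaround())
```

The stale controller keeps answering "allowed" after the grant is gone, which is exactly the window in which a Gateway can still terminate TLS with a Secret its namespace no longer has permission to read. Any event that re-runs reconciliation for the Gateway closes that window, which is why the workaround above is to modify the related Gateway or Route objects.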
GHSA-w3w9-w55m-2gwf (ghsa_unreviewed, CVE-2024-34032, HIGH, CWE-89) · 2024-05-03
Delta Electronics DIAEnergie is vulnerable to an SQL injection vulnerability that exists in the GetDIACloudList endpoint. An authenticated attacker can exploit this issue to potentially compromise the system on which DIAEnergie is deployed.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2024-05-03