{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2024-12056","assignerOrgId":"87c8e6ad-f0f5-4ca8-89e2-89f26d6ed932","state":"PUBLISHED","assignerShortName":"arcinfo","dateReserved":"2024-12-02T19:57:19.644Z","datePublished":"2024-12-04T14:30:35.838Z","dateUpdated":"2024-12-04T15:00:50.503Z"},"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","modules":["OAuth web service"],"product":"PcVue","vendor":"arcinfo","versions":[{"lessThan":"16.2.2","status":"affected","version":"12.0","versionType":"cpe"}]}],"configurations":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"Only the Web server where the Web &amp; Mobile features are deployed is affected."}],"value":"Only the Web server where the Web & Mobile features are deployed is affected."}],"datePublic":"2024-12-01T23:00:00.000Z","descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"The client secret is not checked when a token is requested with the OAuth Password (Resource Owner Password Credentials) grant type.<br><br>By exploiting this vulnerability, an attacker who holds valid user credentials could connect to the Web server using a client application that was not explicitly authorized as part of the OAuth deployment.<br>Exploitation requires valid user credentials and does not permit the attacker to act beyond the privileges of that user.<br><p></p><p></p>"}],"value":"The client secret is not checked when a token is requested with the OAuth Password (Resource Owner Password Credentials) grant type.\n\nBy exploiting this vulnerability, an attacker who holds valid user credentials could connect to the Web server using a client application that was not explicitly authorized as part of the OAuth deployment.\nExploitation requires valid user credentials and does not permit the attacker to act beyond the privileges of that user."}],"exploits":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"No POC available."}],"value":"No POC available."},{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"Not known to be exploited."}],"value":"Not known to be 
exploited."}],"metrics":[{"cvssV4_0":{"Automatable":"NO","Recovery":"USER","Safety":"NOT_DEFINED","attackComplexity":"HIGH","attackRequirements":"NONE","attackVector":"NETWORK","baseScore":2.3,"baseSeverity":"LOW","privilegesRequired":"NONE","providerUrgency":"GREEN","subAvailabilityImpact":"NONE","subConfidentialityImpact":"LOW","subIntegrityImpact":"LOW","userInteraction":"PASSIVE","valueDensity":"NOT_DEFINED","vectorString":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/AU:N/R:U/RE:M/U:Green","version":"4.0","vulnAvailabilityImpact":"NONE","vulnConfidentialityImpact":"LOW","vulnIntegrityImpact":"LOW","vulnerabilityResponseEffort":"MODERATE"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-358","description":"CWE-358 Improperly Implemented Security Check for Standard","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"87c8e6ad-f0f5-4ca8-89e2-89f26d6ed932","shortName":"arcinfo","dateUpdated":"2024-12-04T14:30:35.838Z"},"references":[{"tags":["vendor-advisory"],"url":"https://www.pcvue.com/security/security/#SB2024-4"}],"solutions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<b><u>Uninstall the Web Server:</u></b><br>The OAuth web service is part of the Web Server for PcVue. If your system does not require the use of the Web &amp; Mobile features, you should make sure not to install them. <br><br><b><u>Update the Web Deployment Console (WDC) and re-deploy the Web Server:</u></b><br>Install a patched release of the product, including the Web Deployment Console (WDC), and use the WDC to re-deploy the Web Server.<br><br><u><b>Available patches:</b></u><br>Fixed in:<br><ul><li>PcVue 16.2.2</li></ul><br>"}],"value":"Uninstall the Web Server:\nThe OAuth web service is part of the Web Server for PcVue. If your system does not require the use of the Web & Mobile features, you should make sure not to install them. 
\n\nUpdate the Web Deployment Console (WDC) and re-deploy the Web Server:\nInstall a patched release of the product, including the Web Deployment Console (WDC), and use the WDC to re-deploy the Web Server.\n\nAvailable patches:\nFixed in:\n  *  PcVue 16.2.2"}],"source":{"advisory":"SB2024-4","discovery":"INTERNAL"},"title":"Client Secret not checked with OAuth Password grant type","x_generator":{"engine":"Vulnogram 0.2.0"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2024-12-04T14:47:29.632279Z","id":"CVE-2024-12056","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2024-12-04T15:00:50.503Z"}}]}}