CVE-2024-1624 CRITICAL

CVE-2024-1624: OS Command Injection vulnerability affecting documentation server on certain Releases of 3DEXPERIENCE, SIMULIA Abaqus, SIMULIA Isight and CATIA Composer

Vendor Dassault Systèmes

Product Documentation server

Weakness CWE-78

Published March 1, 2024

Last update August 28, 2024

View on NVD All CVEs

CVSS base score

9.4/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality Low

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H

What the vulnerability does

01Description

An OS Command Injection vulnerability affecting documentation server on 3DEXPERIENCE from Release 3DEXPERIENCE R2022x through Release 3DEXPERIENCE R2024x, SIMULIA Abaqus from Release 2022 through Release 2024, SIMULIA Isight from Release 2022 through Release 2024 and CATIA Composer from Release R2023 through Release R2024. A specially crafted HTTP request can lead to arbitrary command execution.

Key dates

02Disclosure timeline

March 1, 2024 CVE published

August 28, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2024-1624 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/78.html

Related vulnerabilities

Identifiers

CVE CVE-2024-1624

CWE CWE-78

CVSS 9.4 / CRITICAL

Affected versions

Vendor Dassault Systèmes

Product Documentation server

Affected ≥ Release 3DEXPERIENCE R2022x Golden and ≤ Release 3DEXPERIENCE R2022x.FP.CFA.2406

Vendor Dassault Systèmes

Product Documentation server

Affected ≥ Release 3DEXPERIENCE R2023x Golden and ≤ Release 3DEXPERIENCE R2023x FP.CFA.2350

Vendor Dassault Systèmes

Product Documentation server

Affected ≥ Release 3DEXPERIENCE R2024x Golden and ≤ Release 3DEXPERIENCE R2024x.FP.CFA.2405

Vendor Dassault Systèmes

Product Documentation server

Affected ≥ SIMULIA Abaqus Release 2022 Golden and ≤ SIMULIA Abaqus Release 2022.FP.CFA.2406

Vendor Dassault Systèmes

Product Documentation server

Affected ≥ SIMULIA Abaqus Release 2023 Golden and ≤ SIMULIA Abaqus Release 2023.FP.CFA.2350

Vendor Dassault Systèmes

Product Documentation server

Affected ≥ SIMULIA Abaqus Release 2024 Golden and ≤ SIMULIA Abaqus Release 2024.FP.CFA.2405

Vendor Dassault Systèmes

Product Documentation server

Affected SIMULIA Isight Release 2022 Golden

Vendor Dassault Systèmes

Product Documentation server

Affected SIMULIA Isight Release 2023 Golden

Vendor Dassault Systèmes

Product Documentation server

Affected SIMULIA Isight Release 2024 Golden

Vendor Dassault Systèmes

Product Documentation server

Affected ≥ CATIA Composer Release R2023 Golden and ≤ CATIA Composer Release R2023 Refresh4

Vendor Dassault Systèmes

Product Documentation server

Affected ≥ CATIA Composer Release R2024 Golden and ≤ CATIA Composer Release R2024 Refresh3

CVE-2024-1624: OS Command Injection vulnerability affecting documentation server on certain Releases of 3DEXPERIENCE, SIMULIA Abaqus, SIMULIA Isight and CATIA Composer

01Description

02Disclosure timeline

03References

04Related CVE