CVE-2024-23317

Severity: Medium CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L

Components affected: Controller 6000 and Controller 7000

Reported by: Gallagher Internal

Active exploitation of vulnerability*: No

Description of vulnerability: 
External Control of File Name or Path (CWE-73) in the Controller 6000 and Controller 7000 allows an attacker with local access to the Controller to perform arbitrary code execution. 

This issue affects: 9.10 prior to vCR9.10.240520a (distributed in 9.10.1268(MR1)), 9.00 prior to vCR9.00.240521a (distributed in 9.00.1990(MR3)), 8.90 prior to vCR8.90.240520a (distributed in 8.90.1947 (MR4)), 8.80 prior to vCR8.80.240520a (distributed in 8.80.1726 (MR5)), 8.70 prior to vCR8.70.240520a (distributed in 8.70.2824 (MR7)), all versions of 8.60 and prior.

Mitigation: Exploitation of the vulnerability would require local controller access and specialist knowledge or tools.

Maintenance releases are now available for:

•  v9.10 - v9.10.1268(MR1)
• v9.00 - v9.00.1990(MR3)
• v8.90 - v8.90.1947(MR4)
• v8.80 - v8.80.1726(MR5)
• v8.70 - v8.70.2824(MR7)

Important notes:

*This indicates whether Gallagher are aware of this being actively exploited against customer sites at the time of publication.