Description
A vulnerability in the Incoming Goods Suite allows a user with unprivileged access to the underlying system (e.g. local or via SSH) a privilege escalation to the administrative level due to the usage of component vendor Docker images running with root permissions. Exploiting this misconfiguration leads to the fact that an attacker can gain administrative control. over the whole system.
References (6)
Core 6
Core References
Various Sources x_sick psirt website
https://sick.com/psirt
Various Sources x_sick operating guidelines
https://cdn.sick.com/media/docs/1/11/411/Special_information_CYBERSECURITY_BY_SICK_en_IM0084411.PDF
Third Party Advisory, US Government Resource x_ics-cert recommended practices on industrial security
https://www.cisa.gov/resources-tools/resources/ics-recommended-practices
Various Sources x_cvss v3.1 calculator
https://www.first.org/cvss/calculator/3.1
Various Sources vendor-advisory
https://www.sick.com/.well-known/csaf/white/2024/sca-2024-0005.pdf
Various Sources vendor-advisory
x_csaf
https://www.sick.com/.well-known/csaf/white/2024/sca-2024-0005.json
Scores
CVSS v3
8.8
EPSS
0.0021
EPSS Percentile
11.0%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-250
Status
published
Products (1)
SICK AG/SICK Incoming Goods Suite
1.0.0
Published
Nov 19, 2024
Tracked Since
Feb 18, 2026