The affected products and versions are vulnerable because they integrate a vulnerable software component, docker runc <= 1.1.11. In the worst case, the integrated Docker container environment could be compromised, potentially enabling the execution of arbitrary code within the Docker environment or in neighboring Docker containers if Dockerfiles or Docker images from untrusted sources are used.

It is important to emphasize that while the Docker environment is vulnerable, the host operating system remains unaffected because it is isolated from the Docker environment within the ads-tec products.

Using Docker images or Dockerfiles from untrusted sources poses a risk. This advice is especially pertinent to Docker use in production operational technology (OT) environments, and we expect our customers to adhere strictly to this guidance in any case.



CVE-2024-24781: If the above-mentioned products are loaded at wire speed (1 Gbit/s or 100 Mbit/s), the resources of the Ethernet controller are exhausted and it must be reset automatically by the system once the load subsides. This leads to an interruption (DoS) of all other communication of the affected Ethernet controller.

CVE-2024-24782: Most of the above-mentioned products offer a VLAN feature. This helps to segregate the ports of the switch included in each of the products; VLANs are meant to segregate networks. Furthermore, a MAC-learning mode called "conservative" is provided. In this mode the ARP table is updated at the earliest after 1 to 2 times the ARP aging time.

X-SB 01 (985210207) is not affected by this CVE.





The PITreader product family uses the third-party component uC/HTTP to implement the web server functionality. uC/HTTP is affected by multiple vulnerabilities. These vulnerabilities may enable an attacker to gain full control over the system.



Pilz: Vulnerability in PASvisu and PMI v8xx

Multiple Pilz products are affected by stored cross-site scripting (XSS) vulnerabilities. The vulnerabilities may enable an attacker to gain full control over the system.

Update 27.02.2024: Fixed typo in advisory title.



The TRUMPF CAD/CAM software tools mentioned above use the vulnerable CodeMeter Runtime application (up to version 7.60d) from WIBU-SYSTEMS AG to manage licenses within the TRUMPF License Expert component. This CodeMeter application contains new vulnerabilities, which may enable an attacker to gain full access to the server or workstation on which the TRUMPF License Expert has been installed. A new version of the TRUMPF License Expert that fixes these vulnerabilities is available.



Multiple vulnerabilities in the included versions of OpenSSL can lead to various problems, including crashes of the OpenSSL modules (resulting in a Denial of Service) or leakage of plaintext. These underlying vulnerabilities can be fixed by installing a software update provided by TRUMPF.



The TRUMPF products listed above contain a vulnerable version of Notepad++. This version is installed for support purposes only, so there is no danger of triggering this vulnerability in Notepad++ during normal operations. Nevertheless, TRUMPF recommends mitigating this vulnerability.

When a specially crafted file containing UTF-8 characters is edited in Notepad++ (versions up to 8.5.6) and converted to UTF-16, a buffer overflow vulnerability can be exploited that allows an attacker to execute arbitrary code and take over the whole system.


