Summary
SIDIS Prime before V4.0.800 is affected by multiple vulnerabilities in the components OpenSSL, SQLite, and several Node.js packages as described below. Siemens has released a new version of SIDIS Prime and recommends to update to the latest version.
The following versions of Siemens SIDIS Prime are affected:
- SIDIS Prime vers:intdot/<4.0.800 (CVE-2024-29857, CVE-2024-30171, CVE-2024-30172, CVE-2024-41996, CVE-2025-6965, CVE-2025-7783, CVE-2025-9230, CVE-2025-9232, CVE-2025-9670, CVE-2025-12816, CVE-2025-15284, CVE-2025-58751, CVE-2025-58752, CVE-2025-58754, CVE-2025-62522, CVE-2025-64718, CVE-2025-64756, CVE-2025-66030, CVE-2025-66031, CVE-2025-66035, CVE-2025-66412, CVE-2025-69277, CVE-2026-22610)
| CVSS | Vendor | Equipment | Vulnerabilities |
|---|---|---|---|
| v3 8.7 | Siemens | Siemens SIDIS Prime | Out-of-bounds Read, Observable Discrepancy, Improper Input Validation, Improper Certificate Validation, Numeric Truncation Error, Use of Insufficiently Random Values, Out-of-bounds Write, Inefficient Regular Expression Complexity, Interpretation Conflict, Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’), Relative Path Traversal, Allocation of Resources Without Limits or Throttling, Improperly Controlled Modification of Object Prototype Attributes (‘Prototype Pollution’), Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’), Integer Overflow or Wraparound, Uncontrolled Recursion, Insertion of Sensitive Information Into Sent Data, Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’), Incomplete List of Disallowed Inputs |
Background
- Critical Infrastructure Sectors: Critical Manufacturing
- Countries/Areas Deployed: Worldwide
- Company Headquarters Location: Germany
Vulnerabilities
CVE-2024-29857
An issue was discovered in ECCurve.java and ECCurve.cs in Bouncy Castle Java (BC Java) before 1.78, BC Java LTS before 2.73.6, BC-FJA before 1.0.2.5, and BC C# .Net before 2.3.1. Importing an EC certificate with crafted F2m parameters can lead to excessive CPU consumption during the evaluation of the curve parameters.
Affected Products
Siemens SIDIS Prime
Siemens
SIDIS Prime
known_affected
Remediations
Vendor fix
Update to V4.0.800 or later version
Relevant CWE: CWE-125 Out-of-bounds Read
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
CVE-2024-30171
An issue was discovered in Bouncy Castle Java TLS API and JSSE Provider before 1.78. Timing-based leakage may occur in RSA based handshakes because of exception processing.
Affected Products
Siemens SIDIS Prime
Siemens
SIDIS Prime
known_affected
Remediations
Vendor fix
Update to V4.0.800 or later version
Releva
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
Read the original article: