CVE-2024-12056

Client Secret not checked with OAuth Password grant type

Description

The Client secret is not checked when using the OAuth Password grant type. By exploiting this vulnerability, an attacker could connect to a web server using a client application not explicitly authorized as part of the OAuth deployment. Exploitation requires valid credentials and does not permit the attacker to bypass user privileges.
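The following is an added illustration of the flaw class described above, not code from PcVue or from the vendor advisory: a minimal OAuth token endpoint handler for the Resource Owner Password Credentials grant, once as written without client authentication and once with the check that RFC 6749 §4.3.2 requires for a confidential client. The client, user and secret values are constructed for the example; how PcVue's own Web Server implements the grant is not described on this page.

```python
import hashlib
import hmac
import secrets

# Constructed sample registry for the example: one confidential client and one user.
# Only hashes are stored; the plaintext values exist here solely to build the sample.
CLIENT_ID = "mobile-app"
CLIENT_SECRET = "s3cr3t-client-value"
USER = "operator"
USER_PASSWORD = "correct horse battery staple"


def _hash(value: str) -> bytes:
    return hashlib.sha256(value.encode()).digest()


CLIENTS = {CLIENT_ID: _hash(CLIENT_SECRET)}
USERS = {USER: _hash(USER_PASSWORD)}


def _verify(store: dict, name, presented) -> bool:
    """Constant-time check of a presented secret against the stored hash for `name`."""
    expected = store.get(name)
    if expected is None or presented is None:
        # Still do a comparison so unknown names take the same time as wrong secrets.
        hmac.compare_digest(_hash(""), _hash(presented or ""))
        return False
    return hmac.compare_digest(expected, _hash(presented))


def _issue_token() -> dict:
    return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


def token_vulnerable(form: dict) -> dict:
    """Password grant that validates the user but never the client secret.

    Any caller that knows a registered client_id and a valid user credential
    obtains a token, so unauthorized client applications are accepted.
    """
    if form.get("grant_type") != "password":
        return {"error": "unsupported_grant_type"}
    if form.get("client_id") not in CLIENTS:
        return {"error": "invalid_client"}
    if not _verify(USERS, form.get("username"), form.get("password")):
        return {"error": "invalid_grant"}
    return _issue_token()


def token_fixed(form: dict) -> dict:
    """Same grant, but the confidential client must authenticate before the
    user credentials are even looked at (RFC 6749 section 4.3.2)."""
    if form.get("grant_type") != "password":
        return {"error": "unsupported_grant_type"}
    if not _verify(CLIENTS, form.get("client_id"), form.get("client_secret")):
        return {"error": "invalid_client"}
    if not _verify(USERS, form.get("username"), form.get("password")):
        return {"error": "invalid_grant"}
    return _issue_token()


if __name__ == "__main__":
    request = {
        "grant_type": "password",
        "client_id": CLIENT_ID,
        "client_secret": "not-the-real-secret",
        "username": USER,
        "password": USER_PASSWORD,
    }
    print("vulnerable:", token_vulnerable(request))  # issues a token despite the bad secret
    print("fixed:     ", token_fixed(request))       # {'error': 'invalid_client'}
```

The fixed variant returns `invalid_client` before touching the user's password, which also keeps an unauthorized client from using the endpoint to test user credentials; the vulnerable variant matches the advisory's note that a valid user credential is still required, since only the client check is missing.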

Remediation

Solution:

  • Uninstall the Web Server: The OAuth web service is part of the Web Server for PcVue. If your system does not require the use of the Web & Mobile features, you should make sure not to install them.
  • Update the Web Deployment Console (WDC) and re-deploy the Web Server: Install a patched release of the product, including the Web Deployment Console (WDC), and use the WDC to re-deploy the Web Server.

Available patches: Fixed in PcVue 16.2.2

CVSS

Score: 2.3 (CVSS 4.0)
Severity: Low
EPSS: 0.07%
Vendor Advisory: pcvue.com
Affected: arcinfo PcVue


Frequently Asked Questions

What is the severity of CVE-2024-12056?
CVE-2024-12056 has been scored as a low severity vulnerability.
How to fix CVE-2024-12056?
To fix CVE-2024-12056: Uninstall the Web Server: The OAuth web service is part of the Web Server for PcVue. If your system does not require the use of the Web & Mobile features, you should make sure not to install them. Update the Web Deployment Console (WDC) and re-deploy the Web Server: Install a patched release of the product, including the Web Deployment Console (WDC), and use the WDC to re-deploy the Web Server. Available patches: Fixed in PcVue 16.2.2
Is CVE-2024-12056 being actively exploited in the wild?
As of now, there is no information to confirm that CVE-2024-12056 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2024-12056?
CVE-2024-12056 affects arcinfo PcVue.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registered trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registered trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.