OTPulse

Siemens Polarion ALM

Priority: Monitor
CVSS: 6.5
ICS-CERT: ICSA-24-137-04
Published: May 14, 2024

Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

The Apache Lucene-based query engine in Siemens Polarion ALM lacks proper access controls for project-level data. An authenticated user can craft queries that return work items and project information from projects outside their assigned scope, bypassing the intended access restrictions. The vulnerability affects all Polarion ALM versions prior to 2404.0.

What this means
What could happen
An authenticated user with access to Polarion ALM could query and view project data and work items they should not have permission to see, potentially exposing sensitive project information like requirements, defects, or design details across the organization.
Who's at risk
Organizations using Siemens Polarion ALM for application lifecycle management, requirements traceability, or product development documentation. This affects IT teams managing development tools and any users whose Polarion project data could be disclosed to other authenticated users without authorization.
How it could be exploited
An attacker with valid Polarion ALM credentials could craft queries using the Apache Lucene query engine to bypass project-level access controls and retrieve items from projects outside their assigned scope. This requires existing authentication but no special privileges.
Prerequisites
  • Valid Polarion ALM user credentials
  • Network access to Polarion ALM web interface
  • Siemens Polarion ALM version prior to 2404.0
  • Remotely exploitable
  • Requires authentication but low complexity exploitation
  • Affects confidentiality of project data
  • Cross-project data leakage possible
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
Product        Affected Versions   Fix Status
Polarion ALM   < V2404.0           2404.0
Remediation & Mitigation
Do now
WORKAROUND: Implement network access controls to limit Polarion ALM exposure to authorized users only; use firewall rules to restrict access to the application
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update Siemens Polarion ALM to version 2404.0 or later
Long-term hardening
HARDENING: Segment Polarion ALM and related development infrastructure from general business networks
HARDENING: Review user access permissions and project assignments in Polarion ALM to ensure least-privilege access
API: /api/v1/advisories/9ef9185d-8bd3-4e10-8473-4e4a6eb2b744