github - ghsa-q53x-4f23-hq3j

ghsa-q53x-4f23-hq3j

Vulnerability from github

Published

2023-04-18 18:30

Modified

2024-04-04 03:32

Severity ?

8.3 (High) - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H

Details

A CWE-287: Improper Authentication vulnerability exists that could allow a device to be compromised when a key of less than seven digits is entered and the attacker has access to the KNX installation.

Show details on source website

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2023-25556"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-04-18T18:15:07Z",
    "severity": "HIGH"
  },
  "details": "\nA CWE-287: Improper Authentication vulnerability exists that could allow a device to be\ncompromised when a key of less than seven digits is entered and the attacker has access to the\nKNX installation.\n\n",
  "id": "GHSA-q53x-4f23-hq3j",
  "modified": "2024-04-04T03:32:12Z",
  "published": "2023-04-18T18:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25556"
    },
    {
      "type": "WEB",
      "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2023-045-03\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2023-045-03.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

CVE-2023-25556 (GCVE-0-2023-25556)

Vulnerability from cvelistv5

Published

2023-04-18 17:03

Modified

2025-02-05 21:15

Severity ?

8.3 (High) - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H

CWE

CWE-287 - Improper Authentication

Summary

A CWE-287: Improper Authentication vulnerability exists that could allow a device to be compromised when a key of less than seven digits is entered and the attacker has access to the KNX installation.

References

URL

Tags

https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2023-045-03&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2023-045-03.pdf

Impacted products

Vendor

Product

Version

Schneider Electric

Merten INSTABUS Tastermodul 1fach System M 625199

Version: Program Version 1.0

	Schneider Electric	Merten INSTABUS Tastermodul 2fach System M 625299	Version: Program Version 1.0
	Schneider Electric	Merten Tasterschnittstelle 4fach plus 670804	Version: Program Version 1.0 Version: Program Version 1.2
	Schneider Electric	Merten KNX ARGUS 180/2,20M UP SYSTEM 631725	Version: Program Version 1.0
	Schneider Electric	Merten Jalousie-/Schaltaktor REG-K/8x/16x/10 m. HB 649908	Version: Program Version 1.0
	Schneider Electric	Merten KNX Uni-Dimmaktor LL REG-K/2x230/300 W MEG6710-0002	Version: Program Version 1.0 Version: Program Version 1.1
	Schneider Electric	Merten KNX Schaltakt.2x6A UP m.2 Eing. MEG6003-0002	Version: Program Version 0.1

Show details on NVD website

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T11:25:19.293Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2023-045-03\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2023-045-03.pdf"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-25556",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-05T21:15:37.967798Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-05T21:15:50.417Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Merten INSTABUS Tastermodul 1fach System M 625199",
          "vendor": "Schneider Electric",
          "versions": [
            {
              "status": "affected",
              "version": "Program Version 1.0"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Merten INSTABUS Tastermodul 2fach System M 625299",
          "vendor": "Schneider Electric",
          "versions": [
            {
              "status": "affected",
              "version": "Program Version 1.0"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Merten Tasterschnittstelle 4fach plus 670804",
          "vendor": "Schneider Electric",
          "versions": [
            {
              "status": "affected",
              "version": "Program Version 1.0"
            },
            {
              "status": "affected",
              "version": "Program Version 1.2"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Merten KNX ARGUS 180/2,20M UP SYSTEM 631725",
          "vendor": "Schneider Electric",
          "versions": [
            {
              "status": "affected",
              "version": "Program Version 1.0"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Merten Jalousie-/Schaltaktor REG-K/8x/16x/10 m. HB 649908",
          "vendor": "Schneider Electric",
          "versions": [
            {
              "status": "affected",
              "version": "Program Version 1.0"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Merten KNX Uni-Dimmaktor LL REG-K/2x230/300 W MEG6710-0002",
          "vendor": "Schneider Electric",
          "versions": [
            {
              "status": "affected",
              "version": "Program Version 1.0"
            },
            {
              "status": "affected",
              "version": "Program Version 1.1"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Merten KNX Schaltakt.2x6A UP m.2 Eing. MEG6003-0002",
          "vendor": "Schneider Electric",
          "versions": [
            {
              "status": "affected",
              "version": "Program Version 0.1"
            }
          ]
        }
      ],
      "datePublic": "2023-02-14T08:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\n\nA CWE-287: Improper Authentication vulnerability exists that could allow a device to be\ncompromised when a key of less than seven digits is entered and the attacker has access to the\nKNX installation.\n\n"
            }
          ],
          "value": "\nA CWE-287: Improper Authentication vulnerability exists that could allow a device to be\ncompromised when a key of less than seven digits is entered and the attacker has access to the\nKNX installation.\n\n"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.3,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-287",
              "description": "CWE-287 Improper Authentication",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-04-18T17:03:07.661Z",
        "orgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb",
        "shortName": "schneider"
      },
      "references": [
        {
          "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2023-045-03\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2023-045-03.pdf"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb",
    "assignerShortName": "schneider",
    "cveId": "CVE-2023-25556",
    "datePublished": "2023-04-18T17:03:07.661Z",
    "dateReserved": "2023-02-07T17:00:03.780Z",
    "dateUpdated": "2025-02-05T21:15:50.417Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Log in or create an account to share your comment.

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.