CVE-2023-0506 - OpenCVE

The web service of ByDemes Group Airspace CCTV Web Service in its 2.616.BY00.11 version, contains a privilege escalation vulnerability, detected in the Camera Control Panel, whose exploitation could allow a low-privileged attacker to gain administrator access.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Bydemes	Airspace Cctv Web Service

Configuration 1 [-]

cpe:2.3:a:bydemes:airspace_cctv_web_service:2.616.by00.11:*:*:*:*:*:*:*

References

Link	Resource
https://github.com/zerolynx/wstg/blob/master/document/4-Web_Application_Security_Testing/05-Authorization_Testing/02-Testing_for_Bypassing_Authorization_Schema.md	Not Applicable
https://www.incibe.es/en/incibe-cert/notices/aviso/inadequate-access-control-demes-group-products	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: INCIBE

Published: 2023-10-03T13:12:51.965Z

Updated: 2023-10-03T13:12:51.965Z

Reserved: 2023-01-25T10:12:33.756Z

Link: CVE-2023-0506

JSON object: View

NVD Information

Status : Analyzed

Published: 2023-10-03T14:15:10.473

Modified: 2023-10-05T01:00:10.663

Link: CVE-2023-0506

JSON object: View

Redhat Information

No data.

CWE

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-0506", "assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "state": "PUBLISHED", "assignerShortName": "INCIBE", "dateReserved": "2023-01-25T10:12:33.756Z", "datePublished": "2023-10-03T13:12:51.965Z", "dateUpdated": "2023-10-03T13:12:51.965Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Airspace CCTV Web Service", "vendor": "ByDemes Group", "versions": [{"status": "affected", "version": "2.616.BY00.11"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Camilo Andr\u00e9s Bruna"}], "datePublic": "2023-06-28T10:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "The web service of ByDemes Group Airspace CCTV Web Service in its 2.616.BY00.11 version, contains a privilege escalation vulnerability, detected in the Camera Control Panel, whose exploitation could allow a low-privileged attacker to gain administrator access."}], "value": "The web service of ByDemes Group Airspace CCTV Web Service in its 2.616.BY00.11 version, contains a privilege escalation vulnerability, detected in the Camera Control Panel, whose exploitation could allow a low-privileged attacker to gain administrator access."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "description": "CWE-284: Improper Access Control", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "shortName": "INCIBE", "dateUpdated": "2023-10-03T13:12:51.965Z"}, "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/inadequate-access-control-demes-group-products"}, {"url": "https://github.com/zerolynx/wstg/blob/master/document/4-Web_Application_Security_Testing/05-Authorization_Testing/02-Testing_for_Bypassing_Authorization_Schema.md"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "The reported vulnerability has already been fixed by the By Demes Group security team. Affected users are advised to upgrade to the latest version available. By Demes Group reminds that the affected devices are at end of life and are no longer supported, so it is recommended to upgrade to a newer model."}], "value": "The reported vulnerability has already been fixed by the By Demes Group security team. Affected users are advised to upgrade to the latest version available. By Demes Group reminds that the affected devices are at end of life and are no longer supported, so it is recommended to upgrade to a newer model."}], "source": {"discovery": "UNKNOWN"}, "title": "ByDemes Group Airspace CCTV Web Service Improper Access Control", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:bydemes:airspace_cctv_web_service:2.616.by00.11:*:*:*:*:*:*:*", "matchCriteriaId": "BC853657-76B9-41EC-AB9C-4C25D9501D69", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The web service of ByDemes Group Airspace CCTV Web Service in its 2.616.BY00.11 version, contains a privilege escalation vulnerability, detected in the Camera Control Panel, whose exploitation could allow a low-privileged attacker to gain administrator access."}, {"lang": "es", "value": "El servicio web de ByDemes Group Airspace CCTV Web Service en su versi\u00f3n 2.616.BY00.11, contiene una vulnerabilidad de escalada de privilegios, detectada en el Panel de Control de C\u00e1maras, cuya explotaci\u00f3n podr\u00eda permitir a un atacante con pocos privilegios obtener acceso de administrador."}], "id": "CVE-2023-0506", "lastModified": "2023-10-05T01:00:10.663", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "cve-coordination@incibe.es", "type": "Secondary"}]}, "published": "2023-10-03T14:15:10.473", "references": [{"source": "cve-coordination@incibe.es", "tags": ["Not Applicable"], "url": "https://github.com/zerolynx/wstg/blob/master/document/4-Web_Application_Security_Testing/05-Authorization_Testing/02-Testing_for_Bypassing_Authorization_Schema.md"}, {"source": "cve-coordination@incibe.es", "tags": ["Third Party Advisory"], "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/inadequate-access-control-demes-group-products"}], "sourceIdentifier": "cve-coordination@incibe.es", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-284"}], "source": "cve-coordination@incibe.es", "type": "Secondary"}]}