CVE-2023-28901 - OpenCVE

The Skoda Automotive cloud contains a Broken Access Control vulnerability, allowing remote attackers to obtain recent trip data, vehicle mileage, fuel consumption, average and maximum speed, and other information of Skoda Connect service users by specifying an arbitrary vehicle VIN number.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Skoda-auto	Skoda Connect

Configuration 1 [-]

cpe:2.3:a:skoda-auto:skoda_connect:-:*:*:*:*:*:*:*

References

Link	Resource
https://asrg.io/security-advisories/cve-2023-28901/	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: ASRG

Published: 2024-01-18T16:27:43.711Z

Updated: 2024-01-18T16:27:43.711Z

Reserved: 2023-03-27T14:51:13.968Z

Link: CVE-2023-28901

JSON object: View

NVD Information

Status : Analyzed

Published: 2024-01-18T17:15:14.003

Modified: 2024-01-26T15:01:23.443

Link: CVE-2023-28901

JSON object: View

Redhat Information

No data.

CWE

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-28901", "assignerOrgId": "c15abc07-96a9-4d11-a503-5d621bfe42ba", "state": "PUBLISHED", "assignerShortName": "ASRG", "dateReserved": "2023-03-27T14:51:13.968Z", "datePublished": "2024-01-18T16:27:43.711Z", "dateUpdated": "2024-01-18T16:27:43.711Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Skoda Connect", "vendor": "Skoda Auto", "versions": [{"status": "affected", "version": "0"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Anna Breeva (PCAutomotive)"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "The Skoda Automotive cloud contains a Broken Access Control vulnerability, allowing remote attackers to obtain recent trip data, vehicle mileage, fuel consumption, average and maximum speed, and other information of Skoda Connect service users by specifying an arbitrary vehicle VIN number."}], "value": "The Skoda Automotive cloud contains a Broken Access Control vulnerability, allowing remote attackers to obtain recent trip data, vehicle mileage, fuel consumption, average and maximum speed, and other information of Skoda Connect service users by specifying an arbitrary vehicle VIN number."}], "impacts": [{"capecId": "CAPEC-116", "descriptions": [{"lang": "en", "value": "CAPEC-116 Excavation"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "c15abc07-96a9-4d11-a503-5d621bfe42ba", "shortName": "ASRG", "dateUpdated": "2024-01-18T16:27:43.711Z"}, "references": [{"url": "https://asrg.io/security-advisories/cve-2023-28901/"}], "source": {"discovery": "EXTERNAL"}, "title": "Trip Data Disclosure from Backend", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:skoda-auto:skoda_connect:-:*:*:*:*:*:*:*", "matchCriteriaId": "52F83D74-D8F0-4D6C-B382-6E1ECE9373AF", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The Skoda Automotive cloud contains a Broken Access Control vulnerability, allowing remote attackers to obtain recent trip data, vehicle mileage, fuel consumption, average and maximum speed, and other information of Skoda Connect service users by specifying an arbitrary vehicle VIN number."}, {"lang": "es", "value": "La nube de Skoda Automotive contiene una vulnerabilidad de control de acceso roto, que permite a atacantes remotos obtener datos de viajes recientes, kilometraje del veh\u00edculo, consumo de combustible, velocidad media y m\u00e1xima y otra informaci\u00f3n de los usuarios del servicio Skoda Connect especificando un n\u00famero VIN arbitrario del veh\u00edculo."}], "id": "CVE-2023-28901", "lastModified": "2024-01-26T15:01:23.443", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "cve@asrg.io", "type": "Secondary"}]}, "published": "2024-01-18T17:15:14.003", "references": [{"source": "cve@asrg.io", "tags": ["Third Party Advisory"], "url": "https://asrg.io/security-advisories/cve-2023-28901/"}], "sourceIdentifier": "cve@asrg.io", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-200"}], "source": "cve@asrg.io", "type": "Secondary"}]}