CVE-2023-29413 - OpenCVE

A CWE-306: Missing Authentication for Critical Function vulnerability exists that could cause Denial-of-Service when accessed by an unauthenticated user on the Schneider UPS Monitor service.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Microsoft	Windows 11 Windows 10 Windows Server 2022 Windows Server 2019 Windows Server 2016
Schneider-electric	Easy Ups Online Monitoring Software Apc Easy Ups Online Monitoring Software

Configuration 1 [-]

AND

cpe:2.3:a:schneider-electric:apc_easy_ups_online_monitoring_software:*:*:*:*:*:*:*:*

OR	cpe:2.3:o:microsoft:windows_10:-:::::::*
	cpe:2.3:o:microsoft:windows_11:-::::::-:
	cpe:2.3:o:microsoft:windows_server_2016:-:::::::*
	cpe:2.3:o:microsoft:windows_server_2019:-:::::::*
	cpe:2.3:o:microsoft:windows_server_2022:-:::::::*

Configuration 2 [-]

AND

cpe:2.3:a:schneider-electric:easy_ups_online_monitoring_software:*:*:*:*:*:*:*:*

OR	cpe:2.3:o:microsoft:windows_10:-:::::::*
	cpe:2.3:o:microsoft:windows_11:-::::::-:
	cpe:2.3:o:microsoft:windows_server_2016:-:::::::*
	cpe:2.3:o:microsoft:windows_server_2019:-:::::::*
	cpe:2.3:o:microsoft:windows_server_2022:-:::::::*

References

Link	Resource
https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2023-101-04&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2023-101-04.pdf	Mitigation Patch Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: schneider

Published: 2023-04-18T20:50:53.336Z

Updated: 2023-04-18T20:50:53.336Z

Reserved: 2023-04-05T20:35:41.367Z

Link: CVE-2023-29413

JSON object: View

NVD Information

Status : Analyzed

Published: 2023-04-18T21:15:09.523

Modified: 2023-04-28T13:26:11.537

Link: CVE-2023-29413

JSON object: View

Redhat Information

No data.

CWE

CWE-306

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-29413", "assignerOrgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", "state": "PUBLISHED", "assignerShortName": "schneider", "dateReserved": "2023-04-05T20:35:41.367Z", "datePublished": "2023-04-18T20:50:53.336Z", "dateUpdated": "2023-04-18T20:50:53.336Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "APC Easy UPS Online Monitoring Software (Windows 10, 11 Windows Server 2016, 2019, 2022)", "vendor": "Schneider Electric", "versions": [{"lessThanOrEqual": "prior", "status": "affected", "version": "V2.5-GA-01-22320", "versionType": "custom"}]}, {"defaultStatus": "unaffected", "product": "Schneider Electric Easy UPS Online Monitoring Software (Windows 10, 11 Windows Server 2016, 2019, 2022)", "vendor": "Schneider Electric", "versions": [{"lessThanOrEqual": "prior", "status": "affected", "version": "V2.5-GS-01-22320", "versionType": "custom"}]}], "datePublic": "2023-04-11T07:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\n\nA CWE-306: Missing Authentication for Critical Function vulnerability exists that could cause\nDenial-of-Service when accessed by an unauthenticated user on the Schneider UPS Monitor\nservice. \n\n \n\n\n\n"}], "value": "\nA CWE-306: Missing Authentication for Critical Function vulnerability exists that could cause\nDenial-of-Service when accessed by an unauthenticated user on the Schneider UPS Monitor\nservice. \n\n \n\n\n\n"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-306", "description": "CWE-306 Missing Authentication for Critical Function", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", "shortName": "schneider", "dateUpdated": "2023-04-18T20:50:53.336Z"}, "references": [{"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2023-101-04&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2023-101-04.pdf"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:schneider-electric:apc_easy_ups_online_monitoring_software:*:*:*:*:*:*:*:*", "matchCriteriaId": "D52617D6-0503-4B6B-A59D-441E0D1F4296", "versionEndIncluding": "2.5-ga-01-22320", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*", "matchCriteriaId": "21540673-614A-4D40-8BD7-3F07723803B0", "vulnerable": false}, {"criteria": "cpe:2.3:o:microsoft:windows_11:-:*:*:*:*:*:-:*", "matchCriteriaId": "647F2145-B063-43EA-8045-32D3B4D893F6", "vulnerable": false}, {"criteria": "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "matchCriteriaId": "041FF8BA-0B12-4A1F-B4BF-9C4F33B7C1E7", "vulnerable": false}, {"criteria": "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "matchCriteriaId": "DB79EE26-FC32-417D-A49C-A1A63165A968", "vulnerable": false}, {"criteria": "cpe:2.3:o:microsoft:windows_server_2022:-:*:*:*:*:*:*:*", "matchCriteriaId": "821614DD-37DD-44E2-A8A4-FE8D23A33C3C", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:schneider-electric:easy_ups_online_monitoring_software:*:*:*:*:*:*:*:*", "matchCriteriaId": "1849E03C-445A-4225-AECD-B4A7502F5F3B", "versionEndIncluding": "2.5-gs-01-22320", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*", "matchCriteriaId": "21540673-614A-4D40-8BD7-3F07723803B0", "vulnerable": false}, {"criteria": "cpe:2.3:o:microsoft:windows_11:-:*:*:*:*:*:-:*", "matchCriteriaId": "647F2145-B063-43EA-8045-32D3B4D893F6", "vulnerable": false}, {"criteria": "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "matchCriteriaId": "041FF8BA-0B12-4A1F-B4BF-9C4F33B7C1E7", "vulnerable": false}, {"criteria": "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "matchCriteriaId": "DB79EE26-FC32-417D-A49C-A1A63165A968", "vulnerable": false}, {"criteria": "cpe:2.3:o:microsoft:windows_server_2022:-:*:*:*:*:*:*:*", "matchCriteriaId": "821614DD-37DD-44E2-A8A4-FE8D23A33C3C", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "\nA CWE-306: Missing Authentication for Critical Function vulnerability exists that could cause\nDenial-of-Service when accessed by an unauthenticated user on the Schneider UPS Monitor\nservice. \n\n \n\n\n\n"}], "id": "CVE-2023-29413", "lastModified": "2023-04-28T13:26:11.537", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "cybersecurity@se.com", "type": "Secondary"}]}, "published": "2023-04-18T21:15:09.523", "references": [{"source": "cybersecurity@se.com", "tags": ["Mitigation", "Patch", "Vendor Advisory"], "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2023-101-04&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2023-101-04.pdf"}], "sourceIdentifier": "cybersecurity@se.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-306"}], "source": "cybersecurity@se.com", "type": "Primary"}]}