CVE-2023-34429 - OpenCVE

Weintek Weincloud v0.13.6 could allow an attacker to cause a denial-of-service condition for Weincloud by sending a forged JWT token.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Weintek	Weincloud

Configuration 1 [-]

cpe:2.3:a:weintek:weincloud:0.13.6:*:*:*:*:*:*:*

References

Link	Resource
https://www.cisa.gov/news-events/ics-advisories/icsa-23-199-04	Third Party Advisory US Government Resource

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: icscert

Published: 2023-07-19T21:45:39.544Z

Updated: 2023-07-19T21:45:39.544Z

Reserved: 2023-07-13T15:55:48.894Z

Link: CVE-2023-34429

JSON object: View

NVD Information

Status : Analyzed

Published: 2023-07-19T22:15:11.073

Modified: 2023-07-26T16:17:36.467

Link: CVE-2023-34429

JSON object: View

Redhat Information

No data.

CWE

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-34429", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "state": "PUBLISHED", "assignerShortName": "icscert", "dateReserved": "2023-07-13T15:55:48.894Z", "datePublished": "2023-07-19T21:45:39.544Z", "dateUpdated": "2023-07-19T21:45:39.544Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Weincloud", "vendor": "Weintek", "versions": [{"lessThanOrEqual": "0.13.6", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "\u200bHank Chen (PSIRT and Threat Research of TXOne Networks) reported these vulnerabilities to CISA."}], "datePublic": "2023-07-18T17:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\n\n<span style=\"background-color: rgb(255, 255, 255);\">\n\n<span style=\"background-color: rgb(255, 255, 255);\">Weintek Weincloud v<span style=\"background-color: rgb(255, 255, 255);\">0.13.6</span>\n\n \n\n<span style=\"background-color: rgb(255, 255, 255);\">could <span style=\"background-color: rgb(255, 255, 255);\"><span style=\"background-color: rgb(255, 255, 255);\">allow an attacker to cause a denial-of-service condition for Weincloud by sending a forged JWT token.</span>\n\n</span>\n\n</span>\n\n</span>\n\n</span>\n\n"}], "value": "\n\n\nWeintek Weincloud v0.13.6\n\n \n\ncould allow an attacker to cause a denial-of-service condition for Weincloud by sending a forged JWT token.\n\n\n\n\n\n\n\n\n\n"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-237", "description": "CWE-237 Improper Handling of Structural Elements", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2023-07-19T21:45:39.544Z"}, "references": [{"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-199-04"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\n\n<p></p>\n\n<p>\u200bWeintek has updated their account API to v0.13.8, which has fixed the issue. This fix does not require any action for users.</p><p>\u200b</p>"}], "value": "\n\n\n\n\n\u200bWeintek has updated their account API to v0.13.8, which has fixed the issue. This fix does not require any action for users.\n\n\u200b\n\n"}], "source": {"advisory": "ICSA-23-199-04", "discovery": "EXTERNAL"}, "title": "Weintek Weincloud Improper Handling of Structural Elements", "workarounds": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\n\n<p>Additional mitigations are recommended to help reduce risk:</p><ul><li>\u200bLog in on trusted computers if possible. Log out after usage on un-trusted ones.</li><li>\u200bOn the HMIs, if the online services are not used, set to offline mode for EasyAccess 2.0 or Dashboard services using system reserved addresses.</li><li>\u200bRegularly change passwords to reduce risks.</li><li>\u200bMinimize network exposure for all control system devices and/or systems, and ensure they are not accessible- only applicable devices and/or systems have access to the internet.</li></ul>\n\n<br>"}], "value": "\nAdditional mitigations are recommended to help reduce risk:\n\n * \u200bLog in on trusted computers if possible. Log out after usage on un-trusted ones.\n * \u200bOn the HMIs, if the online services are not used, set to offline mode for EasyAccess 2.0 or Dashboard services using system reserved addresses.\n * \u200bRegularly change passwords to reduce risks.\n * \u200bMinimize network exposure for all control system devices and/or systems, and ensure they are not accessible- only applicable devices and/or systems have access to the internet.\n\n\n\n\n\n"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}}}