CVE-2023-5101 - OpenCVE

Files or Directories Accessible to External Parties in RDT400 in SICK APU allows an unprivileged remote attacker to download various files from the server via HTTP requests.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Sick	Apu0200 Firmware Apu0200

Configuration 1 [-]

AND

cpe:2.3:o:sick:apu0200_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:sick:apu0200:-:*:*:*:*:*:*:*

References

Link	Resource
https://sick.com/.well-known/csaf/white/2023/sca-2023-0010.json	Vendor Advisory
https://sick.com/.well-known/csaf/white/2023/sca-2023-0010.pdf	Vendor Advisory
https://sick.com/psirt	Product

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: SICK AG

Published: 2023-10-09T12:07:13.545Z

Updated: 2023-10-09T12:07:13.545Z

Reserved: 2023-09-21T07:10:37.521Z

Link: CVE-2023-5101

JSON object: View

NVD Information

Status : Analyzed

Published: 2023-10-09T13:15:10.557

Modified: 2023-10-11T18:41:21.633

Link: CVE-2023-5101

JSON object: View

Redhat Information

No data.

CWE

CWE-552

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-5101", "assignerOrgId": "a6863dd2-93fc-443d-bef1-79f0b5020988", "state": "PUBLISHED", "assignerShortName": "SICK AG", "dateReserved": "2023-09-21T07:10:37.521Z", "datePublished": "2023-10-09T12:07:13.545Z", "dateUpdated": "2023-10-09T12:07:13.545Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "affected", "product": "APU0200", "vendor": "SICK AG", "versions": [{"status": "affected", "version": "all versions"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\n\nFiles or Directories Accessible to External Parties in RDT400 in SICK APU allows an\nunprivileged remote attacker to download various files from the server via HTTP requests.\n\n"}], "value": "\nFiles or Directories Accessible to External Parties in RDT400 in SICK APU allows an\nunprivileged remote attacker to download various files from the server via HTTP requests.\n\n"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-552", "description": "CWE-552 Files or Directories Accessible to External Parties", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "a6863dd2-93fc-443d-bef1-79f0b5020988", "shortName": "SICK AG", "dateUpdated": "2023-10-09T12:07:13.545Z"}, "references": [{"tags": ["issue-tracking"], "url": "https://sick.com/psirt"}, {"tags": ["vendor-advisory"], "url": "https://sick.com/.well-known/csaf/white/2023/sca-2023-0010.pdf"}, {"tags": ["x_csaf"], "url": "https://sick.com/.well-known/csaf/white/2023/sca-2023-0010.json"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\n\n\n\nThe recommended solution is to update the image to a version >= 4.0.0.6 as soon as possible.<br>"}], "value": "\n\n\nThe recommended solution is to update the image to a version >= 4.0.0.6 as soon as possible.\n"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:sick:apu0200_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "B2A3C873-A9B5-4AF8-8703-F00233E56A5E", "versionEndExcluding": "4.0.0.6", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:sick:apu0200:-:*:*:*:*:*:*:*", "matchCriteriaId": "0E32F3FD-FB2B-4F73-AD20-8AB98B02FCF1", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "\nFiles or Directories Accessible to External Parties in RDT400 in SICK APU allows an\nunprivileged remote attacker to download various files from the server via HTTP requests.\n\n"}, {"lang": "es", "value": "Archivos o directorios accesibles a partes externas en RDT400 en SICK APU permiten a un atacante remoto sin privilegios descargar varios archivos desde el servidor a trav\u00e9s de solicitudes HTTP."}], "id": "CVE-2023-5101", "lastModified": "2023-10-11T18:41:21.633", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "psirt@sick.de", "type": "Secondary"}]}, "published": "2023-10-09T13:15:10.557", "references": [{"source": "psirt@sick.de", "tags": ["Vendor Advisory"], "url": "https://sick.com/.well-known/csaf/white/2023/sca-2023-0010.json"}, {"source": "psirt@sick.de", "tags": ["Vendor Advisory"], "url": "https://sick.com/.well-known/csaf/white/2023/sca-2023-0010.pdf"}, {"source": "psirt@sick.de", "tags": ["Product"], "url": "https://sick.com/psirt"}], "sourceIdentifier": "psirt@sick.de", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-552"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-552"}], "source": "psirt@sick.de", "type": "Secondary"}]}