CVE-2023-5391 - OpenCVE

A CWE-502: Deserialization of untrusted data vulnerability exists that could allow an attacker to execute arbitrary code on the targeted system by sending a specifically crafted packet to the application.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Schneider-electric	Ecostruxure Power Operation With Advanced Reports Ecostruxure Power Scada Operation With Advanced Reports Ecostruxure Power Monitoring Expert

Configuration 1 [-]

OR	cpe:2.3:a:schneider-electric:ecostruxure_power_monitoring_expert::::::::
	cpe:2.3:a:schneider-electric:ecostruxure_power_operation_with_advanced_reports::::::::
	cpe:2.3:a:schneider-electric:ecostruxure_power_scada_operation_with_advanced_reports::::::::

References

Link	Resource
https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2023-283-02&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2023-283-02.pdf	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: schneider

Published: 2023-10-04T18:13:00.746Z

Updated: 2023-10-11T08:25:11.967Z

Reserved: 2023-10-04T17:50:08.965Z

Link: CVE-2023-5391

JSON object: View

NVD Information

Status : Analyzed

Published: 2023-10-04T19:15:10.777

Modified: 2024-02-01T00:49:46.897

Link: CVE-2023-5391

JSON object: View

Redhat Information

No data.

CWE

CWE-502

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-5391", "assignerOrgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", "state": "PUBLISHED", "assignerShortName": "schneider", "dateReserved": "2023-10-04T17:50:08.965Z", "datePublished": "2023-10-04T18:13:00.746Z", "dateUpdated": "2023-10-11T08:25:11.967Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "EcoStruxure Power Monitoring Expert", "vendor": "Schneider Electric", "versions": [{"status": "affected", "version": "All versions \u2013 prior to application of Hotfix-145271"}]}, {"defaultStatus": "unaffected", "product": "EcoStruxure Power Operation (EPO) with Advanced Reports", "vendor": "Schneider Electric", "versions": [{"status": "affected", "version": "All versions \u2013 prior to application of Hotfix-145271"}]}, {"defaultStatus": "unaffected", "product": "EcoStruxure Power SCADA Operation with Advanced Reports", "vendor": "Schneider Electric", "versions": [{"status": "affected", "version": "All versions \u2013 prior to application of Hotfix-145271"}]}], "datePublic": "2023-10-10T17:55:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\n\n\n\nA CWE-502: Deserialization of untrusted data vulnerability exists that could allow an attacker to\nexecute arbitrary code on the targeted system by sending a specifically crafted packet to the\napplication.\n\n\n\n<br>"}], "value": "\n\n\nA CWE-502: Deserialization of untrusted data vulnerability exists that could allow an attacker to\nexecute arbitrary code on the targeted system by sending a specifically crafted packet to the\napplication.\n\n\n\n\n"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", "shortName": "schneider", "dateUpdated": "2023-10-11T08:25:11.967Z"}, "references": [{"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2023-283-02&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2023-283-02.pdf"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:schneider-electric:ecostruxure_power_monitoring_expert:*:*:*:*:*:*:*:*", "matchCriteriaId": "B682ECD9-985F-4906-B936-DD388165063A", "vulnerable": true}, {"criteria": "cpe:2.3:a:schneider-electric:ecostruxure_power_operation_with_advanced_reports:*:*:*:*:*:*:*:*", "matchCriteriaId": "8A9E16D1-278E-4E0B-A604-13096B7A9029", "vulnerable": true}, {"criteria": "cpe:2.3:a:schneider-electric:ecostruxure_power_scada_operation_with_advanced_reports:*:*:*:*:*:*:*:*", "matchCriteriaId": "DC4A71CF-78EA-43F9-B7BA-9ED3C7816173", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "\n\n\nA CWE-502: Deserialization of untrusted data vulnerability exists that could allow an attacker to\nexecute arbitrary code on the targeted system by sending a specifically crafted packet to the\napplication.\n\n\n\n\n"}, {"lang": "es", "value": "CWE-502: Existe una vulnerabilidad deserializaci\u00f3n de datos no confiables que podr\u00eda permitir a un atacante ejecutar c\u00f3digo arbitrario en el sistema objetivo enviando un paquete espec\u00edficamente manipulado a la aplicaci\u00f3n."}], "id": "CVE-2023-5391", "lastModified": "2024-02-01T00:49:46.897", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "cybersecurity@se.com", "type": "Secondary"}]}, "published": "2023-10-04T19:15:10.777", "references": [{"source": "cybersecurity@se.com", "tags": ["Vendor Advisory"], "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2023-283-02&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2023-283-02.pdf"}], "sourceIdentifier": "cybersecurity@se.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "cybersecurity@se.com", "type": "Primary"}]}