CVE-2023-6259 - OpenCVE

Insufficiently Protected Credentials, : Improper Access Control vulnerability in Brivo ACS100, ACS300 allows Password Recovery Exploitation, Bypassing Physical Security.This issue affects ACS100, ACS300: from 5.2.4 before 6.2.4.3.

Attack Vector Physical

Attack Complexity High

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

No data.

No data.

References

Link	Resource
https://sra.io/advisories/
https://support.brivo.com/l/en/article/g82txdwepa-brivo-firmware-release-notes#brivo_firmware_release_6_2_4_3

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: SRA

Published: 2024-02-19T21:28:01.273Z

Updated: 2024-02-21T14:48:34.059Z

Reserved: 2023-11-22T17:16:35.993Z

Link: CVE-2023-6259

JSON object: View

NVD Information

Status : Awaiting Analysis

Published: 2024-02-19T22:15:48.253

Modified: 2024-02-21T15:15:08.987

Link: CVE-2023-6259

JSON object: View

Redhat Information

No data.

CWE

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-6259", "assignerOrgId": "57dba5dd-1a03-47f6-8b36-e84e47d335d8", "state": "PUBLISHED", "assignerShortName": "SRA", "dateReserved": "2023-11-22T17:16:35.993Z", "datePublished": "2024-02-19T21:28:01.273Z", "dateUpdated": "2024-02-21T14:48:34.059Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unknown", "product": "ACS100, ACS300", "vendor": "Brivo", "versions": [{"lessThan": "6.2.4.3", "status": "affected", "version": "5.2.4", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Gabe Siftar (SRA)"}, {"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Krzysztof Grochal (SRA)"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Insufficiently Protected Credentials, : Improper Access Control vulnerability in Brivo ACS100, ACS300 allows Password Recovery Exploitation, Bypassing Physical Security.<p>This issue affects ACS100, ACS300: from 5.2.4 before 6.2.4.3.</p>"}], "value": "Insufficiently Protected Credentials, : Improper Access Control vulnerability in Brivo ACS100, ACS300 allows Password Recovery Exploitation, Bypassing Physical Security.This issue affects ACS100, ACS300: from 5.2.4 before 6.2.4.3.\n\n"}], "impacts": [{"capecId": "CAPEC-50", "descriptions": [{"lang": "en", "value": "CAPEC-50 Password Recovery Exploitation"}]}, {"capecId": "CAPEC-390", "descriptions": [{"lang": "en", "value": "CAPEC-390 Bypassing Physical Security"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "PHYSICAL", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-522", "description": "CWE-522 Insufficiently Protected Credentials", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-284", "description": "CWE-284: Improper Access Control", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "57dba5dd-1a03-47f6-8b36-e84e47d335d8", "shortName": "SRA", "dateUpdated": "2024-02-21T14:48:34.059Z"}, "references": [{"url": "https://sra.io/advisories/"}, {"url": "https://support.brivo.com/l/en/article/g82txdwepa-brivo-firmware-release-notes#brivo_firmware_release_6_2_4_3"}], "source": {"discovery": "UNKNOWN"}, "title": "Local Access to Sensitive Data in Brivo ACS100 and ACS300 ", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}}}