CVE-2023-2306 - Vulnerability Details - OpenCVE

Qognify NiceVision versions 3.1 and prior are vulnerable to exposing sensitive information using hard-coded credentials. With these credentials an attacker can retrieve information about the cameras, user information, and modify database records.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00107.

Exploitation none

Automatable yes

Technical Impact total

Vendors	Products
Qognify	Nicevision

Configuration 1 [-]

cpe:2.3:a:qognify:nicevision:*:*:*:*:*:*:*:*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2023-33812	Qognify NiceVision versions 3.1 and prior are vulnerable to exposing sensitive information using hard-coded credentials. With these credentials an attacker can retrieve information about the cameras, user information, and modify database records.

Fixes

Solution

Qognify has released NiceVision v3.2 UP2 HF2. The latest release is available to customers who have an active SMA (Service Maintenance Agreement) with Qognify. For more information contact Qognify https://www.qognify.com/contact-us/ .

Workaround

No workaround given by the vendor.

References

Link	Providers
https://www.cisa.gov/news-events/ics-advisories/icsa-23-278-02

History

Thu, 16 Jan 2025 22:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: icscert

Published: 2023-10-05T16:46:42.171Z

Updated: 2025-01-16T21:29:36.919Z

Reserved: 2023-04-26T15:22:33.977Z

Link: CVE-2023-2306

Vulnrichment

Updated: 2024-08-02T06:19:14.612Z

NVD

Status : Modified

Published: 2023-10-05T17:15:11.373

Modified: 2024-11-21T07:58:21.180

Link: CVE-2023-2306

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-2306", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "state": "PUBLISHED", "assignerShortName": "icscert", "dateReserved": "2023-04-26T15:22:33.977Z", "datePublished": "2023-10-05T16:46:42.171Z", "dateUpdated": "2025-01-16T21:29:36.919Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "NiceVision", "vendor": "Qognify", "versions": [{"lessThanOrEqual": "3.1", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Roni Gavrilov of OTORIO reported this vulnerability to CISA."}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\n\n<p></p>\n\n<span style=\"background-color: rgb(255, 255, 255);\">Qognify NiceVision versions 3.1 and prior are vulnerable to exposing sensitive information using hard-coded credentials. With these credentials an attacker can retrieve information about the cameras, user information, and modify database records.</span>\n\n<br>\n\n"}], "value": "\n\n\n\n\nQognify NiceVision versions 3.1 and prior are vulnerable to exposing sensitive information using hard-coded credentials. With these credentials an attacker can retrieve information about the cameras, user information, and modify database records.\n\n\n\n\n"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-798", "description": "CWE-798 Use of Hard-coded Credentials", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2023-10-05T16:46:42.171Z"}, "references": [{"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-278-02"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\n\n<p>Qognify has released NiceVision v3.2 UP2 HF2. The latest release is available to customers who have an active SMA (Service Maintenance Agreement) with Qognify.</p><p>For more information contact <a target=\"_blank\" rel=\"nofollow\" href=\"https://www.qognify.com/contact-us/\">Qognify</a>.</p>\n\n<br>"}], "value": "\nQognify has released NiceVision v3.2 UP2 HF2. The latest release is available to customers who have an active SMA (Service Maintenance Agreement) with Qognify.\n\nFor more information contact Qognify https://www.qognify.com/contact-us/ .\n\n\n\n\n"}], "source": {"discovery": "UNKNOWN"}, "title": "Qognify NiceVision Use of Hard-coded Credentials", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T06:19:14.612Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-278-02", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-01-16T21:22:50.663812Z", "id": "CVE-2023-2306", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-16T21:29:36.919Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-278-02", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T06:19:14.612Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-2306", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-01-16T21:22:50.663812Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-16T21:22:52.143Z"}}], "cna": {"title": "Qognify NiceVision Use of Hard-coded Credentials", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Roni Gavrilov of OTORIO reported this vulnerability to CISA."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 10, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Qognify", "product": "NiceVision", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "3.1"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "\nQognify has released NiceVision v3.2 UP2 HF2. The latest release is available to customers who have an active SMA (Service Maintenance Agreement) with Qognify.\n\nFor more information contact Qognify https://www.qognify.com/contact-us/ .\n\n\n\n\n", "supportingMedia": [{"type": "text/html", "value": "\n\n<p>Qognify has released NiceVision v3.2 UP2 HF2. The latest release is available to customers who have an active SMA (Service Maintenance Agreement) with Qognify.</p><p>For more information contact <a target=\"_blank\" rel=\"nofollow\" href=\"https://www.qognify.com/contact-us/\">Qognify</a>.</p>\n\n<br>", "base64": false}]}], "references": [{"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-278-02"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "\n\n\n\n\nQognify NiceVision versions 3.1 and prior are vulnerable to exposing sensitive information using hard-coded credentials. With these credentials an attacker can retrieve information about the cameras, user information, and modify database records.\n\n\n\n\n", "supportingMedia": [{"type": "text/html", "value": "\n\n<p></p>\n\n<span style=\"background-color: rgb(255, 255, 255);\">Qognify NiceVision versions 3.1 and prior are vulnerable to exposing sensitive information using hard-coded credentials. With these credentials an attacker can retrieve information about the cameras, user information, and modify database records.</span>\n\n<br>\n\n", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-798", "description": "CWE-798 Use of Hard-coded Credentials"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2023-10-05T16:46:42.171Z"}}}, "cveMetadata": {"cveId": "CVE-2023-2306", "state": "PUBLISHED", "dateUpdated": "2025-01-16T21:29:36.919Z", "dateReserved": "2023-04-26T15:22:33.977Z", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "datePublished": "2023-10-05T16:46:42.171Z", "assignerShortName": "icscert"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:qognify:nicevision:*:*:*:*:*:*:*:*", "matchCriteriaId": "6354A1C6-107B-4CC9-BA9F-CEFB5AD4B6C6", "versionEndIncluding": "3.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "\n\n\n\n\nQognify NiceVision versions 3.1 and prior are vulnerable to exposing sensitive information using hard-coded credentials. With these credentials an attacker can retrieve information about the cameras, user information, and modify database records.\n\n\n\n\n"}, {"lang": "es", "value": "Las versiones 3.1 y anteriores de Qognify NiceVision son vulnerables a la exposici\u00f3n de informaci\u00f3n confidencial mediante credenciales codificadas. Con estas credenciales, un atacante puede recuperar informaci\u00f3n sobre las c\u00e1maras, informaci\u00f3n del usuario y modificar registros de la base de datos."}], "id": "CVE-2023-2306", "lastModified": "2024-11-21T07:58:21.180", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 6.0, "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-10-05T17:15:11.373", "references": [{"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-278-02"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-278-02"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-798"}], "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}