CVE-2023-23691 - OpenCVE

Dell EMC PV ME5, versions ME5.1.0.0.0 and ME5.1.0.1.0, contains a Client-side desync Vulnerability. An unauthenticated attacker could potentially exploit this vulnerability to force a victim's browser to desynchronize its connection with the website, typically leading to XSS and DoS.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Dell	Powervault Me5012 Powervault Me5012 Firmware Powervault Me5024 Powervault Me5024 Firmware Powervault Me5084 Powervault Me5084 Firmware

Configuration 1 [-]

AND

cpe:2.3:o:dell:powervault_me5012_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:dell:powervault_me5012:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:dell:powervault_me5024_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:dell:powervault_me5024:-:*:*:*:*:*:*:*

Configuration 3 [-]

AND

cpe:2.3:o:dell:powervault_me5084_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:dell:powervault_me5084:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://www.dell.com/support/kbdoc/en-us/000207533/dsa-2023-018-dell-emc-powervault-me5-security-update-for-a-client-desync-attack-vulnerability

History

No history.

MITRE

Status: PUBLISHED

Assigner: dell

Published: 2023-01-20T07:16:02.818Z

Updated: 2024-08-02T10:35:33.687Z

Reserved: 2023-01-17T05:22:17.394Z

Link: CVE-2023-23691

Vulnrichment

No data.

NVD

Status : Modified

Published: 2023-01-20T08:15:17.193

Modified: 2023-11-07T04:07:52.270

Link: CVE-2023-23691

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-23691", "assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "state": "PUBLISHED", "assignerShortName": "dell", "dateReserved": "2023-01-17T05:22:17.394Z", "datePublished": "2023-01-20T07:16:02.818Z", "dateUpdated": "2024-08-02T10:35:33.687Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Dell PowerVault ME5", "vendor": "Dell", "versions": [{"lessThan": "ME5.1.1.0.5", "status": "affected", "version": "0", "versionType": "custom"}]}], "datePublic": "2023-01-17T06:30:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\n\n<span style=\"background-color: rgb(255, 255, 255);\">Dell EMC PV ME5, versions ME5.1.0.0.0 and ME5.1.0.1.0, contains a Client-side desync Vulnerability. An unauthenticated attacker could potentially exploit this vulnerability to force a victim's browser to desynchronize its connection with the website, typically leading to XSS and DoS.</span>\n\n"}], "value": "\nDell EMC PV ME5, versions ME5.1.0.0.0 and ME5.1.0.1.0, contains a Client-side desync Vulnerability. An unauthenticated attacker could potentially exploit this vulnerability to force a victim's browser to desynchronize its connection with the website, typically leading to XSS and DoS.\n\n"}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-444", "description": "CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "shortName": "dell", "dateUpdated": "2023-01-20T07:16:02.818Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://www.dell.com/support/kbdoc/en-us/000207533/dsa-2023-018-dell-emc-powervault-me5-security-update-for-a-client-desync-attack-vulnerability"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T10:35:33.687Z"}, "title": "CVE Program Container", "references": [{"tags": ["vendor-advisory", "x_transferred"], "url": "https://www.dell.com/support/kbdoc/en-us/000207533/dsa-2023-018-dell-emc-powervault-me5-security-update-for-a-client-desync-attack-vulnerability"}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:dell:powervault_me5012_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "A02045C1-AF78-47AF-8FD9-2505DA8B1D75", "versionEndExcluding": "me5.1.1.0.5", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:dell:powervault_me5012:-:*:*:*:*:*:*:*", "matchCriteriaId": "F5504865-CF03-4B7D-9448-F334044EF4CB", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:dell:powervault_me5024_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "AE7B7D46-01AF-4B50-B7A3-828E135F4A47", "versionEndExcluding": "me5.1.1.0.5", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:dell:powervault_me5024:-:*:*:*:*:*:*:*", "matchCriteriaId": "1A402192-509E-4E57-839A-B95F92E22479", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:dell:powervault_me5084_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "EF402AE5-B146-400D-9FBB-F9CE6E36B5BB", "versionEndExcluding": "me5.1.1.0.5", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:dell:powervault_me5084:-:*:*:*:*:*:*:*", "matchCriteriaId": "0B607B99-3C92-4DF1-A12F-03050485EF0A", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "\nDell EMC PV ME5, versions ME5.1.0.0.0 and ME5.1.0.1.0, contains a Client-side desync Vulnerability. An unauthenticated attacker could potentially exploit this vulnerability to force a victim's browser to desynchronize its connection with the website, typically leading to XSS and DoS.\n\n"}], "id": "CVE-2023-23691", "lastModified": "2023-11-07T04:07:52.270", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.3, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "security_alert@emc.com", "type": "Secondary"}]}, "published": "2023-01-20T08:15:17.193", "references": [{"source": "security_alert@emc.com", "tags": ["Vendor Advisory"], "url": "https://www.dell.com/support/kbdoc/en-us/000207533/dsa-2023-018-dell-emc-powervault-me5-security-update-for-a-client-desync-attack-vulnerability"}], "sourceIdentifier": "security_alert@emc.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-444"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-444"}], "source": "security_alert@emc.com", "type": "Secondary"}]}