CVE-2023-4088 - OpenCVE

Incorrect Default Permissions vulnerability in Mitsubishi Electric Corporation multiple FA engineering software products allows a malicious local attacker to execute a malicious code, resulting in information disclosure, tampering with and deletion, or a denial-of-service (DoS) condition, if the product is installed in a folder other than the default installation folder.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Mitsubishielectric	Gx Works3

Configuration 1 [-]

cpe:2.3:a:mitsubishielectric:gx_works3:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://jvn.jp/vu/JVNVU96447193/index.html
https://www.cisa.gov/news-events/ics-advisories/icsa-23-269-03
https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2023-010_en.pdf

History

No history.

MITRE

Status: PUBLISHED

Assigner: Mitsubishi

Published: 2023-09-20T02:26:43.901Z

Updated: 2024-08-02T07:17:12.060Z

Reserved: 2023-08-02T04:52:49.923Z

Link: CVE-2023-4088

Vulnrichment

No data.

NVD

Status : Modified

Published: 2023-09-20T03:15:13.687

Modified: 2024-07-04T10:15:03.133

Link: CVE-2023-4088

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-4088", "assignerOrgId": "e0f77b61-78fd-4786-b3fb-1ee347a748ad", "state": "PUBLISHED", "assignerShortName": "Mitsubishi", "dateReserved": "2023-08-02T04:52:49.923Z", "datePublished": "2023-09-20T02:26:43.901Z", "dateUpdated": "2024-08-02T07:17:12.060Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "GX Works3", "vendor": "Mitsubishi Electric Corporation", "versions": [{"status": "affected", "version": "all versions"}]}, {"defaultStatus": "unaffected", "product": "AL-PCS/WIN-E", "vendor": "Mitsubishi Electric Corporation", "versions": [{"status": "affected", "version": "all versions"}]}, {"defaultStatus": "unaffected", "product": "CPU Module Logging Configuration Tool", "vendor": "Mitsubishi Electric Corporation", "versions": [{"status": "affected", "version": "all versions"}]}, {"defaultStatus": "unaffected", "product": "EZSocket", "vendor": "Mitsubishi Electric Corporation", "versions": [{"status": "affected", "version": "all versions"}]}, {"defaultStatus": "unaffected", "product": "FR Configurator2", "vendor": "Mitsubishi Electric Corporation", "versions": [{"status": "affected", "version": "all versions"}]}, {"defaultStatus": "unaffected", "product": "FX Configurator-EN", "vendor": "Mitsubishi Electric Corporation", "versions": [{"status": "affected", "version": "all versions"}]}, {"defaultStatus": "unaffected", "product": "FX Configurator-EN-L", "vendor": "Mitsubishi Electric Corporation", "versions": [{"status": "affected", "version": "all versions"}]}, {"defaultStatus": "unaffected", "product": "FX Configurator-FP", "vendor": "Mitsubishi Electric Corporation", "versions": [{"status": "affected", "version": "all versions"}]}, {"defaultStatus": "unaffected", "product": "GT Designer3 Version1(GOT1000)", "vendor": "Mitsubishi Electric Corporation", "versions": [{"status": "affected", "version": "all versions"}]}, {"defaultStatus": "unaffected", "product": "GT Designer3 Version1(GOT2000)", "vendor": "Mitsubishi Electric Corporation", "versions": [{"status": "affected", "version": "all versions"}]}, {"defaultStatus": "unaffected", "product": "GT SoftGOT1000 Version3", "vendor": "Mitsubishi Electric Corporation", "versions": [{"status": "affected", "version": "all versions"}]}, {"defaultStatus": "unaffected", "product": "GT SoftGOT2000 Version1", "vendor": "Mitsubishi Electric Corporation", "versions": [{"status": "affected", "version": "all versions"}]}, {"defaultStatus": "unaffected", "product": "GX LogViewer", "vendor": "Mitsubishi Electric Corporation", "versions": [{"status": "affected", "version": "all versions"}]}, {"defaultStatus": "unaffected", "product": "GX Works2", "vendor": "Mitsubishi Electric Corporation", "versions": [{"status": "affected", "version": "all versions"}]}, {"defaultStatus": "unaffected", "product": "MELSOFT FieldDeviceConfigurator", "vendor": "Mitsubishi Electric Corporation", "versions": [{"status": "affected", "version": "all versions"}]}, {"defaultStatus": "unaffected", "product": "MELSOFT iQ AppPortal", "vendor": "Mitsubishi Electric Corporation", "versions": [{"status": "affected", "version": "all versions"}]}, {"defaultStatus": "unaffected", "product": "MELSOFT MaiLab", "vendor": "Mitsubishi Electric Corporation", "versions": [{"status": "affected", "version": "all versions"}]}, {"defaultStatus": "unaffected", "product": "MELSOFT Navigator", "vendor": "Mitsubishi Electric Corporation", "versions": [{"status": "affected", "version": "all versions"}]}, {"defaultStatus": "unaffected", "product": "MELSOFT Update Manager", "vendor": "Mitsubishi Electric Corporation", "versions": [{"status": "affected", "version": "all versions"}]}, {"defaultStatus": "unaffected", "product": "MX Component", "vendor": "Mitsubishi Electric Corporation", "versions": [{"status": "affected", "version": "all versions"}]}, {"defaultStatus": "unaffected", "product": "MX Sheet", "vendor": "Mitsubishi Electric Corporation", "versions": [{"status": "affected", "version": "all versions"}]}, {"defaultStatus": "unaffected", "product": "PX Developer", "vendor": "Mitsubishi Electric Corporation", "versions": [{"status": "affected", "version": "all versions"}]}, {"defaultStatus": "unaffected", "product": "RT ToolBox3", "vendor": "Mitsubishi Electric Corporation", "versions": [{"status": "affected", "version": "all versions"}]}, {"defaultStatus": "unaffected", "product": "RT VisualBox", "vendor": "Mitsubishi Electric Corporation", "versions": [{"status": "affected", "version": "all versions"}]}, {"defaultStatus": "unaffected", "product": "Data Transfer", "vendor": "Mitsubishi Electric Corporation", "versions": [{"status": "affected", "version": "all versions"}]}, {"defaultStatus": "unaffected", "product": "Data Transfer Classic", "vendor": "Mitsubishi Electric Corporation", "versions": [{"status": "affected", "version": "all versions"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Incorrect Default Permissions vulnerability in Mitsubishi Electric Corporation multiple FA engineering software products allows a malicious local attacker to execute a malicious code, resulting in information disclosure, tampering with and deletion, or a denial-of-service (DoS) condition, if the product is installed in a folder other than the default installation folder."}], "value": "Incorrect Default Permissions vulnerability in Mitsubishi Electric Corporation multiple FA engineering software products allows a malicious local attacker to execute a malicious code, resulting in information disclosure, tampering with and deletion, or a denial-of-service (DoS) condition, if the product is installed in a folder other than the default installation folder."}], "impacts": [{"descriptions": [{"lang": "en", "value": "Malicious Code Execution"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-276", "description": "CWE-276 Incorrect Default Permissions", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "e0f77b61-78fd-4786-b3fb-1ee347a748ad", "shortName": "Mitsubishi", "dateUpdated": "2024-07-04T09:16:28.950Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2023-010_en.pdf"}, {"tags": ["government-resource"], "url": "https://jvn.jp/vu/JVNVU96447193/index.html"}, {"tags": ["government-resource"], "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-269-03"}], "source": {"discovery": "UNKNOWN"}, "title": "Malicious Code Execution Vulnerability in FA Engineering Software Products", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T07:17:12.060Z"}, "title": "CVE Program Container", "references": [{"tags": ["vendor-advisory", "x_transferred"], "url": "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2023-010_en.pdf"}, {"tags": ["government-resource", "x_transferred"], "url": "https://jvn.jp/vu/JVNVU96447193/index.html"}, {"tags": ["government-resource", "x_transferred"], "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-269-03"}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mitsubishielectric:gx_works3:*:*:*:*:*:*:*:*", "matchCriteriaId": "F4AEDEEE-5070-41E2-B4DC-6DE8456BC028", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Incorrect Default Permissions vulnerability in Mitsubishi Electric Corporation multiple FA engineering software products allows a malicious local attacker to execute a malicious code, resulting in information disclosure, tampering with and deletion, or a denial-of-service (DoS) condition, if the product is installed in a folder other than the default installation folder."}, {"lang": "es", "value": "Vulnerabilidad de Permisos Predeterminados Incorrectos debido a una soluci\u00f3n incompleta para abordar CVE-2020-14496 en los productos de software de ingenier\u00eda de Mitsubishi Electric Corporation FA permite que un atacante local malicioso ejecute un c\u00f3digo malicioso, lo que podr\u00eda resultar en la divulgaci\u00f3n, manipulaci\u00f3n y eliminaci\u00f3n de informaci\u00f3n, o una condici\u00f3n de denegaci\u00f3n fuera de servicio (DoS). Sin embargo, si la versi\u00f3n mitigada descrita en el aviso para CVE-2020-14496 se utiliza y se instala en la carpeta de instalaci\u00f3n predeterminada, esta vulnerabilidad no afecta a los productos."}], "id": "CVE-2023-4088", "lastModified": "2024-07-04T10:15:03.133", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.5, "impactScore": 6.0, "source": "Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp", "type": "Secondary"}]}, "published": "2023-09-20T03:15:13.687", "references": [{"source": "Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp", "url": "https://jvn.jp/vu/JVNVU96447193/index.html"}, {"source": "Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp", "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-269-03"}, {"source": "Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp", "tags": ["Vendor Advisory"], "url": "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2023-010_en.pdf"}], "sourceIdentifier": "Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-276"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-276"}], "source": "Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp", "type": "Secondary"}]}