CVE-2023-4834 - Vulnerability Details - OpenCVE

In Red Lion Europe mbCONNECT24 and mymbCONNECT24 and Helmholz myREX24 and myREX24.virtual up to and including 2.14.2 an improperly implemented access validation allows an authenticated, low privileged attacker to gain read access to limited, non-critical device information in his account he should not have access to.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00105.

Key SSVC decision points have not yet been added.

Vendors	Products
Helmholz	Myrex24 Myrex24.virtual
Mbconnectline	Mbconnect24 Mymbconnect24

Configuration 1 [-]

cpe:2.3:a:helmholz:myrex24:*:*:*:*:*:*:*:*

Configuration 2 [-]

cpe:2.3:a:helmholz:myrex24.virtual:*:*:*:*:*:*:*:*

Configuration 3 [-]

cpe:2.3:a:mbconnectline:mbconnect24:*:*:*:*:*:*:*:*

Configuration 4 [-]

cpe:2.3:a:mbconnectline:mymbconnect24:*:*:*:*:*:*:*:*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2023-54675	In Red Lion Europe mbCONNECT24 and mymbCONNECT24 and Helmholz myREX24 and myREX24.virtual up to and including 2.14.2 an improperly implemented access validation allows an authenticated, low privileged attacker to gain read access to limited, non-critical device information in his account he should not have access to.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://cert.vde.com/en/advisories/VDE-2023-041
https://cert.vde.com/en/advisories/VDE-2023-043

History

No history.

MITRE

Status: PUBLISHED

Assigner: CERTVDE

Published: 2023-10-16T08:40:13.064Z

Updated: 2024-09-16T18:17:07.881Z

Reserved: 2023-09-08T07:54:38.764Z

Link: CVE-2023-4834

Vulnrichment

Updated: 2024-08-02T07:38:00.778Z

NVD

Status : Modified

Published: 2023-10-16T09:15:11.830

Modified: 2024-11-21T08:36:04.223

Link: CVE-2023-4834

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-4834", "assignerOrgId": "270ccfa6-a436-4e77-922e-914ec3a9685c", "state": "PUBLISHED", "assignerShortName": "CERTVDE", "dateReserved": "2023-09-08T07:54:38.764Z", "datePublished": "2023-10-16T08:40:13.064Z", "dateUpdated": "2024-09-16T18:17:07.881Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "mbCONNECT24", "vendor": "Red Lion Europe", "versions": [{"lessThanOrEqual": "2.14.2", "status": "affected", "version": "0", "versionType": "semver"}]}, {"defaultStatus": "unaffected", "product": "mymbCONNECT24", "vendor": "Red Lion Europe", "versions": [{"lessThanOrEqual": "2.14.2", "status": "affected", "version": "0", "versionType": "semver"}]}, {"defaultStatus": "unaffected", "product": "myREX24", "vendor": "Helmholz", "versions": [{"lessThanOrEqual": "2.14.2", "status": "affected", "version": "0", "versionType": "semver"}]}, {"defaultStatus": "unaffected", "product": "myREX24.virtual", "vendor": "Helmholz", "versions": [{"lessThanOrEqual": "2.14.2", "status": "affected", "version": "0", "versionType": "semver"}]}], "datePublic": "2023-10-16T08:40:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<div><div><div><div><p>In <span style=\"background-color: rgb(249, 250, 251);\">Red Lion Europe </span><span style=\"background-color: rgb(249, 250, 251);\">mbCONNECT24 and mymbCONNECT24 and Helmholz myREX24 and myREX24.virtual up to and including 2.14.2 an </span>improperly implemented access validation <span style=\"background-color: rgb(255, 255, 255);\">allows an authenticated, </span><span style=\"background-color: rgb(255, 255, 255);\">low privileged</span><span style=\"background-color: rgb(255, 255, 255);\"> attacker to gain read access to limited, non-critical device information in his account he should not have access to.</span>\n</p>\n\t\t\t\t\t</div>\n\t\t\t\t</div>\n\t\t\t</div>\n\t\t</div>\n\t\n"}], "value": "In Red Lion Europe\u00a0mbCONNECT24 and mymbCONNECT24 and Helmholz myREX24 and myREX24.virtual up to and including 2.14.2 an\u00a0improperly implemented access validation allows an authenticated, low privileged\u00a0attacker to gain read access to limited, non-critical device information in his account he should not have access to.\n\n\n\n\t\t\t\t\t\n\n\n\t\t\t\t\n\n\n\t\t\t\n\n\n\t\t\n\n\n\t\n"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-269", "description": "CWE-269 Improper Privilege Management", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "270ccfa6-a436-4e77-922e-914ec3a9685c", "shortName": "CERTVDE", "dateUpdated": "2023-10-16T08:59:23.795Z"}, "references": [{"url": "https://cert.vde.com/en/advisories/VDE-2023-041"}, {"url": "https://cert.vde.com/en/advisories/VDE-2023-043"}], "source": {"defect": ["CERT@VDE#64587"], "discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T07:38:00.778Z"}, "title": "CVE Program Container", "references": [{"url": "https://cert.vde.com/en/advisories/VDE-2023-041", "tags": ["x_transferred"]}, {"url": "https://cert.vde.com/en/advisories/VDE-2023-043", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-16T18:16:53.810599Z", "id": "CVE-2023-4834", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-16T18:17:07.881Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://cert.vde.com/en/advisories/VDE-2023-041", "tags": ["x_transferred"]}, {"url": "https://cert.vde.com/en/advisories/VDE-2023-043", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T07:38:00.778Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-4834", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-16T18:16:53.810599Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-16T18:17:00.850Z"}}], "cna": {"source": {"defect": ["CERT@VDE#64587"], "discovery": "EXTERNAL"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Red Lion Europe", "product": "mbCONNECT24", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.14.2"}], "defaultStatus": "unaffected"}, {"vendor": "Red Lion Europe", "product": "mymbCONNECT24", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.14.2"}], "defaultStatus": "unaffected"}, {"vendor": "Helmholz", "product": "myREX24", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.14.2"}], "defaultStatus": "unaffected"}, {"vendor": "Helmholz", "product": "myREX24.virtual", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.14.2"}], "defaultStatus": "unaffected"}], "datePublic": "2023-10-16T08:40:00.000Z", "references": [{"url": "https://cert.vde.com/en/advisories/VDE-2023-041"}, {"url": "https://cert.vde.com/en/advisories/VDE-2023-043"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "In Red Lion Europe\u00a0mbCONNECT24 and mymbCONNECT24 and Helmholz myREX24 and myREX24.virtual up to and including 2.14.2 an\u00a0improperly implemented access validation allows an authenticated, low privileged\u00a0attacker to gain read access to limited, non-critical device information in his account he should not have access to.\n\n\n\n\t\t\t\t\t\n\n\n\t\t\t\t\n\n\n\t\t\t\n\n\n\t\t\n\n\n\t\n", "supportingMedia": [{"type": "text/html", "value": "<div><div><div><div><p>In <span style=\"background-color: rgb(249, 250, 251);\">Red Lion Europe </span><span style=\"background-color: rgb(249, 250, 251);\">mbCONNECT24 and mymbCONNECT24 and Helmholz myREX24 and myREX24.virtual up to and including 2.14.2 an </span>improperly implemented access validation <span style=\"background-color: rgb(255, 255, 255);\">allows an authenticated, </span><span style=\"background-color: rgb(255, 255, 255);\">low privileged</span><span style=\"background-color: rgb(255, 255, 255);\"> attacker to gain read access to limited, non-critical device information in his account he should not have access to.</span>\n</p>\n\t\t\t\t\t</div>\n\t\t\t\t</div>\n\t\t\t</div>\n\t\t</div>\n\t\n", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-269", "description": "CWE-269 Improper Privilege Management"}]}], "providerMetadata": {"orgId": "270ccfa6-a436-4e77-922e-914ec3a9685c", "shortName": "CERTVDE", "dateUpdated": "2023-10-16T08:59:23.795Z"}}}, "cveMetadata": {"cveId": "CVE-2023-4834", "state": "PUBLISHED", "dateUpdated": "2024-09-16T18:17:07.881Z", "dateReserved": "2023-09-08T07:54:38.764Z", "assignerOrgId": "270ccfa6-a436-4e77-922e-914ec3a9685c", "datePublished": "2023-10-16T08:40:13.064Z", "assignerShortName": "CERTVDE"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:helmholz:myrex24:*:*:*:*:*:*:*:*", "matchCriteriaId": "6B75F1E4-3DFA-4163-A9C7-8CF5C9A78562", "versionEndIncluding": "2.14.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:helmholz:myrex24.virtual:*:*:*:*:*:*:*:*", "matchCriteriaId": "885E9E11-89FE-468F-8160-EC3B21E6CA77", "versionEndIncluding": "2.14.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mbconnectline:mbconnect24:*:*:*:*:*:*:*:*", "matchCriteriaId": "2029F9FB-397A-490D-A86F-B2B39C516A79", "versionEndIncluding": "2.14.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mbconnectline:mymbconnect24:*:*:*:*:*:*:*:*", "matchCriteriaId": "0F77AC2B-5B57-4CFF-A4F1-AA8E6B1B8C3B", "versionEndIncluding": "2.14.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "In Red Lion Europe\u00a0mbCONNECT24 and mymbCONNECT24 and Helmholz myREX24 and myREX24.virtual up to and including 2.14.2 an\u00a0improperly implemented access validation allows an authenticated, low privileged\u00a0attacker to gain read access to limited, non-critical device information in his account he should not have access to.\n\n\n\n\t\t\t\t\t\n\n\n\t\t\t\t\n\n\n\t\t\t\n\n\n\t\t\n\n\n\t\n"}, {"lang": "es", "value": "En Red Lion Europe mbCONNECT24 y mymbCONNECT24 y Helmholz myREX24 y myREX24.virtual hasta la versi\u00f3n 2.14.2 incluida, una validaci\u00f3n de acceso implementada incorrectamente permite a un atacante autenticado y con pocos privilegios obtener acceso de lectura a informaci\u00f3n limitada y no cr\u00edtica del dispositivo a la que no deber\u00eda tener acceso en su cuenta."}], "id": "CVE-2023-4834", "lastModified": "2024-11-21T08:36:04.223", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "info@cert.vde.com", "type": "Secondary"}]}, "published": "2023-10-16T09:15:11.830", "references": [{"source": "info@cert.vde.com", "tags": ["Third Party Advisory"], "url": "https://cert.vde.com/en/advisories/VDE-2023-041"}, {"source": "info@cert.vde.com", "tags": ["Third Party Advisory"], "url": "https://cert.vde.com/en/advisories/VDE-2023-043"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://cert.vde.com/en/advisories/VDE-2023-041"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://cert.vde.com/en/advisories/VDE-2023-043"}], "sourceIdentifier": "info@cert.vde.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-269"}], "source": "info@cert.vde.com", "type": "Secondary"}]}