CVE-2023-5391 - OpenCVE

A CWE-502: Deserialization of untrusted data vulnerability exists that could allow an attacker to execute arbitrary code on the targeted system by sending a specifically crafted packet to the application.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Schneider-electric	Ecostruxure Power Monitoring Expert Ecostruxure Power Operation With Advanced Reports Ecostruxure Power Scada Operation With Advanced Reports

Configuration 1 [-]

OR	cpe:2.3:a:schneider-electric:ecostruxure_power_monitoring_expert::::::::
	cpe:2.3:a:schneider-electric:ecostruxure_power_operation_with_advanced_reports::::::::
	cpe:2.3:a:schneider-electric:ecostruxure_power_scada_operation_with_advanced_reports::::::::

No data.

References

Link	Providers
https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2023-283-02&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2023-283-02.pdf

History

No history.

MITRE

Status: PUBLISHED

Assigner: schneider

Published: 2023-10-04T18:13:00.746Z

Updated: 2024-08-02T07:59:44.528Z

Reserved: 2023-10-04T17:50:08.965Z

Link: CVE-2023-5391

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2023-10-04T19:15:10.777

Modified: 2024-02-01T00:49:46.897

Link: CVE-2023-5391

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-5391", "assignerOrgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", "state": "PUBLISHED", "assignerShortName": "schneider", "dateReserved": "2023-10-04T17:50:08.965Z", "datePublished": "2023-10-04T18:13:00.746Z", "dateUpdated": "2024-08-02T07:59:44.528Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "EcoStruxure Power Monitoring Expert", "vendor": "Schneider Electric", "versions": [{"status": "affected", "version": "All versions \u2013 prior to application of Hotfix-145271"}]}, {"defaultStatus": "unaffected", "product": "EcoStruxure Power Operation (EPO) with Advanced Reports", "vendor": "Schneider Electric", "versions": [{"status": "affected", "version": "All versions \u2013 prior to application of Hotfix-145271"}]}, {"defaultStatus": "unaffected", "product": "EcoStruxure Power SCADA Operation with Advanced Reports", "vendor": "Schneider Electric", "versions": [{"status": "affected", "version": "All versions \u2013 prior to application of Hotfix-145271"}]}], "datePublic": "2023-10-10T17:55:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\n\n\n\nA CWE-502: Deserialization of untrusted data vulnerability exists that could allow an attacker to\nexecute arbitrary code on the targeted system by sending a specifically crafted packet to the\napplication.\n\n\n\n<br>"}], "value": "\n\n\nA CWE-502: Deserialization of untrusted data vulnerability exists that could allow an attacker to\nexecute arbitrary code on the targeted system by sending a specifically crafted packet to the\napplication.\n\n\n\n\n"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", "shortName": "schneider", "dateUpdated": "2023-10-11T08:25:11.967Z"}, "references": [{"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2023-283-02&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2023-283-02.pdf"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T07:59:44.528Z"}, "title": "CVE Program Container", "references": [{"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2023-283-02&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2023-283-02.pdf", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:schneider-electric:ecostruxure_power_monitoring_expert:*:*:*:*:*:*:*:*", "matchCriteriaId": "B682ECD9-985F-4906-B936-DD388165063A", "vulnerable": true}, {"criteria": "cpe:2.3:a:schneider-electric:ecostruxure_power_operation_with_advanced_reports:*:*:*:*:*:*:*:*", "matchCriteriaId": "8A9E16D1-278E-4E0B-A604-13096B7A9029", "vulnerable": true}, {"criteria": "cpe:2.3:a:schneider-electric:ecostruxure_power_scada_operation_with_advanced_reports:*:*:*:*:*:*:*:*", "matchCriteriaId": "DC4A71CF-78EA-43F9-B7BA-9ED3C7816173", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "\n\n\nA CWE-502: Deserialization of untrusted data vulnerability exists that could allow an attacker to\nexecute arbitrary code on the targeted system by sending a specifically crafted packet to the\napplication.\n\n\n\n\n"}, {"lang": "es", "value": "CWE-502: Existe una vulnerabilidad deserializaci\u00f3n de datos no confiables que podr\u00eda permitir a un atacante ejecutar c\u00f3digo arbitrario en el sistema objetivo enviando un paquete espec\u00edficamente manipulado a la aplicaci\u00f3n."}], "id": "CVE-2023-5391", "lastModified": "2024-02-01T00:49:46.897", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "cybersecurity@se.com", "type": "Secondary"}]}, "published": "2023-10-04T19:15:10.777", "references": [{"source": "cybersecurity@se.com", "tags": ["Vendor Advisory"], "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2023-283-02&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2023-283-02.pdf"}], "sourceIdentifier": "cybersecurity@se.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "cybersecurity@se.com", "type": "Primary"}]}