admin/cvelist
1
0
Fork 0
mirror of https://github.com/CVEProject/cvelist.git synced 2025-07-29 05:56:59 +00:00
Code Issues Packages Projects Releases Wiki Activity

"-Synchronized-Data."

Browse Source
This commit is contained in:
CVE Team 2023-07-24 18:00:33 +00:00
parent b28447052d
commit 0efcf5ad9c
No known key found for this signature in database
GPG Key ID: E3252B3D49582C98
7 changed files with 472 additions and 22 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

66
2023/26xxx/CVE-2023-26077.json
View File

@ -1,17 +1,71 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2023-26077",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"ID": "CVE-2023-26077",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "Atera Agent through 1.8.3.6 on Windows Creates a Temporary File in a Directory with Insecure Permissions."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"url": "https://github.com/mandiant/Vulnerability-Disclosures",
"refsource": "MISC",
"name": "https://github.com/mandiant/Vulnerability-Disclosures"
},
{
"url": "https://www.atera.com",
"refsource": "MISC",
"name": "https://www.atera.com"
},
{
"refsource": "MISC",
"name": "https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2023/MNDT-2023-0008.md",
"url": "https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2023/MNDT-2023-0008.md"
}
]
}

18
2023/38xxx/CVE-2023-38709.json Normal file
View File

@ -0,0 +1,18 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2023-38709",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
}
]
}
}

98
2023/3xxx/CVE-2023-3321.json
View File

@ -1,17 +1,107 @@
{
"data_version": "4.0",
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2023-3321",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"ASSIGNER": "cybersecurity@ch.abb.com",
"STATE": "PUBLIC"
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "\nA vulnerability exists by allowing low-privileged users to read and update the data in various directories used by the Zenon system. An attacker could exploit the vulnerability by using specially crafted\nprograms to exploit the vulnerabilities by allowing them to run on the zenon installed hosts.\nThis issue affects ABB Ability\u2122 zenon: from 11 build through 11 build 106404.\n\n"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-15: External Control of System or Configuration Setting",
"cweId": "CWE-15"
}
]
}
]
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "ABB",
"product": {
"product_data": [
{
"product_name": "ABB Ability\u2122 zenon",
"version": {
"version_data": [
{
"version_affected": "<=",
"version_name": "11 build ",
"version_value": "11 build 106404"
}
]
}
}
]
}
}
]
}
},
"references": {
"reference_data": [
{
"url": "https://search.abb.com/library/Download.aspx?DocumentID=2NGA001801&LanguageCode=en&DocumentPartId=&Action=Launch&_ga=2.194142766.2067879716.1690216773-1911411808.1686627590",
"refsource": "MISC",
"name": "https://search.abb.com/library/Download.aspx?DocumentID=2NGA001801&LanguageCode=en&DocumentPartId=&Action=Launch&_ga=2.194142766.2067879716.1690216773-1911411808.1686627590"
}
]
},
"generator": {
"engine": "Vulnogram 0.1.0-dev"
},
"source": {
"discovery": "UNKNOWN"
},
"work_around": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\nABB recommends the following workarounds. Although these workarounds will not correct the underlying vulnerability, they block the known attack vectors.\n\u2022 For CVE-2023-3321, Recommended practices include that process control systems are physically protected,\nhave no direct connections to the Internet, and are separated from other networks by\nmeans of a firewall system that has a minimal number of ports exposed.&nbsp; Remove the default directory permissions for \u2018Everyone\u2019 on the service grid, ABB utilities, and zenon_Projects directories and provide access only to specific users that are\nexpected to access zenon.&nbsp; Install the IIoT services, which is, the Service grid component on a separate system.&nbsp; Secure the ZEE600 related executable files in \u2018C:\\ProgramData\\ABB\\ABBUtilities\u2019 directory by removing the group named \u201cEveryone\u201d.&nbsp; Ensure the group name \u201cEveryone\u201d should be removed from the following directory.\n\u2018C:\\ProgramData\\ABB\u2019.&nbsp; Secure zenon_Projects directory by managing the access permissions. The project directory should have access only for the user group (Excluding administrator) which has\nthe users to use zenon projects. Consider the following example:\n\nExample: A user group named \u2018zenonOwnersGroup\u2019 to be created and it is the only\ngroup that has write access to the zenon_ Projects directory. If the system has 2 users\nsuch as test1(Part of zenonOwnersGroup ) and test2 (not in zenonOwnersGroup ). The\nproject directory (C:\\Users\\Public\\Documents\\zenon_Projects) should have write access only for the zenonOwnersGroup and for no one else. Now, test1 should have write\naccess the zenon_Project directory and test2 should not.\n\n\n\n\n<br>"
}
],
"value": "\nABB recommends the following workarounds. Although these workarounds will not correct the underlying vulnerability, they block the known attack vectors.\n\u2022 For CVE-2023-3321, Recommended practices include that process control systems are physically protected,\nhave no direct connections to the Internet, and are separated from other networks by\nmeans of a firewall system that has a minimal number of ports exposed.\u00a0 Remove the default directory permissions for \u2018Everyone\u2019 on the service grid, ABB utilities, and zenon_Projects directories and provide access only to specific users that are\nexpected to access zenon.\u00a0 Install the IIoT services, which is, the Service grid component on a separate system.\u00a0 Secure the ZEE600 related executable files in \u2018C:\\ProgramData\\ABB\\ABBUtilities\u2019 directory by removing the group named \u201cEveryone\u201d.\u00a0 Ensure the group name \u201cEveryone\u201d should be removed from the following directory.\n\u2018C:\\ProgramData\\ABB\u2019.\u00a0 Secure zenon_Projects directory by managing the access permissions. The project directory should have access only for the user group (Excluding administrator) which has\nthe users to use zenon projects. Consider the following example:\n\nExample: A user group named \u2018zenonOwnersGroup\u2019 to be created and it is the only\ngroup that has write access to the zenon_ Projects directory. If the system has 2 users\nsuch as test1(Part of zenonOwnersGroup ) and test2 (not in zenonOwnersGroup ). The\nproject directory (C:\\Users\\Public\\Documents\\zenon_Projects) should have write access only for the zenonOwnersGroup and for no one else. Now, test1 should have write\naccess the zenon_Project directory and test2 should not.\n\n\n\n\n\n"
}
],
"credits": [
{
"lang": "en",
"value": "ABB thanks Noam Moshe of Claroty Research - Team82, for helping to identify the vulnerabilities and protecting our customers."
}
],
"impact": {
"cvss": [
{
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
]
}

98
2023/3xxx/CVE-2023-3322.json
View File

@ -1,17 +1,107 @@
{
"data_version": "4.0",
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2023-3322",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"ASSIGNER": "cybersecurity@ch.abb.com",
"STATE": "PUBLIC"
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "\nA vulnerability exists by allowing low-privileged users to read and update the data in various directories used by the Zenon system. An attacker could exploit the vulnerability by using specially crafted\nprograms to exploit the vulnerabilities by allowing them to run on the zenon installed hosts.\nThis issue affects ABB Ability\u2122 zenon: from 11 build through 11 build 106404.\n\n\n\n"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-732 Incorrect Permission Assignment for Critical Resource",
"cweId": "CWE-732"
}
]
}
]
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "ABB",
"product": {
"product_data": [
{
"product_name": "ABB Ability\u2122 zenon",
"version": {
"version_data": [
{
"version_affected": "<=",
"version_name": "11 build ",
"version_value": "11 build 106404"
}
]
}
}
]
}
}
]
}
},
"references": {
"reference_data": [
{
"url": "https://search.abb.com/library/Download.aspx?DocumentID=2NGA001801&LanguageCode=en&DocumentPartId=&Action=Launch&_ga=2.194142766.2067879716.1690216773-1911411808.1686627590",
"refsource": "MISC",
"name": "https://search.abb.com/library/Download.aspx?DocumentID=2NGA001801&LanguageCode=en&DocumentPartId=&Action=Launch&_ga=2.194142766.2067879716.1690216773-1911411808.1686627590"
}
]
},
"generator": {
"engine": "Vulnogram 0.1.0-dev"
},
"source": {
"discovery": "UNKNOWN"
},
"work_around": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\n\n\nABB recommends the following workarounds. Although these workarounds will not correct the underlying vulnerability, they block the known attack vectors.\n\u2022 For CVE-2023-3322, Recommended practices include that process control systems are physically protected,\nhave no direct connections to the Internet, and are separated from other networks by\nmeans of a firewall system that has a minimal number of ports exposed. Remove the default directory permissions for \u2018Everyone\u2019 on the service grid, ABB utilities, and zenon_Projects directories and provide access only to specific users that are\nexpected to access zenon. Install the IIoT services, which is, the Service grid component on a separate system. Secure the ZEE600 related executable files in \u2018C:\\ProgramData\\ABB\\ABBUtilities\u2019 directory by removing the group named \u201cEveryone\u201d. Ensure the group name \u201cEveryone\u201d should be removed from the following directory.\n\u2018C:\\ProgramData\\ABB\u2019. Secure zenon_Projects directory by managing the access permissions. The project directory should have access only for the user group (Excluding administrator) which has\nthe users to use zenon projects. Consider the following example:\n\nExample: A user group named \u2018zenonOwnersGroup\u2019 to be created and it is the only\ngroup that has write access to the zenon_ Projects directory. If the system has 2 users\nsuch as test1(Part of zenonOwnersGroup ) and test2 (not in zenonOwnersGroup ). The\nproject directory (C:\\Users\\Public\\Documents\\zenon_Projects) should have write access only for the zenonOwnersGroup and for no one else. Now, test1 should have write\naccess the zenon_Project directory and test2 should not.\n\n\n\n\n<br>\n\n<br>"
}
],
"value": "\n\n\nABB recommends the following workarounds. Although these workarounds will not correct the underlying vulnerability, they block the known attack vectors.\n\u2022 For CVE-2023-3322, Recommended practices include that process control systems are physically protected,\nhave no direct connections to the Internet, and are separated from other networks by\nmeans of a firewall system that has a minimal number of ports exposed. Remove the default directory permissions for \u2018Everyone\u2019 on the service grid, ABB utilities, and zenon_Projects directories and provide access only to specific users that are\nexpected to access zenon. Install the IIoT services, which is, the Service grid component on a separate system. Secure the ZEE600 related executable files in \u2018C:\\ProgramData\\ABB\\ABBUtilities\u2019 directory by removing the group named \u201cEveryone\u201d. Ensure the group name \u201cEveryone\u201d should be removed from the following directory.\n\u2018C:\\ProgramData\\ABB\u2019. Secure zenon_Projects directory by managing the access permissions. The project directory should have access only for the user group (Excluding administrator) which has\nthe users to use zenon projects. Consider the following example:\n\nExample: A user group named \u2018zenonOwnersGroup\u2019 to be created and it is the only\ngroup that has write access to the zenon_ Projects directory. If the system has 2 users\nsuch as test1(Part of zenonOwnersGroup ) and test2 (not in zenonOwnersGroup ). The\nproject directory (C:\\Users\\Public\\Documents\\zenon_Projects) should have write access only for the zenonOwnersGroup and for no one else. Now, test1 should have write\naccess the zenon_Project directory and test2 should not.\n\n\n\n\n\n\n\n\n"
}
],
"credits": [
{
"lang": "en",
"value": "ABB thanks Noam Moshe of Claroty Research - Team82, for helping to identify the vulnerabilities and protecting our customers."
}
],
"impact": {
"cvss": [
{
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
]
}

98
2023/3xxx/CVE-2023-3323.json
View File

@ -1,17 +1,107 @@
{
"data_version": "4.0",
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2023-3323",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"ASSIGNER": "cybersecurity@ch.abb.com",
"STATE": "PUBLIC"
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "\nA vulnerability exists by allowing low-privileged users to read and update the data in various directories used by the Zenon system. An attacker could exploit the vulnerability by using specially crafted\nprograms to exploit the vulnerabilities by allowing them to run on the zenon installed hosts.\nThis issue affects ABB Ability\u2122 zenon: from 11 build through 11 build 106404.\n\n\n\n"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-276 Incorrect Default Permissions",
"cweId": "CWE-276"
}
]
}
]
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "ABB",
"product": {
"product_data": [
{
"product_name": "ABB Ability\u2122 zenon",
"version": {
"version_data": [
{
"version_affected": "<=",
"version_name": "11 build ",
"version_value": "11 build 106404"
}
]
}
}
]
}
}
]
}
},
"references": {
"reference_data": [
{
"url": "https://search.abb.com/library/Download.aspx?DocumentID=2NGA001801&LanguageCode=en&DocumentPartId=&Action=Launch&_ga=2.194142766.2067879716.1690216773-1911411808.1686627590",
"refsource": "MISC",
"name": "https://search.abb.com/library/Download.aspx?DocumentID=2NGA001801&LanguageCode=en&DocumentPartId=&Action=Launch&_ga=2.194142766.2067879716.1690216773-1911411808.1686627590"
}
]
},
"generator": {
"engine": "Vulnogram 0.1.0-dev"
},
"source": {
"discovery": "UNKNOWN"
},
"work_around": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\n\n\nABB recommends the following workarounds. Although these workarounds will not correct the underlying vulnerability, they block the known attack vectors.\n\u2022 For CVE-2023-3323, Recommended practices include that process control systems are physically protected,\nhave no direct connections to the Internet, and are separated from other networks by\nmeans of a firewall system that has a minimal number of ports exposed. Remove the default directory permissions for \u2018Everyone\u2019 on the service grid, ABB utilities, and zenon_Projects directories and provide access only to specific users that are\nexpected to access zenon. Install the IIoT services, which is, the Service grid component on a separate system. Secure the ZEE600 related executable files in \u2018C:\\ProgramData\\ABB\\ABBUtilities\u2019 directory by removing the group named \u201cEveryone\u201d. Ensure the group name \u201cEveryone\u201d should be removed from the following directory.\n\u2018C:\\ProgramData\\ABB\u2019. Secure zenon_Projects directory by managing the access permissions. The project directory should have access only for the user group (Excluding administrator) which has\nthe users to use zenon projects. Consider the following example:\n\nExample: A user group named \u2018zenonOwnersGroup\u2019 to be created and it is the only\ngroup that has write access to the zenon_ Projects directory. If the system has 2 users\nsuch as test1(Part of zenonOwnersGroup ) and test2 (not in zenonOwnersGroup ). The\nproject directory (C:\\Users\\Public\\Documents\\zenon_Projects) should have write access only for the zenonOwnersGroup and for no one else. Now, test1 should have write\naccess the zenon_Project directory and test2 should not.\n\n\n\n\n<br>\n\n<br>"
}
],
"value": "\n\n\nABB recommends the following workarounds. Although these workarounds will not correct the underlying vulnerability, they block the known attack vectors.\n\u2022 For CVE-2023-3323, Recommended practices include that process control systems are physically protected,\nhave no direct connections to the Internet, and are separated from other networks by\nmeans of a firewall system that has a minimal number of ports exposed. Remove the default directory permissions for \u2018Everyone\u2019 on the service grid, ABB utilities, and zenon_Projects directories and provide access only to specific users that are\nexpected to access zenon. Install the IIoT services, which is, the Service grid component on a separate system. Secure the ZEE600 related executable files in \u2018C:\\ProgramData\\ABB\\ABBUtilities\u2019 directory by removing the group named \u201cEveryone\u201d. Ensure the group name \u201cEveryone\u201d should be removed from the following directory.\n\u2018C:\\ProgramData\\ABB\u2019. Secure zenon_Projects directory by managing the access permissions. The project directory should have access only for the user group (Excluding administrator) which has\nthe users to use zenon projects. Consider the following example:\n\nExample: A user group named \u2018zenonOwnersGroup\u2019 to be created and it is the only\ngroup that has write access to the zenon_ Projects directory. If the system has 2 users\nsuch as test1(Part of zenonOwnersGroup ) and test2 (not in zenonOwnersGroup ). The\nproject directory (C:\\Users\\Public\\Documents\\zenon_Projects) should have write access only for the zenonOwnersGroup and for no one else. Now, test1 should have write\naccess the zenon_Project directory and test2 should not.\n\n\n\n\n\n\n\n\n"
}
],
"credits": [
{
"lang": "en",
"value": "ABB thanks Noam Moshe of Claroty Research - Team82, for helping to identify the vulnerabilities and protecting our customers."
}
],
"impact": {
"cvss": [
{
"attackComplexity": "HIGH",
"attackVector": "PHYSICAL",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:P/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:H",
"version": "3.1"
}
]
}

98
2023/3xxx/CVE-2023-3324.json
View File

@ -1,17 +1,107 @@
{
"data_version": "4.0",
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2023-3324",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"ASSIGNER": "cybersecurity@ch.abb.com",
"STATE": "PUBLIC"
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "\nA vulnerability exists by allowing low-privileged users to read and update the data in various directories used by the Zenon system. An attacker could exploit the vulnerability by using specially crafted\nprograms to exploit the vulnerabilities by allowing them to run on the zenon installed hosts.\nThis issue affects ABB Ability\u2122 zenon: from 11 build through 11 build 106404.\n\n\n\n"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-502 Deserialization of Untrusted Data",
"cweId": "CWE-502"
}
]
}
]
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "ABB",
"product": {
"product_data": [
{
"product_name": "ABB Ability\u2122 zenon",
"version": {
"version_data": [
{
"version_affected": "<=",
"version_name": "11 build",
"version_value": "11 build 106404"
}
]
}
}
]
}
}
]
}
},
"references": {
"reference_data": [
{
"url": "https://search.abb.com/library/Download.aspx?DocumentID=2NGA001801&LanguageCode=en&DocumentPartId=&Action=Launch&_ga=2.194142766.2067879716.1690216773-1911411808.1686627590",
"refsource": "MISC",
"name": "https://search.abb.com/library/Download.aspx?DocumentID=2NGA001801&LanguageCode=en&DocumentPartId=&Action=Launch&_ga=2.194142766.2067879716.1690216773-1911411808.1686627590"
}
]
},
"generator": {
"engine": "Vulnogram 0.1.0-dev"
},
"source": {
"discovery": "UNKNOWN"
},
"work_around": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\nThe BinaryFormatter class used in implementation of zenon runtime is considered unsafe, as it allows users to create arbitrary classes not limited to the classes the developer intended to deserialize. By deserializing user-controlled content, it may be possible\nfor attackers may potentially load and run random code.&nbsp; The mitigation steps are as follows:\n\u25aa In the Engineering Studio application remove the .cdwpf files from the graphics\nfolder of each project that contains .cdwpf files created by the 3D Configurator\ntool.\n\u25aa On the system with the Engineering Studio, for each affected project, remove\nthe RT folder containing the Service Engine files\n\u25aa Compile new files in the Engineering Studio for each affected project\n\u25aa On the system with the Service Engine, remove the RT folder of each affected\nproject\n\u25aa Transport to or place onto the system with the Service Engine the newly created Service Engine files that no longer contain the .cdwpf files\n\u2022 Note: the vulnerability only exists if the 3D configurator tool is used to generate .cdwpf files\nthat are used in screens in projects for display of 3D models\n\n<br>"
}
],
"value": "\nThe BinaryFormatter class used in implementation of zenon runtime is considered unsafe, as it allows users to create arbitrary classes not limited to the classes the developer intended to deserialize. By deserializing user-controlled content, it may be possible\nfor attackers may potentially load and run random code.\u00a0 The mitigation steps are as follows:\n\u25aa In the Engineering Studio application remove the .cdwpf files from the graphics\nfolder of each project that contains .cdwpf files created by the 3D Configurator\ntool.\n\u25aa On the system with the Engineering Studio, for each affected project, remove\nthe RT folder containing the Service Engine files\n\u25aa Compile new files in the Engineering Studio for each affected project\n\u25aa On the system with the Service Engine, remove the RT folder of each affected\nproject\n\u25aa Transport to or place onto the system with the Service Engine the newly created Service Engine files that no longer contain the .cdwpf files\n\u2022 Note: the vulnerability only exists if the 3D configurator tool is used to generate .cdwpf files\nthat are used in screens in projects for display of 3D models\n\n\n"
}
],
"credits": [
{
"lang": "en",
"value": "ABB thanks Noam Moshe of Claroty Research - Team82, for helping to identify the vulnerabilities and protecting our customers."
}
],
"impact": {
"cvss": [
{
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:H/A:H",
"version": "3.1"
}
]
}

18
2023/3xxx/CVE-2023-3891.json Normal file
View File

@ -0,0 +1,18 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2023-3891",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
}
]
}
}