diff --git a/2021/40xxx/CVE-2021-40422.json b/2021/40xxx/CVE-2021-40422.json
index bf2706b6702..a0fe678fc16 100644
--- a/2021/40xxx/CVE-2021-40422.json
+++ b/2021/40xxx/CVE-2021-40422.json
@@ -4,9 +4,8 @@
 "data_format": "MITRE",
 "CVE_data_meta": {
 "ID": "CVE-2021-40422",
- "STATE": "PUBLIC",
- "DATE_PUBLIC": "2022-02-28",
- "ASSIGNER": "talos-cna@cisco.com"
+ "ASSIGNER": "talos-cna@cisco.com",
+ "STATE": "PUBLIC"
 },
 "description": {
 "description_data": [
@@ -16,35 +15,19 @@
 }
 ]
 },
- "references": {
- "reference_data": [
- {
- "refsource": "MISC",
- "name": "https://talosintelligence.com/vulnerability_reports/TALOS-2021-1431",
- "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2021-1431"
- }
- ]
- },
 "problemtype": {
 "problemtype_data": [
 {
 "description": [
 {
 "lang": "eng",
- "value": "CWE-798: Use of Hard-coded Credentials"
+ "value": "CWE-798: Use of Hard-coded Credentials",
+ "cweId": "CWE-798"
 }
 ]
 }
 ]
 },
- "impact": {
- "cvss": {
- "baseScore": 10.0,
- "baseSeverity": null,
- "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
- "version": "3.0"
- }
- },
 "affects": {
 "vendor": {
 "vendor_data": [
@@ -57,8 +40,8 @@
 "version": {
 "version_data": [
 {
- "version_value": "SG3-1010",
- "version_affected": "="
+ "version_affected": "=",
+ "version_value": "SG3-1010"
 }
 ]
 }
@@ -68,5 +51,38 @@
 }
 ]
 }
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2021-1431",
+ "refsource": "MISC",
+ "name": "https://talosintelligence.com/vulnerability_reports/TALOS-2021-1431"
+ }
+ ]
+ },
+ "credits": [
+ {
+ "lang": "en",
+ "value": "Discovered by Dave McDaniel of Cisco Talos."
+ }
+ ],
+ "impact": {
+ "cvss": [
+ {
+ "version": "3.1",
+ "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
+ "attackVector": "NETWORK",
+ "attackComplexity": "LOW",
+ "privilegesRequired": "NONE",
+ "userInteraction": "NONE",
+ "scope": "CHANGED",
+ "confidentialityImpact": "HIGH",
+ "integrityImpact": "HIGH",
+ "availabilityImpact": "HIGH",
+ "baseScore": 10,
+ "baseSeverity": "CRITICAL"
+ }
+ ]
 }
 }
\ No newline at end of file
diff --git a/2023/1xxx/CVE-2023-1748.json b/2023/1xxx/CVE-2023-1748.json
index fe53728b0ff..c62f6eb39f0 100644
--- a/2023/1xxx/CVE-2023-1748.json
+++ b/2023/1xxx/CVE-2023-1748.json
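Review bot: In the CVE-2021-40422 record, the added `credits` entry is tagged `"lang": "en"` while the `problemtype` description in the same file keeps `"lang": "eng"`, so a consumer that filters on one tag will miss the other; `"lang": "eng"` here would keep the record uniform. The re-added `impact.cvss` block also relabels the score from 3.0 to 3.1 (`"version": "3.1"`, `CVSS:3.1/...`) with the same base metrics. The base score comes out the same under both versions, but tooling that keys on the version string will see a change, so it is worth confirming the relabel against TALOS-2021-1431. The enclosing JSON object starts outside this hunk.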
@@ -1,17 +1,113 @@
 {
+ "data_version": "4.0",
 "data_type": "CVE",
 "data_format": "MITRE",
- "data_version": "4.0",
 "CVE_data_meta": {
 "ID": "CVE-2023-1748",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "ASSIGNER": "ics-cert@hq.dhs.gov",
+ "STATE": "PUBLIC"
 },
 "description": {
 "description_data": [
 {
 "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "The listed versions of Nexx Smart Home devices use hard-coded credentials. An attacker with unauthenticated access to the Nexx Home mobile application or the affected firmware could view the credentials and access the MQ Telemetry Server (MQTT) server and the ability to remotely control garage doors or smart plugs for any customer."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-798 Use of Hard-coded Credentials"
+ }
+ ]
+ }
+ ]
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "Nexx",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "Smart Alarm NXAL-100",
+ "version": {
+ "version_data": [
+ {
+ "version_affected": "<=",
+ "version_name": "0",
+ "version_value": "nxal100v-p1-9-1"
+ }
+ ]
+ }
+ },
+ {
+ "product_name": "Smart Plug NXPG-100W",
+ "version": {
+ "version_data": [
+ {
+ "version_affected": "<=",
+ "version_name": "0",
+ "version_value": "nxpg100cv4-0-0"
+ }
+ ]
+ }
+ },
+ {
+ "product_name": "Garage Door Controller NXG-100B, NXG-200",
+ "version": {
+ "version_data": [
+ {
+ "version_affected": "<=",
+ "version_name": "0",
+ "version_value": "nxg200v-p3-4-1"
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-094-01",
+ "refsource": "MISC",
+ "name": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-094-01"
+ }
+ ]
+ },
+ "generator": {
+ "engine": "VINCE 2.0.7",
+ "env": "prod",
+ "origin": "https://cveawg.mitre.org/api/cve/CVE-2023-1748"
+ },
+ "source": {
+ "discovery": "UNKNOWN"
+ },
+ "impact": {
+ "cvss": [
+ {
+ "version": "3.1",
+ "attackVector": "NETWORK",
+ "attackComplexity": "LOW",
+ "privilegesRequired": "NONE",
+ "userInteraction": "NONE",
+ "scope": "CHANGED",
+ "confidentialityImpact": "HIGH",
+ "integrityImpact": "NONE",
+ "availabilityImpact": "LOW",
+ "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L",
+ "baseScore": 9.3,
+ "baseSeverity": "CRITICAL"
 }
 ]
 }
diff --git a/2023/1xxx/CVE-2023-1749.json b/2023/1xxx/CVE-2023-1749.json
index c73a7760495..7ee06e83153 100644
--- a/2023/1xxx/CVE-2023-1749.json
+++ b/2023/1xxx/CVE-2023-1749.json
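Review bot: In the CVE-2023-1748 record, `"integrityImpact": "NONE"` (`I:N` in the vector) sits oddly with the description, which says an attacker can remotely control garage doors or smart plugs for any customer; that reads as an integrity impact, so the vector and the derived 9.3 score should be checked against ICSA-23-094-01 rather than taken as given. The description is also garbled at "access the MQ Telemetry Server (MQTT) server and the ability to remotely control": MQTT is MQ Telemetry Transport, and the clause would read better as `access the MQTT server and remotely control garage doors or smart plugs for any customer`. The `problemtype` entry here, and in the CVE-2023-1749 to CVE-2023-1752 hunks, has no `"cweId"` field, unlike the CVE-2021-40422 record in this same change, which carries `"cweId": "CWE-798"`; adding it lets consumers match on the identifier instead of parsing the free-text value.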
@@ -1,17 +1,113 @@
 {
+ "data_version": "4.0",
 "data_type": "CVE",
 "data_format": "MITRE",
- "data_version": "4.0",
 "CVE_data_meta": {
 "ID": "CVE-2023-1749",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "ASSIGNER": "ics-cert@hq.dhs.gov",
+ "STATE": "PUBLIC"
 },
 "description": {
 "description_data": [
 {
 "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "The listed versions of Nexx Smart Home devices lack proper access control when executing actions. An attacker with a valid NexxHome deviceId could send API requests that the affected devices would execute."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-639 Authorization Bypass Through User-Controlled Key"
+ }
+ ]
+ }
+ ]
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "Nexx",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "Smart Alarm NXAL-100",
+ "version": {
+ "version_data": [
+ {
+ "version_affected": "<=",
+ "version_name": "0",
+ "version_value": "nxal100v-p1-9-1"
+ }
+ ]
+ }
+ },
+ {
+ "product_name": "Smart Plug NXPG-100W",
+ "version": {
+ "version_data": [
+ {
+ "version_affected": "<=",
+ "version_name": "0",
+ "version_value": "nxpg100cv4-0-0"
+ }
+ ]
+ }
+ },
+ {
+ "product_name": "Garage Door Controller NXG-100B, NXG-200",
+ "version": {
+ "version_data": [
+ {
+ "version_affected": "<=",
+ "version_name": "0",
+ "version_value": "nxg200v-p3-4-1"
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-094-01",
+ "refsource": "MISC",
+ "name": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-094-01"
+ }
+ ]
+ },
+ "generator": {
+ "engine": "VINCE 2.0.7",
+ "env": "prod",
+ "origin": "https://cveawg.mitre.org/api/cve/CVE-2023-1749"
+ },
+ "source": {
+ "discovery": "UNKNOWN"
+ },
+ "impact": {
+ "cvss": [
+ {
+ "version": "3.1",
+ "attackVector": "NETWORK",
+ "attackComplexity": "LOW",
+ "privilegesRequired": "LOW",
+ "userInteraction": "NONE",
+ "scope": "UNCHANGED",
+ "confidentialityImpact": "NONE",
+ "integrityImpact": "HIGH",
+ "availabilityImpact": "NONE",
+ "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
+ "baseScore": 6.5,
+ "baseSeverity": "MEDIUM"
 }
 ]
 }
diff --git a/2023/1xxx/CVE-2023-1750.json b/2023/1xxx/CVE-2023-1750.json
index c8c2b01b60e..a8fa1711dcf 100644
--- a/2023/1xxx/CVE-2023-1750.json
+++ b/2023/1xxx/CVE-2023-1750.json
@@ -1,17 +1,113 @@
 {
+ "data_version": "4.0",
 "data_type": "CVE",
 "data_format": "MITRE",
- "data_version": "4.0",
 "CVE_data_meta": {
 "ID": "CVE-2023-1750",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "ASSIGNER": "ics-cert@hq.dhs.gov",
+ "STATE": "PUBLIC"
 },
 "description": {
 "description_data": [
 {
 "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "The listed versions of Nexx Smart Home devices lack proper access control when executing actions. An attacker with a valid NexxHome deviceId could retrieve device history, set device settings, and retrieve device information."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-639 Authorization Bypass Through User-Controlled Key"
+ }
+ ]
+ }
+ ]
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "Nexx",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "Smart Alarm NXAL-100",
+ "version": {
+ "version_data": [
+ {
+ "version_affected": "<=",
+ "version_name": "0",
+ "version_value": "nxal100v-p1-9-1"
+ }
+ ]
+ }
+ },
+ {
+ "product_name": "Smart Plug NXPG-100W",
+ "version": {
+ "version_data": [
+ {
+ "version_affected": "<=",
+ "version_name": "0",
+ "version_value": "nxpg100cv4-0-0"
+ }
+ ]
+ }
+ },
+ {
+ "product_name": "Garage Door Controller NXG-100B, NXG-200",
+ "version": {
+ "version_data": [
+ {
+ "version_affected": "<=",
+ "version_name": "0",
+ "version_value": "nxg200v-p3-4-1"
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-094-01",
+ "refsource": "MISC",
+ "name": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-094-01"
+ }
+ ]
+ },
+ "generator": {
+ "engine": "VINCE 2.0.7",
+ "env": "prod",
+ "origin": "https://cveawg.mitre.org/api/cve/CVE-2023-1750"
+ },
+ "source": {
+ "discovery": "UNKNOWN"
+ },
+ "impact": {
+ "cvss": [
+ {
+ "version": "3.1",
+ "attackVector": "NETWORK",
+ "attackComplexity": "LOW",
+ "privilegesRequired": "LOW",
+ "userInteraction": "NONE",
+ "scope": "UNCHANGED",
+ "confidentialityImpact": "HIGH",
+ "integrityImpact": "LOW",
+ "availabilityImpact": "NONE",
+ "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
+ "baseScore": 7.1,
+ "baseSeverity": "HIGH"
 }
 ]
 }
diff --git a/2023/1xxx/CVE-2023-1751.json b/2023/1xxx/CVE-2023-1751.json
index af8129d7ba6..92cf4f8ad27 100644
--- a/2023/1xxx/CVE-2023-1751.json
+++ b/2023/1xxx/CVE-2023-1751.json
@@ -1,17 +1,113 @@
 {
+ "data_version": "4.0",
 "data_type": "CVE",
 "data_format": "MITRE",
- "data_version": "4.0",
 "CVE_data_meta": {
 "ID": "CVE-2023-1751",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "ASSIGNER": "ics-cert@hq.dhs.gov",
+ "STATE": "PUBLIC"
 },
 "description": {
 "description_data": [
 {
 "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "The listed versions of Nexx Smart Home devices use a WebSocket server that does not validate if the bearer token in the Authorization header belongs to the device attempting to associate. This could allow any authorized user to receive alarm information and signals meant for other devices which leak a deviceId."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-20 Improper Input Validation"
+ }
+ ]
+ }
+ ]
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "Nexx",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "Smart Alarm NXAL-100",
+ "version": {
+ "version_data": [
+ {
+ "version_affected": "<=",
+ "version_name": "0",
+ "version_value": "nxal100v-p1-9-1"
+ }
+ ]
+ }
+ },
+ {
+ "product_name": "Smart Plug NXPG-100W",
+ "version": {
+ "version_data": [
+ {
+ "version_affected": "<=",
+ "version_name": "0",
+ "version_value": "nxpg100cv4-0-0"
+ }
+ ]
+ }
+ },
+ {
+ "product_name": "Garage Door Controller NXG-100B, NXG-200",
+ "version": {
+ "version_data": [
+ {
+ "version_affected": "<=",
+ "version_name": "0",
+ "version_value": "nxg200v-p3-4-1"
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-094-01",
+ "refsource": "MISC",
+ "name": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-094-01"
+ }
+ ]
+ },
+ "generator": {
+ "engine": "VINCE 2.0.7",
+ "env": "prod",
+ "origin": "https://cveawg.mitre.org/api/cve/CVE-2023-1751"
+ },
+ "source": {
+ "discovery": "UNKNOWN"
+ },
+ "impact": {
+ "cvss": [
+ {
+ "version": "3.1",
+ "attackVector": "NETWORK",
+ "attackComplexity": "LOW",
+ "privilegesRequired": "NONE",
+ "userInteraction": "NONE",
+ "scope": "UNCHANGED",
+ "confidentialityImpact": "HIGH",
+ "integrityImpact": "NONE",
+ "availabilityImpact": "NONE",
+ "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
+ "baseScore": 7.5,
+ "baseSeverity": "HIGH"
 }
 ]
 }
diff --git a/2023/1xxx/CVE-2023-1752.json b/2023/1xxx/CVE-2023-1752.json
index 59a9da1ca69..07964e56f2f 100644
--- a/2023/1xxx/CVE-2023-1752.json
+++ b/2023/1xxx/CVE-2023-1752.json
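Review bot: In the CVE-2023-1751 record, `"privilegesRequired": "NONE"` (`PR:N`) conflicts with the description, which says the flaw lets "any authorized user" receive other devices' alarm data and refers to a bearer token in the Authorization header. If a valid account token is needed, `PR:L` would be the matching metric and the 7.5 score would change, so this should be reconciled with the CISA advisory. The weakness is classified as `CWE-20 Improper Input Validation`, but what the text describes is a token that is not checked against the device it is used for, which is an authorization failure; CWE-639, already used for CVE-2023-1749 and CVE-2023-1750 in this change, or CWE-863 looks like a closer fit.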
@@ -1,17 +1,113 @@
 {
+ "data_version": "4.0",
 "data_type": "CVE",
 "data_format": "MITRE",
- "data_version": "4.0",
 "CVE_data_meta": {
 "ID": "CVE-2023-1752",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "ASSIGNER": "ics-cert@hq.dhs.gov",
+ "STATE": "PUBLIC"
 },
 "description": {
 "description_data": [
 {
 "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "The listed versions of Nexx Smart Home devices could allow any user to register an already registered alarm or associated device with only the device\u2019s MAC address."
+ }
+ ]
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-287 Improper Authentication"
+ }
+ ]
+ }
+ ]
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "Nexx",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "Smart Alarm NXAL-100",
+ "version": {
+ "version_data": [
+ {
+ "version_affected": "<=",
+ "version_name": "0",
+ "version_value": "nxal100v-p1-9-1"
+ }
+ ]
+ }
+ },
+ {
+ "product_name": "Smart Plug NXPG-100W",
+ "version": {
+ "version_data": [
+ {
+ "version_affected": "<=",
+ "version_name": "0",
+ "version_value": "nxpg100cv4-0-0"
+ }
+ ]
+ }
+ },
+ {
+ "product_name": "Garage Door Controller NXG-100B, NXG-200",
+ "version": {
+ "version_data": [
+ {
+ "version_affected": "<=",
+ "version_name": "0",
+ "version_value": "nxg200v-p3-4-1"
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-094-01",
+ "refsource": "MISC",
+ "name": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-094-01"
+ }
+ ]
+ },
+ "generator": {
+ "engine": "VINCE 2.0.7",
+ "env": "prod",
+ "origin": "https://cveawg.mitre.org/api/cve/CVE-2023-1752"
+ },
+ "source": {
+ "discovery": "UNKNOWN"
+ },
+ "impact": {
+ "cvss": [
+ {
+ "version": "3.1",
+ "attackVector": "NETWORK",
+ "attackComplexity": "LOW",
+ "privilegesRequired": "LOW",
+ "userInteraction": "NONE",
+ "scope": "UNCHANGED",
+ "confidentialityImpact": "HIGH",
+ "integrityImpact": "NONE",
+ "availabilityImpact": "HIGH",
+ "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
+ "baseScore": 8.1,
+ "baseSeverity": "HIGH"
 }
 ]
 }
diff --git a/2023/1xxx/CVE-2023-1838.json b/2023/1xxx/CVE-2023-1838.json
new file mode 100644
index 00000000000..d6a19122c15
--- /dev/null
+++ b/2023/1xxx/CVE-2023-1838.json
@@ -0,0 +1,18 @@
+{
+ "data_type": "CVE",
+ "data_format": "MITRE",
+ "data_version": "4.0",
+ "CVE_data_meta": {
+ "ID": "CVE-2023-1838",
+ "ASSIGNER": "cve@mitre.org",
+ "STATE": "RESERVED"
+ },
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ }
+ ]
+ }
+}
\ No newline at end of file