CVE-2023-25931

Medtronic identified that the Pelvic Health clinician apps, which are installed on the Smart Programmer mobile device, have a password vulnerability that requires a security update to fix. Not updating could potentially result in unauthorized control of the clinician therapy application, which has greater control over therapy parameters than the patient app. Changes still cannot be made outside of the established therapy parameters of the programmer. For unauthorized access to occur, an individual would need physical access to the Smart Programmer.

CVSS v3 6.8 MEDIUM

6.8^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 0.9 / Impact : 5.9

Attack Vector PHYSICAL

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://global.medtronic.com/xg-en/product-security/security-bulletins/pelvic-health-interstim-micro.html	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:medtronic:interstim_x_clinician:a51300:::::::*
	cpe:2.3:a:medtronic:micro_clinician:a51200:::::::*

History

09 Mar 2023, 00:53

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 6.8
CWE		CWE-287
References	~~(MISC) https://global.medtronic.com/xg-en/product-security/security-bulletins/pelvic-health-interstim-micro.html -~~	(MISC) https://global.medtronic.com/xg-en/product-security/security-bulletins/pelvic-health-interstim-micro.html - Vendor Advisory
CPE		cpe:2.3:a:medtronic:interstim_x_clinician:a51300:::::::* cpe:2.3:a:medtronic:micro_clinician:a51200:::::::*

01 Mar 2023, 20:34

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-03-01 19:15

Updated : 2024-02-04 23:14

NVD link : CVE-2023-25931

Mitre link : CVE-2023-25931

CVE.ORG link : CVE-2023-25931

JSON object : View

Products Affected

medtronic

interstim_x_clinician
micro_clinician

CWE

CWE-287

Improper Authentication

CWE-620

Unverified Password Change

{"id": "CVE-2023-25931", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.8, "attackVector": "PHYSICAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 0.9}, {"type": "Secondary", "source": "security@medtronic.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.4, "attackVector": "PHYSICAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 5.5, "exploitabilityScore": 0.9}]}, "published": "2023-03-01T19:15:26.047", "references": [{"url": "https://global.medtronic.com/xg-en/product-security/security-bulletins/pelvic-health-interstim-micro.html", "tags": ["Vendor Advisory"], "source": "security@medtronic.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-287"}]}, {"type": "Secondary", "source": "security@medtronic.com", "description": [{"lang": "en", "value": "CWE-620"}]}], "descriptions": [{"lang": "en", "value": "Medtronic identified that the Pelvic Health clinician apps, which are installed on the Smart Programmer mobile device, have a password vulnerability that requires a security update to fix. Not updating could potentially result in unauthorized control of the clinician therapy application, which has greater control over therapy parameters than the patient app. Changes still cannot be made outside of the established therapy parameters of the programmer. For unauthorized access to occur, an individual would need physical access to the Smart Programmer. \n\n"}], "lastModified": "2023-11-07T04:09:15.113", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:medtronic:interstim_x_clinician:a51300:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "81EEC6A7-21C5-46B5-83BD-C3BF94A6D41B"}, {"criteria": "cpe:2.3:a:medtronic:micro_clinician:a51200:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8BDDEB06-CB9C-4CD4-B0E1-59B870AAC7C1"}], "operator": "OR"}]}], "sourceIdentifier": "security@medtronic.com"}