CVE-2023-29446

An improper input validation vulnerability has been discovered that could allow an adversary to inject a UNC path via a malicious project file. This allows an adversary to capture NLTMv2 hashes and potentially crack them offline.
Configurations

Configuration 1 (hide)

cpe:2.3:a:ptc:kepware_kepserverex:*:*:*:*:*:*:*:*

Configuration 2 (hide)

cpe:2.3:a:ptc:thingworx_kepware_server:*:*:*:*:*:*:*:*

Configuration 3 (hide)

cpe:2.3:a:ptc:thingworx_industrial_connectivity:*:*:*:*:*:*:*:*

History

21 Nov 2024, 07:57

Type Values Removed Values Added
References () https://www.cisa.gov/news-events/ics-advisories/icsa-23-243-03 - Third Party Advisory, US Government Resource () https://www.cisa.gov/news-events/ics-advisories/icsa-23-243-03 - Third Party Advisory, US Government Resource
References () https://www.dragos.com/advisory/ptcs-kepserverex-vulnerabilities/ - Third Party Advisory () https://www.dragos.com/advisory/ptcs-kepserverex-vulnerabilities/ - Third Party Advisory
References () https://www.ptc.com/en/support/article/cs399528 - Vendor Advisory () https://www.ptc.com/en/support/article/cs399528 - Vendor Advisory

08 Oct 2024, 16:15

Type Values Removed Values Added
Summary (en) An improper input validation vulnerability has been discovered that could allow an adversary to inject a UNC path via a malicious project file. This allows an adversary to capture NLTMv2 hashes and potentially crack them offline.  (en) An improper input validation vulnerability has been discovered that could allow an adversary to inject a UNC path via a malicious project file. This allows an adversary to capture NLTMv2 hashes and potentially crack them offline.
CWE CWE-40

19 Jan 2024, 19:50

Type Values Removed Values Added
New CVE

Information

Published : 2024-01-10 21:15

Updated : 2024-11-21 07:57


NVD link : CVE-2023-29446

Mitre link : CVE-2023-29446

CVE.ORG link : CVE-2023-29446


JSON object : View

Products Affected

ptc

  • thingworx_kepware_server
  • thingworx_industrial_connectivity
  • kepware_kepserverex
CWE
CWE-40

Path Traversal: '\\UNC\share\name\' (Windows UNC Share)

CWE-20

Improper Input Validation