CVE-2023-31222

Deserialization of untrusted data in Microsoft Messaging Queuing Service in Medtronic's Paceart Optima versions 1.11 and earlier on Windows allows an unauthorized user to impact a healthcare delivery organization’s Paceart Optima system cardiac device causing data to be deleted, stolen, or modified, or the Paceart Optima system being used for further network penetration via network connectivity.

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://global.medtronic.com/xg-en/product-security/security-bulletins/paceart-optima-system.html	Mitigation Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:medtronic:paceart_optima:*:*:*:*:*:windows:*:*

History

07 Jul 2023, 16:13

Type	Values Removed	Values Added
CPE		cpe:2.3:a:medtronic:paceart_optima::::::windows::*
References	~~(MISC) https://global.medtronic.com/xg-en/product-security/security-bulletins/paceart-optima-system.html -~~	(MISC) https://global.medtronic.com/xg-en/product-security/security-bulletins/paceart-optima-system.html - Mitigation, Vendor Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 8.8
CWE		CWE-502

29 Jun 2023, 18:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-06-29 16:15

Updated : 2024-02-04 23:37

NVD link : CVE-2023-31222

Mitre link : CVE-2023-31222

CVE.ORG link : CVE-2023-31222

JSON object : View

Products Affected

medtronic

paceart_optima

CWE

CWE-502

Deserialization of Untrusted Data

{"id": "CVE-2023-31222", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "security@medtronic.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2023-06-29T16:15:09.777", "references": [{"url": "https://global.medtronic.com/xg-en/product-security/security-bulletins/paceart-optima-system.html", "tags": ["Mitigation", "Vendor Advisory"], "source": "security@medtronic.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-502"}]}, {"type": "Secondary", "source": "security@medtronic.com", "description": [{"lang": "en", "value": "CWE-502"}]}], "descriptions": [{"lang": "en", "value": "Deserialization of untrusted data\u00a0in Microsoft Messaging Queuing Service in Medtronic's Paceart Optima versions 1.11 and earlier on Windows allows an unauthorized user to impact a\u00a0healthcare delivery organization\u2019s Paceart Optima system\u00a0cardiac device causing data to be deleted, stolen, or modified, or the Paceart Optima system being used for further network penetration\u00a0via network connectivity."}], "lastModified": "2023-07-07T16:13:00.783", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:medtronic:paceart_optima:*:*:*:*:*:windows:*:*", "vulnerable": true, "matchCriteriaId": "A39B5C21-C4A0-4F23-93BF-A0E5AA01DA65", "versionEndExcluding": "1.12"}], "operator": "OR"}]}], "sourceIdentifier": "security@medtronic.com"}