CVE-2023-4088

Incorrect Default Permissions vulnerability in Mitsubishi Electric Corporation multiple FA engineering software products allows a malicious local attacker to execute a malicious code, resulting in information disclosure, tampering with and deletion, or a denial-of-service (DoS) condition, if the product is installed in a folder other than the default installation folder.

CVSS v3 9.3 CRITICAL

9.3^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 2.5 / Impact : 6.0

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://jvn.jp/vu/JVNVU96447193/index.html
https://www.cisa.gov/news-events/ics-advisories/icsa-23-269-03
https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2023-010_en.pdf	Vendor Advisory
https://jvn.jp/vu/JVNVU96447193/index.html
https://www.cisa.gov/news-events/ics-advisories/icsa-23-269-03
https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2023-010_en.pdf	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:mitsubishielectric:gx_works3:*:*:*:*:*:*:*:*

History

21 Nov 2024, 08:34

Type	Values Removed	Values Added
References	~~() https://jvn.jp/vu/JVNVU96447193/index.html -~~	() https://jvn.jp/vu/JVNVU96447193/index.html -
References	~~() https://www.cisa.gov/news-events/ics-advisories/icsa-23-269-03 -~~	() https://www.cisa.gov/news-events/ics-advisories/icsa-23-269-03 -
References	~~() https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2023-010_en.pdf - Vendor Advisory~~	() https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2023-010_en.pdf - Vendor Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~7.8~~	v2 : unknown v3 : 9.3

04 Jul 2024, 10:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-09-20 03:15

Updated : 2024-11-21 08:34

NVD link : CVE-2023-4088

Mitre link : CVE-2023-4088

CVE.ORG link : CVE-2023-4088

JSON object : View

Products Affected

mitsubishielectric

gx_works3

CWE

CWE-276

Incorrect Default Permissions

{"id": "CVE-2023-4088", "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.3, "attackVector": "LOCAL", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 2.5}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}]}, "published": "2023-09-20T03:15:13.687", "references": [{"url": "https://jvn.jp/vu/JVNVU96447193/index.html", "source": "Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp"}, {"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-269-03", "source": "Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp"}, {"url": "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2023-010_en.pdf", "tags": ["Vendor Advisory"], "source": "Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp"}, {"url": "https://jvn.jp/vu/JVNVU96447193/index.html", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-269-03", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2023-010_en.pdf", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp", "description": [{"lang": "en", "value": "CWE-276"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-276"}]}], "descriptions": [{"lang": "en", "value": "Incorrect Default Permissions vulnerability in Mitsubishi Electric Corporation multiple FA engineering software products allows a malicious local attacker to execute a malicious code, resulting in information disclosure, tampering with and deletion, or a denial-of-service (DoS) condition, if the product is installed in a folder other than the default installation folder."}, {"lang": "es", "value": "Vulnerabilidad de Permisos Predeterminados Incorrectos debido a una soluci\u00f3n incompleta para abordar CVE-2020-14496 en los productos de software de ingenier\u00eda de Mitsubishi Electric Corporation FA permite que un atacante local malicioso ejecute un c\u00f3digo malicioso, lo que podr\u00eda resultar en la divulgaci\u00f3n, manipulaci\u00f3n y eliminaci\u00f3n de informaci\u00f3n, o una condici\u00f3n de denegaci\u00f3n fuera de servicio (DoS). Sin embargo, si la versi\u00f3n mitigada descrita en el aviso para CVE-2020-14496 se utiliza y se instala en la carpeta de instalaci\u00f3n predeterminada, esta vulnerabilidad no afecta a los productos."}], "lastModified": "2024-11-21T08:34:21.840", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:mitsubishielectric:gx_works3:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F4AEDEEE-5070-41E2-B4DC-6DE8456BC028"}], "operator": "OR"}]}], "sourceIdentifier": "Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp"}