CVE-2023-4816

A vulnerability exists in the Equipment Tag Out authentication, when configured with Single Sign-On (SSO) with password validation in T214. This vulnerability can be exploited by an authenticated user per-forming an Equipment Tag Out holder action (Accept, Release, and Clear) for another user and entering an arbitrary password in the holder action confirmation dialog box. Despite entering an arbitrary password in the confirmation box, the system will execute the selected holder action.

CVSS v3 6.9 MEDIUM

6.9^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.7 / Impact : 4.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact LOW

Scope CHANGED

References

Link	Resource
https://images.go.hitachienergy.com/Web/ABBEnterpriseSoftware/%7B70b3d323-4866-42e1-8a75-58996729c1d4%7D_8DBD000172-VU-2023-23_Asset_Suite_Tagout_vulnerability_Rev1.pdf	Vendor Advisory
https://images.go.hitachienergy.com/Web/ABBEnterpriseSoftware/%7B70b3d323-4866-42e1-8a75-58996729c1d4%7D_8DBD000172-VU-2023-23_Asset_Suite_Tagout_vulnerability_Rev1.pdf	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:hitachienergy:asset_suite::::::::
	cpe:2.3:a:hitachienergy:asset_suite:9.6.4:::::::*

History

21 Nov 2024, 08:36

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-09-11 08:15

Updated : 2024-11-21 08:36

NVD link : CVE-2023-4816

Mitre link : CVE-2023-4816

CVE.ORG link : CVE-2023-4816

JSON object : View

Products Affected

hitachienergy

asset_suite

CWE

CWE-287

Improper Authentication

{"id": "CVE-2023-4816", "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "cybersecurity@hitachienergy.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:N/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "HIGH", "confidentialityImpact": "NONE"}, "impactScore": 4.7, "exploitabilityScore": 1.7}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2023-09-11T08:15:07.917", "references": [{"url": "https://images.go.hitachienergy.com/Web/ABBEnterpriseSoftware/%7B70b3d323-4866-42e1-8a75-58996729c1d4%7D_8DBD000172-VU-2023-23_Asset_Suite_Tagout_vulnerability_Rev1.pdf", "tags": ["Vendor Advisory"], "source": "cybersecurity@hitachienergy.com"}, {"url": "https://images.go.hitachienergy.com/Web/ABBEnterpriseSoftware/%7B70b3d323-4866-42e1-8a75-58996729c1d4%7D_8DBD000172-VU-2023-23_Asset_Suite_Tagout_vulnerability_Rev1.pdf", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "cybersecurity@hitachienergy.com", "description": [{"lang": "en", "value": "CWE-287"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-287"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability exists in the Equipment Tag Out authentication, when configured with Single Sign-On (SSO) with password validation in T214. This vulnerability can be exploited by an authenticated user per-forming an Equipment Tag Out holder action (Accept, Release, and Clear) for another user and entering an arbitrary password in the holder action confirmation dialog box. Despite entering an arbitrary password in the confirmation box, the system will execute the selected holder action."}, {"lang": "es", "value": "Existe una vulnerabilidad en la autenticaci\u00f3n de Etiquetado de Equipos, cuando se configura con Inicio de Sesi\u00f3n \u00danico con validaci\u00f3n de contrase\u00f1a en T214. Esta vulnerabilidad puede ser explotada por un usuario autenticado que realiza una acci\u00f3n de titular de Etiquetado de Equipo (Aceptar, Liberar y Borrar) para otro usuario e ingresa una contrase\u00f1a arbitraria en el cuadro de di\u00e1logo de confirmaci\u00f3n de la acci\u00f3n del titular. A pesar de ingresar una contrase\u00f1a arbitraria en el cuadro de confirmaci\u00f3n, el sistema ejecutar\u00e1 la acci\u00f3n del titular seleccionado."}], "lastModified": "2024-11-21T08:36:01.933", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:hitachienergy:asset_suite:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FAC84DA0-C8A5-433E-A812-7E182295CD06", "versionEndIncluding": "9.6.3.11.1"}, {"criteria": "cpe:2.3:a:hitachienergy:asset_suite:9.6.4:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6D04B485-9331-43B1-A8D9-4C245E20738A"}], "operator": "OR"}]}], "sourceIdentifier": "cybersecurity@hitachienergy.com"}