Search criteria
22 vulnerabilities
CVE-2024-10476 (GCVE-0-2024-10476)
Vulnerability from cvelistv5 – Published: 2024-12-17 15:16 – Updated: 2024-12-17 15:35
VLAI?
Summary
Default credentials are used in the above listed BD Diagnostic Solutions products. If exploited, threat actors may be able to access, modify or delete data, including sensitive information such as protected health information (PHI) and personally identifiable information (PII). Exploitation of this vulnerability may allow an attacker to shut down or otherwise impact the availability of the system. Note: BD Synapsys™ Informatics
Solution is only in scope of
this vulnerability when
installed on a NUC server. BD Synapsys™
Informatics Solution installed
on a customer-provided virtual machine or on the BD Kiestra™ SCU hardware is
not in scope.
Severity ?
CWE
- CWE-1392 - USE OF DEFAULT CREDENTIALS
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Becton Dickinson & Co | BD BACTEC™ Blood Culture System |
Affected:
0 , ≤ 7.20
(custom)
|
|||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-10476",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-17T15:35:29.382383Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-17T15:35:43.490Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "BD BACTEC\u2122 Blood Culture System",
"vendor": "Becton Dickinson \u0026 Co",
"versions": [
{
"lessThanOrEqual": "7.20",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "affected",
"product": "BD COR\u2122 System",
"vendor": "Becton Dickinson \u0026 Co",
"versions": [
{
"lessThanOrEqual": "8.90",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "affected",
"product": "BD EpiCenter\u2122 Microbiology Data Management System",
"vendor": "Becton Dickinson \u0026 Co",
"versions": [
{
"lessThanOrEqual": "7.45",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "affected",
"product": "BD MAX\u2122 System",
"vendor": "Becton Dickinson \u0026 Co",
"versions": [
{
"lessThanOrEqual": "6.10",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "affected",
"product": "BD Phoenix\u2122 M50 Automated Microbiology System",
"vendor": "Becton Dickinson \u0026 Co",
"versions": [
{
"lessThanOrEqual": "2.70",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "affected",
"product": "BD Synapsys\u2122 Informatics Solution",
"vendor": "Becton Dickinson \u0026 Co",
"versions": [
{
"lessThanOrEqual": "6.10",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eDefault credentials are used in the above listed BD Diagnostic Solutions products. If exploited, threat actors may be able to access, modify or delete data, including sensitive information such as protected health information (PHI) and personally identifiable information (PII). Exploitation of this vulnerability may allow an attacker to shut down or otherwise impact the availability of the system. Note: BD Synapsys\u2122 Informatics\nSolution is only in scope of\nthis vulnerability when\ninstalled on a NUC server. BD Synapsys\u2122\nInformatics Solution installed\non a customer-provided virtual machine or on the BD Kiestra\u2122 SCU hardware is\nnot in scope.\n\n\u003cbr\u003e\u003cbr\u003e\u003c/p\u003e\n\n\u003cbr\u003e"
}
],
"value": "Default credentials are used in the above listed BD Diagnostic Solutions products. If exploited, threat actors may be able to access, modify or delete data, including sensitive information such as protected health information (PHI) and personally identifiable information (PII). Exploitation of this vulnerability may allow an attacker to shut down or otherwise impact the availability of the system. Note: BD Synapsys\u2122 Informatics\nSolution is only in scope of\nthis vulnerability when\ninstalled on a NUC server. BD Synapsys\u2122\nInformatics Solution installed\non a customer-provided virtual machine or on the BD Kiestra\u2122 SCU hardware is\nnot in scope."
}
],
"impacts": [
{
"capecId": "CAPEC-70",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-70 Try Common or Default Usernames and Passwords"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1392",
"description": "CWE-1392 USE OF DEFAULT CREDENTIALS",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-17T15:16:44.982Z",
"orgId": "2325d071-eabf-4b7b-a4ea-0819b6629a18",
"shortName": "BD"
},
"references": [
{
"url": "https://www.bd.com/en-us/about-bd/cybersecurity/bulletin/bd-cybersecurity-vulnerability-bulletin-diagnostic-solutions-products"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2325d071-eabf-4b7b-a4ea-0819b6629a18",
"assignerShortName": "BD",
"cveId": "CVE-2024-10476",
"datePublished": "2024-12-17T15:16:44.982Z",
"dateReserved": "2024-10-28T18:44:14.990Z",
"dateUpdated": "2024-12-17T15:35:43.490Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-29066 (GCVE-0-2023-29066)
Vulnerability from cvelistv5 – Published: 2023-11-28 20:36 – Updated: 2024-08-02 14:00
VLAI?
Summary
The FACSChorus software does not properly assign data access privileges for operating system user accounts. A non-administrative OS account can modify information stored in the local application data folders.
Severity ?
CWE
- CWE-266 - Incorrect Privilege Assignment
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Becton, Dickinson and Company (BD) | FACSChorus |
Affected:
5.0 , ≤ 5.1
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T14:00:15.314Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.bd.com/en-us/about-bd/cybersecurity/bulletin/bd-facschorus-software"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows",
"64 bit"
],
"product": "FACSChorus",
"vendor": "Becton, Dickinson and Company (BD)",
"versions": [
{
"lessThanOrEqual": "5.1",
"status": "affected",
"version": "5.0",
"versionType": "custom"
}
]
}
],
"datePublic": "2023-11-28T14:24:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The FACSChorus software does not properly assign data access privileges for operating system user accounts. A non-administrative OS account can modify information stored in the local application data folders."
}
],
"value": "The FACSChorus software does not properly assign data access privileges for operating system user accounts. A non-administrative OS account can modify information stored in the local application data folders."
}
],
"impacts": [
{
"capecId": "CAPEC-639",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-639 Probe System Files"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"availabilityImpact": "LOW",
"baseScore": 3.2,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "CWE-266 Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-28T20:36:13.494Z",
"orgId": "2325d071-eabf-4b7b-a4ea-0819b6629a18",
"shortName": "BD"
},
"references": [
{
"url": "https://www.bd.com/en-us/about-bd/cybersecurity/bulletin/bd-facschorus-software"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Incorrect User Management",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\n\n\nVulnerabilities associated with the BD FACSChorus software and workstations will be addressed in an upcoming release. This bulletin will be updated when more information is available. Please check periodically for updates. Additionally, BD recommends the following mitigations and compensating controls to reduce risk associated with these vulnerabilities. The following recommendations apply to all vulnerabilities listed in this bulletin:\u003cbr\u003e\u003cul\u003e\u003cli\u003eEnsure physical access controls are in place and only authorized end-users have access to the BD FACSChorus Software and respective workstation.\u003c/li\u003e\u003cli\u003eIf the BD FACSChorus workstation is connected to the local network, ensure industry standard network security policies and procedures are followed.\u003c/li\u003e\u003cli\u003eAdministrative access to the FACSChorus software and workstation should be strictly controlled by the customer in collaboration with their local IT security policy.\u003c/li\u003e\u003c/ul\u003e"
}
],
"value": "\n\n\nVulnerabilities associated with the BD FACSChorus software and workstations will be addressed in an upcoming release. This bulletin will be updated when more information is available. Please check periodically for updates. Additionally, BD recommends the following mitigations and compensating controls to reduce risk associated with these vulnerabilities. The following recommendations apply to all vulnerabilities listed in this bulletin:\n * Ensure physical access controls are in place and only authorized end-users have access to the BD FACSChorus Software and respective workstation.\n * If the BD FACSChorus workstation is connected to the local network, ensure industry standard network security policies and procedures are followed.\n * Administrative access to the FACSChorus software and workstation should be strictly controlled by the customer in collaboration with their local IT security policy.\n\n\n"
}
],
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "2325d071-eabf-4b7b-a4ea-0819b6629a18",
"assignerShortName": "BD",
"cveId": "CVE-2023-29066",
"datePublished": "2023-11-28T20:36:13.494Z",
"dateReserved": "2023-03-30T21:10:17.527Z",
"dateUpdated": "2024-08-02T14:00:15.314Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-29065 (GCVE-0-2023-29065)
Vulnerability from cvelistv5 – Published: 2023-11-28 20:35 – Updated: 2024-12-02 19:28
VLAI?
Summary
The FACSChorus software database can be accessed directly with the privileges of the currently logged-in user. A threat actor with physical access could potentially gain credentials, which could be used to alter or destroy data stored in the database.
Severity ?
4.1 (Medium)
CWE
- CWE-277 - Insecure Inherited Permissions
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Becton, Dickinson and Company (BD) | FACSChorus |
Affected:
5.0 , ≤ 5.1
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T14:00:14.915Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.bd.com/en-us/about-bd/cybersecurity/bulletin/bd-facschorus-software"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-29065",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2023-12-09T05:05:46.444290Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-02T19:28:37.461Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows",
"64 bit"
],
"product": "FACSChorus",
"vendor": "Becton, Dickinson and Company (BD)",
"versions": [
{
"lessThanOrEqual": "5.1",
"status": "affected",
"version": "5.0",
"versionType": "custom"
}
]
}
],
"datePublic": "2023-11-28T14:24:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The FACSChorus software database can be accessed directly with the privileges of the currently logged-in user. A threat actor with physical access could potentially gain credentials, which could be used to alter or destroy data stored in the database."
}
],
"value": "The FACSChorus software database can be accessed directly with the privileges of the currently logged-in user. A threat actor with physical access could potentially gain credentials, which could be used to alter or destroy data stored in the database."
}
],
"impacts": [
{
"capecId": "CAPEC-1",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"availabilityImpact": "LOW",
"baseScore": 4.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-277",
"description": "CWE-277 Insecure Inherited Permissions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-28T20:35:59.061Z",
"orgId": "2325d071-eabf-4b7b-a4ea-0819b6629a18",
"shortName": "BD"
},
"references": [
{
"url": "https://www.bd.com/en-us/about-bd/cybersecurity/bulletin/bd-facschorus-software"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Overly Permissive Access Policy",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\n\n\nVulnerabilities associated with the BD FACSChorus software and workstations will be addressed in an upcoming release. This bulletin will be updated when more information is available. Please check periodically for updates. Additionally, BD recommends the following mitigations and compensating controls to reduce risk associated with these vulnerabilities. The following recommendations apply to all vulnerabilities listed in this bulletin:\u003cbr\u003e\u003cul\u003e\u003cli\u003eEnsure physical access controls are in place and only authorized end-users have access to the BD FACSChorus Software and respective workstation.\u003c/li\u003e\u003cli\u003eIf the BD FACSChorus workstation is connected to the local network, ensure industry standard network security policies and procedures are followed.\u003c/li\u003e\u003cli\u003eAdministrative access to the FACSChorus software and workstation should be strictly controlled by the customer in collaboration with their local IT security policy.\u003c/li\u003e\u003c/ul\u003e"
}
],
"value": "\n\n\nVulnerabilities associated with the BD FACSChorus software and workstations will be addressed in an upcoming release. This bulletin will be updated when more information is available. Please check periodically for updates. Additionally, BD recommends the following mitigations and compensating controls to reduce risk associated with these vulnerabilities. The following recommendations apply to all vulnerabilities listed in this bulletin:\n * Ensure physical access controls are in place and only authorized end-users have access to the BD FACSChorus Software and respective workstation.\n * If the BD FACSChorus workstation is connected to the local network, ensure industry standard network security policies and procedures are followed.\n * Administrative access to the FACSChorus software and workstation should be strictly controlled by the customer in collaboration with their local IT security policy.\n\n\n"
}
],
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "2325d071-eabf-4b7b-a4ea-0819b6629a18",
"assignerShortName": "BD",
"cveId": "CVE-2023-29065",
"datePublished": "2023-11-28T20:35:59.061Z",
"dateReserved": "2023-03-30T21:10:17.527Z",
"dateUpdated": "2024-12-02T19:28:37.461Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-29064 (GCVE-0-2023-29064)
Vulnerability from cvelistv5 – Published: 2023-11-28 20:35 – Updated: 2024-10-11 17:57
VLAI?
Summary
The FACSChorus software contains sensitive information stored in plaintext. A threat actor could gain hardcoded secrets used by the application, which include tokens and passwords for administrative accounts.
Severity ?
4.1 (Medium)
CWE
- CWE-798 - Use of Hard-coded Credentials
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Becton, Dickinson and Company (BD) | FACSChorus |
Affected:
5.0 , ≤ 5.1
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T14:00:15.704Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.bd.com/en-us/about-bd/cybersecurity/bulletin/bd-facschorus-software"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-29064",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-11T17:51:34.260250Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-11T17:57:54.519Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows",
"64 bit"
],
"product": "FACSChorus",
"vendor": "Becton, Dickinson and Company (BD)",
"versions": [
{
"lessThanOrEqual": "5.1",
"status": "affected",
"version": "5.0",
"versionType": "custom"
}
]
}
],
"datePublic": "2023-11-28T14:24:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The FACSChorus software contains sensitive information stored in plaintext. A threat actor could gain hardcoded secrets used by the application, which include tokens and passwords for administrative accounts."
}
],
"value": "The FACSChorus software contains sensitive information stored in plaintext. A threat actor could gain hardcoded secrets used by the application, which include tokens and passwords for administrative accounts."
}
],
"impacts": [
{
"capecId": "CAPEC-191",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-191 Read Sensitive Strings Within an Executable"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"availabilityImpact": "LOW",
"baseScore": 4.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-798",
"description": "CWE-798 Use of Hard-coded Credentials",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-28T20:35:30.214Z",
"orgId": "2325d071-eabf-4b7b-a4ea-0819b6629a18",
"shortName": "BD"
},
"references": [
{
"url": "https://www.bd.com/en-us/about-bd/cybersecurity/bulletin/bd-facschorus-software"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Hardcoded Secrets",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\n\n\nVulnerabilities associated with the BD FACSChorus software and workstations will be addressed in an upcoming release. This bulletin will be updated when more information is available. Please check periodically for updates. Additionally, BD recommends the following mitigations and compensating controls to reduce risk associated with these vulnerabilities. The following recommendations apply to all vulnerabilities listed in this bulletin:\u003cbr\u003e\u003cul\u003e\u003cli\u003eEnsure physical access controls are in place and only authorized end-users have access to the BD FACSChorus Software and respective workstation.\u003c/li\u003e\u003cli\u003eIf the BD FACSChorus workstation is connected to the local network, ensure industry standard network security policies and procedures are followed.\u003c/li\u003e\u003cli\u003eAdministrative access to the FACSChorus software and workstation should be strictly controlled by the customer in collaboration with their local IT security policy.\u003c/li\u003e\u003c/ul\u003e"
}
],
"value": "\n\n\nVulnerabilities associated with the BD FACSChorus software and workstations will be addressed in an upcoming release. This bulletin will be updated when more information is available. Please check periodically for updates. Additionally, BD recommends the following mitigations and compensating controls to reduce risk associated with these vulnerabilities. The following recommendations apply to all vulnerabilities listed in this bulletin:\n * Ensure physical access controls are in place and only authorized end-users have access to the BD FACSChorus Software and respective workstation.\n * If the BD FACSChorus workstation is connected to the local network, ensure industry standard network security policies and procedures are followed.\n * Administrative access to the FACSChorus software and workstation should be strictly controlled by the customer in collaboration with their local IT security policy.\n\n\n"
}
],
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "2325d071-eabf-4b7b-a4ea-0819b6629a18",
"assignerShortName": "BD",
"cveId": "CVE-2023-29064",
"datePublished": "2023-11-28T20:35:30.214Z",
"dateReserved": "2023-03-30T21:10:17.526Z",
"dateUpdated": "2024-10-11T17:57:54.519Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-29063 (GCVE-0-2023-29063)
Vulnerability from cvelistv5 – Published: 2023-11-28 20:34 – Updated: 2024-08-02 14:00
VLAI?
Summary
The FACSChorus workstation does not prevent physical access to its PCI express (PCIe) slots, which could allow a threat actor to insert a PCI card designed for memory capture. A threat actor can then isolate sensitive information such as a BitLocker encryption key from a dump of the workstation RAM during startup.
Severity ?
CWE
- CWE-1299 - Missing Protection Mechanism for Alternate Hardware Interface
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Becton, Dickinson and Company (BD) | FACSChorus |
Affected:
5.0 , ≤ 5.1
(custom)
Affected: 3.0 , ≤ 3.1 (custom) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T14:00:14.934Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.bd.com/en-us/about-bd/cybersecurity/bulletin/bd-facschorus-software"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows",
"64 bit"
],
"product": "FACSChorus",
"vendor": "Becton, Dickinson and Company (BD)",
"versions": [
{
"lessThanOrEqual": "5.1",
"status": "affected",
"version": "5.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "3.1",
"status": "affected",
"version": "3.0",
"versionType": "custom"
}
]
}
],
"datePublic": "2023-11-28T14:24:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The FACSChorus workstation does not prevent physical access to its PCI express (PCIe) slots, which could allow a threat actor to insert a PCI card designed for memory capture. A threat actor can then isolate sensitive information such as a BitLocker encryption key from a dump of the workstation RAM during startup."
}
],
"value": "The FACSChorus workstation does not prevent physical access to its PCI express (PCIe) slots, which could allow a threat actor to insert a PCI card designed for memory capture. A threat actor can then isolate sensitive information such as a BitLocker encryption key from a dump of the workstation RAM during startup."
}
],
"impacts": [
{
"capecId": "CAPEC-121",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-121 Exploit Non-Production Interfaces"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"availabilityImpact": "NONE",
"baseScore": 2.4,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1299",
"description": "CWE-1299 Missing Protection Mechanism for Alternate Hardware Interface",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-28T20:34:59.290Z",
"orgId": "2325d071-eabf-4b7b-a4ea-0819b6629a18",
"shortName": "BD"
},
"references": [
{
"url": "https://www.bd.com/en-us/about-bd/cybersecurity/bulletin/bd-facschorus-software"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Lack of DMA Access Protections",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\n\n\nVulnerabilities associated with the BD FACSChorus software and workstations will be addressed in an upcoming release. This bulletin will be updated when more information is available. Please check periodically for updates. Additionally, BD recommends the following mitigations and compensating controls to reduce risk associated with these vulnerabilities. The following recommendations apply to all vulnerabilities listed in this bulletin:\u003cbr\u003e\u003cul\u003e\u003cli\u003eEnsure physical access controls are in place and only authorized end-users have access to the BD FACSChorus Software and respective workstation.\u003c/li\u003e\u003cli\u003eIf the BD FACSChorus workstation is connected to the local network, ensure industry standard network security policies and procedures are followed.\u003c/li\u003e\u003cli\u003eAdministrative access to the FACSChorus software and workstation should be strictly controlled by the customer in collaboration with their local IT security policy.\u003c/li\u003e\u003c/ul\u003e"
}
],
"value": "\n\n\nVulnerabilities associated with the BD FACSChorus software and workstations will be addressed in an upcoming release. This bulletin will be updated when more information is available. Please check periodically for updates. Additionally, BD recommends the following mitigations and compensating controls to reduce risk associated with these vulnerabilities. The following recommendations apply to all vulnerabilities listed in this bulletin:\n * Ensure physical access controls are in place and only authorized end-users have access to the BD FACSChorus Software and respective workstation.\n * If the BD FACSChorus workstation is connected to the local network, ensure industry standard network security policies and procedures are followed.\n * Administrative access to the FACSChorus software and workstation should be strictly controlled by the customer in collaboration with their local IT security policy.\n\n\n"
}
],
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "2325d071-eabf-4b7b-a4ea-0819b6629a18",
"assignerShortName": "BD",
"cveId": "CVE-2023-29063",
"datePublished": "2023-11-28T20:34:59.290Z",
"dateReserved": "2023-03-30T21:10:17.526Z",
"dateUpdated": "2024-08-02T14:00:14.934Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-29062 (GCVE-0-2023-29062)
Vulnerability from cvelistv5 – Published: 2023-11-28 20:34 – Updated: 2024-08-02 14:00
VLAI?
Summary
The Operating System hosting the FACSChorus application is configured to allow transmission of hashed user credentials upon user action without adequately validating the identity of the requested resource. This is possible through the use of LLMNR, MBT-NS, or MDNS and will result in NTLMv2 hashes being sent to a malicious entity position on the local network. These hashes can subsequently be attacked through brute force and cracked if a weak password is used. This attack would only apply to domain joined systems.
Severity ?
CWE
- CWE-287 - Improper Authentication
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Becton, Dickinson and Company (BD) | FACSChorus |
Affected:
5.0 , ≤ 5.1
(custom)
Affected: 3.0 , ≤ 3.1 (custom) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T14:00:15.040Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.bd.com/en-us/about-bd/cybersecurity/bulletin/bd-facschorus-software"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows",
"64 bit"
],
"product": "FACSChorus",
"vendor": "Becton, Dickinson and Company (BD)",
"versions": [
{
"lessThanOrEqual": "5.1",
"status": "affected",
"version": "5.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "3.1",
"status": "affected",
"version": "3.0",
"versionType": "custom"
}
]
}
],
"datePublic": "2023-11-28T14:24:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The Operating System hosting the FACSChorus application is configured to allow transmission of hashed user credentials upon user action without adequately validating the identity of the requested resource. This is possible through the use of LLMNR, MBT-NS, or MDNS and will result in NTLMv2 hashes being sent to a malicious entity position on the local network. These hashes can subsequently be attacked through brute force and cracked if a weak password is used. This attack would only apply to domain joined systems."
}
],
"value": "The Operating System hosting the FACSChorus application is configured to allow transmission of hashed user credentials upon user action without adequately validating the identity of the requested resource. This is possible through the use of LLMNR, MBT-NS, or MDNS and will result in NTLMv2 hashes being sent to a malicious entity position on the local network. These hashes can subsequently be attacked through brute force and cracked if a weak password is used. This attack would only apply to domain joined systems."
}
],
"impacts": [
{
"capecId": "CAPEC-194",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-194 Fake the Source of Data"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.8,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287 Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-28T20:34:22.945Z",
"orgId": "2325d071-eabf-4b7b-a4ea-0819b6629a18",
"shortName": "BD"
},
"references": [
{
"url": "https://www.bd.com/en-us/about-bd/cybersecurity/bulletin/bd-facschorus-software"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Unsecure Identity Verification",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cul\u003e\u003c/ul\u003e\n\n\n\nVulnerabilities associated with the BD FACSChorus software and workstations will be addressed in an upcoming release. This bulletin will be updated when more information is available. Please check periodically for updates. Additionally, BD recommends the following mitigations and compensating controls to reduce risk associated with these vulnerabilities. The following recommendations apply to all vulnerabilities listed in this bulletin:\u003cbr\u003e\u003cul\u003e\u003cli\u003eEnsure physical access controls are in place and only authorized end-users have access to the BD FACSChorus Software and respective workstation.\u003c/li\u003e\u003cli\u003eIf the BD FACSChorus workstation is connected to the local network, ensure industry standard network security policies and procedures are followed.\u003c/li\u003e\u003cli\u003eAdministrative access to the FACSChorus software and workstation should be strictly controlled by the customer in collaboration with their local IT security policy.\u003c/li\u003e\u003c/ul\u003e"
}
],
"value": "\n\n\n\n\nVulnerabilities associated with the BD FACSChorus software and workstations will be addressed in an upcoming release. This bulletin will be updated when more information is available. Please check periodically for updates. Additionally, BD recommends the following mitigations and compensating controls to reduce risk associated with these vulnerabilities. The following recommendations apply to all vulnerabilities listed in this bulletin:\n * Ensure physical access controls are in place and only authorized end-users have access to the BD FACSChorus Software and respective workstation.\n * If the BD FACSChorus workstation is connected to the local network, ensure industry standard network security policies and procedures are followed.\n * Administrative access to the FACSChorus software and workstation should be strictly controlled by the customer in collaboration with their local IT security policy.\n\n\n"
}
],
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "2325d071-eabf-4b7b-a4ea-0819b6629a18",
"assignerShortName": "BD",
"cveId": "CVE-2023-29062",
"datePublished": "2023-11-28T20:34:22.945Z",
"dateReserved": "2023-03-30T21:10:17.526Z",
"dateUpdated": "2024-08-02T14:00:15.040Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-29061 (GCVE-0-2023-29061)
Vulnerability from cvelistv5 – Published: 2023-11-28 20:33 – Updated: 2025-06-03 13:56
VLAI?
Summary
There is no BIOS password on the FACSChorus workstation. A threat actor with physical access to the workstation can potentially exploit this vulnerability to access the BIOS configuration and modify the drive boot order and BIOS pre-boot authentication.
Severity ?
5.2 (Medium)
CWE
- CWE-306 - Missing Authentication for Critical Function
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Becton, Dickinson and Company (BD) | FACSChorus |
Affected:
5.0 , ≤ 5.1
(custom)
Affected: 3.0 , ≤ 3.1 (custom) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T14:00:14.960Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.bd.com/en-us/about-bd/cybersecurity/bulletin/bd-facschorus-software"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-29061",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2023-12-09T05:05:40.599367Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-03T13:56:04.911Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows",
"64 bit"
],
"product": "FACSChorus",
"vendor": "Becton, Dickinson and Company (BD)",
"versions": [
{
"lessThanOrEqual": "5.1",
"status": "affected",
"version": "5.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "3.1",
"status": "affected",
"version": "3.0",
"versionType": "custom"
}
]
}
],
"datePublic": "2023-11-28T14:24:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "There is no BIOS password on the FACSChorus workstation. A threat actor with physical access to the workstation can potentially exploit this vulnerability to access the BIOS configuration and modify the drive boot order and BIOS pre-boot authentication."
}
],
"value": "There is no BIOS password on the FACSChorus workstation. A threat actor with physical access to the workstation can potentially exploit this vulnerability to access the BIOS configuration and modify the drive boot order and BIOS pre-boot authentication."
}
],
"impacts": [
{
"capecId": "CAPEC-122",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-122 Privilege Abuse"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"availabilityImpact": "HIGH",
"baseScore": 5.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306 Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-28T20:33:44.065Z",
"orgId": "2325d071-eabf-4b7b-a4ea-0819b6629a18",
"shortName": "BD"
},
"references": [
{
"url": "https://www.bd.com/en-us/about-bd/cybersecurity/bulletin/bd-facschorus-software"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Lack of Adequate BIOS Authentication",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cul\u003e\u003c/ul\u003e\n\n\n\nVulnerabilities associated with the BD FACSChorus software and workstations will be addressed in an upcoming release. This bulletin will be updated when more information is available. Please check periodically for updates. Additionally, BD recommends the following mitigations and compensating controls to reduce risk associated with these vulnerabilities. The following recommendations apply to all vulnerabilities listed in this bulletin:\u003cbr\u003e\u003cul\u003e\u003cli\u003eEnsure physical access controls are in place and only authorized end-users have access to the BD FACSChorus Software and respective workstation.\u003c/li\u003e\u003cli\u003eIf the BD FACSChorus workstation is connected to the local network, ensure industry standard network security policies and procedures are followed.\u003c/li\u003e\u003cli\u003eAdministrative access to the FACSChorus software and workstation should be strictly controlled by the customer in collaboration with their local IT security policy.\u003c/li\u003e\u003c/ul\u003e"
}
],
"value": "\n\n\n\n\nVulnerabilities associated with the BD FACSChorus software and workstations will be addressed in an upcoming release. This bulletin will be updated when more information is available. Please check periodically for updates. Additionally, BD recommends the following mitigations and compensating controls to reduce risk associated with these vulnerabilities. The following recommendations apply to all vulnerabilities listed in this bulletin:\n * Ensure physical access controls are in place and only authorized end-users have access to the BD FACSChorus Software and respective workstation.\n * If the BD FACSChorus workstation is connected to the local network, ensure industry standard network security policies and procedures are followed.\n * Administrative access to the FACSChorus software and workstation should be strictly controlled by the customer in collaboration with their local IT security policy.\n\n\n"
}
],
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "2325d071-eabf-4b7b-a4ea-0819b6629a18",
"assignerShortName": "BD",
"cveId": "CVE-2023-29061",
"datePublished": "2023-11-28T20:33:44.065Z",
"dateReserved": "2023-03-30T21:10:17.526Z",
"dateUpdated": "2025-06-03T13:56:04.911Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-29060 (GCVE-0-2023-29060)
Vulnerability from cvelistv5 – Published: 2023-11-28 20:07 – Updated: 2025-06-03 13:56
VLAI?
Summary
The FACSChorus workstation operating system does not restrict what devices can interact with its USB ports. If exploited, a threat actor with physical access to the workstation could gain access to system information and potentially exfiltrate data.
Severity ?
5.4 (Medium)
CWE
- CWE-1299 - Missing Protection Mechanism for Alternate Hardware Interface
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Becton, Dickinson and Company (BD) | FACSChorus |
Affected:
5.0 , ≤ 5.1
(custom)
Affected: 3.0 , ≤ 3.1 (custom) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T14:00:14.601Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.bd.com/en-us/about-bd/cybersecurity/bulletin/bd-facschorus-software"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-29060",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-03T13:56:36.565415Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-03T13:56:46.453Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows",
"64 bit"
],
"product": "FACSChorus",
"vendor": "Becton, Dickinson and Company (BD)",
"versions": [
{
"lessThanOrEqual": "5.1",
"status": "affected",
"version": "5.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "3.1",
"status": "affected",
"version": "3.0",
"versionType": "custom"
}
]
}
],
"datePublic": "2023-11-28T14:24:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The FACSChorus workstation operating system does not restrict what devices can interact with its USB ports. If exploited, a threat actor with physical access to the workstation could gain access to system information and potentially exfiltrate data."
}
],
"value": "The FACSChorus workstation operating system does not restrict what devices can interact with its USB ports. If exploited, a threat actor with physical access to the workstation could gain access to system information and potentially exfiltrate data."
}
],
"impacts": [
{
"capecId": "CAPEC-457",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-457 USB Memory Attacks"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"availabilityImpact": "HIGH",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1299",
"description": "CWE-1299 Missing Protection Mechanism for Alternate Hardware Interface",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-28T20:31:55.731Z",
"orgId": "2325d071-eabf-4b7b-a4ea-0819b6629a18",
"shortName": "BD"
},
"references": [
{
"url": "https://www.bd.com/en-us/about-bd/cybersecurity/bulletin/bd-facschorus-software"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Lack of USB Whitelisting",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Vulnerabilities associated with the BD FACSChorus software and workstations will be addressed in an upcoming release. This bulletin will be updated when more information is available. Please check periodically for updates. Additionally, BD recommends the following mitigations and compensating controls to reduce risk associated with these vulnerabilities. The following recommendations apply to all vulnerabilities listed in this bulletin:\u003cbr\u003e\u003cul\u003e\u003cli\u003eEnsure physical access controls are in place and only authorized end-users have access to the BD FACSChorus Software and respective workstation.\u003c/li\u003e\u003cli\u003eIf the BD FACSChorus workstation is connected to the local network, ensure industry standard network security policies and procedures are followed.\u003c/li\u003e\u003cli\u003eAdministrative access to the FACSChorus software and workstation should be strictly controlled by the customer in collaboration with their local IT security policy.\u003c/li\u003e\u003c/ul\u003e"
}
],
"value": "Vulnerabilities associated with the BD FACSChorus software and workstations will be addressed in an upcoming release. This bulletin will be updated when more information is available. Please check periodically for updates. Additionally, BD recommends the following mitigations and compensating controls to reduce risk associated with these vulnerabilities. The following recommendations apply to all vulnerabilities listed in this bulletin:\n * Ensure physical access controls are in place and only authorized end-users have access to the BD FACSChorus Software and respective workstation.\n * If the BD FACSChorus workstation is connected to the local network, ensure industry standard network security policies and procedures are followed.\n * Administrative access to the FACSChorus software and workstation should be strictly controlled by the customer in collaboration with their local IT security policy.\n\n\n"
}
],
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "2325d071-eabf-4b7b-a4ea-0819b6629a18",
"assignerShortName": "BD",
"cveId": "CVE-2023-29060",
"datePublished": "2023-11-28T20:07:00.245Z",
"dateReserved": "2023-03-30T21:10:17.526Z",
"dateUpdated": "2025-06-03T13:56:46.453Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-30565 (GCVE-0-2023-30565)
Vulnerability from cvelistv5 – Published: 2023-07-13 19:06 – Updated: 2024-10-22 15:36
VLAI?
Summary
An insecure connection between Systems Manager and CQI Reporter application could expose infusion data to an attacker.
Severity ?
CWE
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Becton Dickinson & Co | CQI Reporter |
Affected:
0 , ≤ 10.17
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T14:28:51.783Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.bd.com/en-us/about-bd/cybersecurity/bulletin/bd-alaris-system-with-guardrails-suite-mx"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-30565",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-22T15:23:26.688644Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-22T15:36:36.823Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "CQI Reporter",
"vendor": "Becton Dickinson \u0026 Co",
"versions": [
{
"lessThanOrEqual": "10.17",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"datePublic": "2023-07-13T15:32:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An insecure connection between Systems Manager and CQI Reporter application could expose infusion data to an attacker."
}
],
"value": "An insecure connection between Systems Manager and CQI Reporter application could expose infusion data to an attacker."
}
],
"impacts": [
{
"capecId": "CAPEC-158",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-158 Sniffing Network Traffic"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-924",
"description": "CWE-924 Improper Enforcement of Message Integrity During Transmission in a Communication Channel",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-319",
"description": "CWE-319 Cleartext Transmission of Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-26T15:51:18.816Z",
"orgId": "2325d071-eabf-4b7b-a4ea-0819b6629a18",
"shortName": "BD"
},
"references": [
{
"url": "https://www.bd.com/en-us/about-bd/cybersecurity/bulletin/bd-alaris-system-with-guardrails-suite-mx"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\nBD recommends customers update to the BD Alaris\u00e2\u201e\u00a2 System v12.3, where available based on regulatory authorization. Customers who require software updates should contact their BD Account Executive to assist with scheduling the remediation.\n\n\u003cbr\u003e"
}
],
"value": "\nBD recommends customers update to the BD Alaris\u00e2\u201e\u00a2 System v12.3, where available based on regulatory authorization. Customers who require software updates should contact their BD Account Executive to assist with scheduling the remediation.\n\n\n"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": " CQI Data Sniffing ",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "2325d071-eabf-4b7b-a4ea-0819b6629a18",
"assignerShortName": "BD",
"cveId": "CVE-2023-30565",
"datePublished": "2023-07-13T19:06:18.280Z",
"dateReserved": "2023-04-12T16:30:07.537Z",
"dateUpdated": "2024-10-22T15:36:36.823Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-30564 (GCVE-0-2023-30564)
Vulnerability from cvelistv5 – Published: 2023-07-13 19:06 – Updated: 2024-10-22 15:48
VLAI?
Summary
Alaris Systems Manager does not perform input validation during the Device Import Function.
Severity ?
6.9 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Becton Dickinson & Co | BD Alarisâ„¢ Systems Manager |
Affected:
0 , ≤ 12.3
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T14:28:51.639Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.bd.com/en-us/about-bd/cybersecurity/bulletin/bd-alaris-system-with-guardrails-suite-mx"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-30564",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-22T15:23:34.304469Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-22T15:48:40.865Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "BD Alaris\u00e2\u201e\u00a2 Systems Manager",
"vendor": "Becton Dickinson \u0026 Co",
"versions": [
{
"lessThanOrEqual": "12.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"datePublic": "2023-07-13T15:33:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Alaris Systems Manager does not perform input validation during the Device Import Function."
}
],
"value": "Alaris Systems Manager does not perform input validation during the Device Import Function."
}
],
"impacts": [
{
"capecId": "CAPEC-153",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-153 Input Data Manipulation"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-26T15:51:01.853Z",
"orgId": "2325d071-eabf-4b7b-a4ea-0819b6629a18",
"shortName": "BD"
},
"references": [
{
"url": "https://www.bd.com/en-us/about-bd/cybersecurity/bulletin/bd-alaris-system-with-guardrails-suite-mx"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\nBD recommends customers update to the BD Alaris\u00e2\u201e\u00a2 System v12.3, where available based on regulatory authorization. Customers who require software updates should contact their BD Account Executive to assist with scheduling the remediation.\n\n\u003cbr\u003e"
}
],
"value": "\nBD recommends customers update to the BD Alaris\u00e2\u201e\u00a2 System v12.3, where available based on regulatory authorization. Customers who require software updates should contact their BD Account Executive to assist with scheduling the remediation.\n\n\n"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Stored Cross-Site Scripting on Device Import Functionality",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "2325d071-eabf-4b7b-a4ea-0819b6629a18",
"assignerShortName": "BD",
"cveId": "CVE-2023-30564",
"datePublished": "2023-07-13T19:06:02.948Z",
"dateReserved": "2023-04-12T16:30:07.537Z",
"dateUpdated": "2024-10-22T15:48:40.865Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-30563 (GCVE-0-2023-30563)
Vulnerability from cvelistv5 – Published: 2023-07-13 19:04 – Updated: 2024-10-22 15:48
VLAI?
Summary
A malicious file could be uploaded into a System Manager User Import Function resulting in a hijacked session.
Severity ?
8.2 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Becton Dickinson & Co | BD Alarisâ„¢ Systems Manager |
Affected:
0 , ≤ 12.3
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T14:28:51.805Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.bd.com/en-us/about-bd/cybersecurity/bulletin/bd-alaris-system-with-guardrails-suite-mx"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-30563",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-22T15:29:53.107117Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-22T15:48:57.063Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "BD Alaris\u00e2\u201e\u00a2 Systems Manager",
"vendor": "Becton Dickinson \u0026 Co",
"versions": [
{
"lessThanOrEqual": "12.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"datePublic": "2023-07-13T15:33:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A malicious file could be uploaded into a System Manager User Import Function resulting in a hijacked session."
}
],
"value": "A malicious file could be uploaded into a System Manager User Import Function resulting in a hijacked session."
}
],
"impacts": [
{
"capecId": "CAPEC-76",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-76 Manipulating Web Input to File System Calls"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-26T15:50:45.759Z",
"orgId": "2325d071-eabf-4b7b-a4ea-0819b6629a18",
"shortName": "BD"
},
"references": [
{
"url": "https://www.bd.com/en-us/about-bd/cybersecurity/bulletin/bd-alaris-system-with-guardrails-suite-mx"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "BD recommends customers update to the BD Alaris\u00e2\u201e\u00a2 System v12.3, where available based on regulatory authorization. Customers who require software updates should contact their BD Account Executive to assist with scheduling the remediation.\u003cbr\u003e"
}
],
"value": "BD recommends customers update to the BD Alaris\u00e2\u201e\u00a2 System v12.3, where available based on regulatory authorization. Customers who require software updates should contact their BD Account Executive to assist with scheduling the remediation.\n"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Stored Cross-Site Scripting on User Import Functionality ",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "2325d071-eabf-4b7b-a4ea-0819b6629a18",
"assignerShortName": "BD",
"cveId": "CVE-2023-30563",
"datePublished": "2023-07-13T19:04:43.518Z",
"dateReserved": "2023-04-12T16:30:07.537Z",
"dateUpdated": "2024-10-22T15:48:57.063Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-30562 (GCVE-0-2023-30562)
Vulnerability from cvelistv5 – Published: 2023-07-13 19:03 – Updated: 2024-10-22 16:07
VLAI?
Summary
A GRE dataset file within Systems Manager can be tampered with and distributed to PCUs.
Severity ?
6.7 (Medium)
CWE
- CWE-345 - Insufficient Verification of Data Authenticity
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Becton Dickinson & Co | BD Alarisâ„¢ Guardrailsâ„¢ Editor |
Affected:
0 , ≤ 12.1.2
(custom)
Affected: 0 , ≤ 12.3 (custom) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T14:28:51.621Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.bd.com/en-us/about-bd/cybersecurity/bulletin/bd-alaris-system-with-guardrails-suite-mx"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-30562",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-22T15:49:05.412286Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-22T16:07:32.582Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "BD Alaris\u00e2\u201e\u00a2 Guardrails\u00e2\u201e\u00a2 Editor",
"vendor": "Becton Dickinson \u0026 Co",
"versions": [
{
"lessThanOrEqual": "12.1.2",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThanOrEqual": "12.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"datePublic": "2023-07-13T15:33:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A GRE dataset file within Systems Manager can be tampered with and distributed to PCUs. \n\n\n\n"
}
],
"value": "A GRE dataset file within Systems Manager can be tampered with and distributed to PCUs. \n\n\n\n"
}
],
"impacts": [
{
"capecId": "CAPEC-17",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-17 Using Malicious Files"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "For the BD Alaris\u00e2\u201e\u00a2 Infusion System 12.1.3 (GRE 12.1.2) and earlier versions"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "For the BD Alaris\u00e2\u201e\u00a2 Infusion System version 12.3 (GRE 12.1.3)"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-345",
"description": "CWE-345 Insufficient Verification of Data Authenticity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-26T16:45:05.543Z",
"orgId": "2325d071-eabf-4b7b-a4ea-0819b6629a18",
"shortName": "BD"
},
"references": [
{
"url": "https://www.bd.com/en-us/about-bd/cybersecurity/bulletin/bd-alaris-system-with-guardrails-suite-mx"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Lack of Dataset Integrity Checking ",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "2325d071-eabf-4b7b-a4ea-0819b6629a18",
"assignerShortName": "BD",
"cveId": "CVE-2023-30562",
"datePublished": "2023-07-13T19:03:32.964Z",
"dateReserved": "2023-04-12T16:30:07.537Z",
"dateUpdated": "2024-10-22T16:07:32.582Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-30561 (GCVE-0-2023-30561)
Vulnerability from cvelistv5 – Published: 2023-07-13 19:03 – Updated: 2024-10-22 16:07
VLAI?
Summary
The data flowing between the PCU and its modules is insecure. A threat actor with physical access could potentially read or modify data by attaching a specially crafted device while an infusion is running.
Severity ?
6.1 (Medium)
CWE
- CWE-311 - Missing Encryption of Sensitive Data
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Becton Dickinson & Co | BD Alarisâ„¢ Point-of-Care Unit (PCU) Model 8015 |
Affected:
0 , ≤ 12.1.3
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T14:28:51.672Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.bd.com/en-us/about-bd/cybersecurity/bulletin/bd-alaris-system-with-guardrails-suite-mx"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-30561",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-22T15:49:18.852817Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-22T16:07:16.822Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "BD Alaris\u00e2\u201e\u00a2 Point-of-Care Unit (PCU) Model 8015",
"vendor": "Becton Dickinson \u0026 Co",
"versions": [
{
"lessThanOrEqual": "12.1.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"datePublic": "2023-07-13T18:56:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The data flowing between the PCU and its modules is insecure. A threat actor with physical access could potentially read or modify data by attaching a specially crafted device while an infusion is running."
}
],
"value": "The data flowing between the PCU and its modules is insecure. A threat actor with physical access could potentially read or modify data by attaching a specially crafted device while an infusion is running."
}
],
"impacts": [
{
"capecId": "CAPEC-390",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-390 Bypassing Physical Security"
}
]
},
{
"capecId": "CAPEC-94",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-94 Man in the Middle Attack"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"availabilityImpact": "HIGH",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-311",
"description": "CWE-311 Missing Encryption of Sensitive Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-07-13T19:03:17.356Z",
"orgId": "2325d071-eabf-4b7b-a4ea-0819b6629a18",
"shortName": "BD"
},
"references": [
{
"url": "https://www.bd.com/en-us/about-bd/cybersecurity/bulletin/bd-alaris-system-with-guardrails-suite-mx"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Lack of Cryptographic Security of IUI Bus ",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "2325d071-eabf-4b7b-a4ea-0819b6629a18",
"assignerShortName": "BD",
"cveId": "CVE-2023-30561",
"datePublished": "2023-07-13T19:03:17.356Z",
"dateReserved": "2023-04-12T16:30:07.537Z",
"dateUpdated": "2024-10-22T16:07:16.822Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-30560 (GCVE-0-2023-30560)
Vulnerability from cvelistv5 – Published: 2023-07-13 18:53 – Updated: 2024-10-31 17:33
VLAI?
Summary
The configuration from the PCU can be modified without authentication using physical connection to the PCU.
Severity ?
6.8 (Medium)
CWE
- CWE-287 - Improper Authentication
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Becton Dickinson & Co | BD Alarisâ„¢ Point-of-Care Unit (PCU) Model 8015 |
Affected:
0 , ≤ 12.1.3
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T14:28:51.941Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.bd.com/en-us/about-bd/cybersecurity/bulletin/bd-alaris-system-with-guardrails-suite-mx"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:h:becton_dickinson_and_co:bd_alarisa_point_of_care_unit_model_8015:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "bd_alarisa_point_of_care_unit_model_8015",
"vendor": "becton_dickinson_and_co",
"versions": [
{
"status": "affected",
"version": "0"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-30560",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-31T17:29:20.439171Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-31T17:33:02.007Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "BD Alaris\u00e2\u201e\u00a2 Point-of-Care Unit (PCU) Model 8015",
"vendor": "Becton Dickinson \u0026 Co ",
"versions": [
{
"lessThanOrEqual": "12.1.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"datePublic": "2023-07-13T18:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe configuration from the PCU can be modified without authentication using physical connection to the PCU. \u003c/p\u003e\n\n\n\n\n\n"
}
],
"value": "The configuration from the PCU can be modified without authentication using physical connection to the PCU. \n\n\n\n\n\n\n\n"
}
],
"impacts": [
{
"capecId": "CAPEC-114",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-114 Authentication Abuse"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"availabilityImpact": "HIGH",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287 Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-07-13T18:53:49.951Z",
"orgId": "2325d071-eabf-4b7b-a4ea-0819b6629a18",
"shortName": "BD"
},
"references": [
{
"url": "https://www.bd.com/en-us/about-bd/cybersecurity/bulletin/bd-alaris-system-with-guardrails-suite-mx"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": " PCU Configuration Lacks Authentication",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "2325d071-eabf-4b7b-a4ea-0819b6629a18",
"assignerShortName": "BD",
"cveId": "CVE-2023-30560",
"datePublished": "2023-07-13T18:53:49.951Z",
"dateReserved": "2023-04-12T16:30:07.536Z",
"dateUpdated": "2024-10-31T17:33:02.007Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-30559 (GCVE-0-2023-30559)
Vulnerability from cvelistv5 – Published: 2023-07-13 17:50 – Updated: 2024-08-02 14:28
VLAI?
Summary
The firmware update package for the wireless card is not properly signed and can be modified.
Severity ?
5.2 (Medium)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Becton Dickinson & Co | BD Alaris™ Point-of-Care Unit (PCU) Model 8015 |
Affected:
0 , ≤ 12.1.3
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T14:28:51.809Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.bd.com/en-us/about-bd/cybersecurity/bulletin/bd-alaris-system-with-guardrails-suite-mx"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "BD Alaris\u2122 Point-of-Care Unit (PCU) Model 8015",
"vendor": "Becton Dickinson \u0026 Co ",
"versions": [
{
"lessThanOrEqual": "12.1.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"datePublic": "2023-07-13T14:59:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The firmware update package for the wireless card is not properly signed and can be modified."
}
],
"value": "The firmware update package for the wireless card is not properly signed and can be modified."
}
],
"impacts": [
{
"capecId": "CAPEC-638",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-638 Altered Component Firmware"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"availabilityImpact": "HIGH",
"baseScore": 5.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-345",
"description": "CWE-345 Insufficient Verification of Data Authenticity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-08T21:52:28.547Z",
"orgId": "2325d071-eabf-4b7b-a4ea-0819b6629a18",
"shortName": "BD"
},
"references": [
{
"url": "https://www.bd.com/en-us/about-bd/cybersecurity/bulletin/bd-alaris-system-with-guardrails-suite-mx"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Wireless Card Firmware Improperly Signed",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "2325d071-eabf-4b7b-a4ea-0819b6629a18",
"assignerShortName": "BD",
"cveId": "CVE-2023-30559",
"datePublished": "2023-07-13T17:50:13.176Z",
"dateReserved": "2023-04-12T16:30:07.536Z",
"dateUpdated": "2024-08-02T14:28:51.809Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-47376 (GCVE-0-2022-47376)
Vulnerability from cvelistv5 – Published: 2023-06-13 00:00 – Updated: 2025-01-03 18:09
VLAI?
Summary
The Alaris Infusion Central software, versions 1.1 to 1.3.2, may contain a recoverable password after the installation. No patient health data is stored in the database, although some site installations may choose to store personal data.
Severity ?
7.3 (High)
CWE
- CWE-257 - Storing Passwords in a Recoverable Format
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | Alaris Infusion Central |
Affected:
<=1.3.2
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T14:55:07.009Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.bd.com/en-us/about-bd/cybersecurity/bulletin/alaris-infusion-central-recoverable-password-vulnerability"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-47376",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-03T18:09:00.169823Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-03T18:09:04.739Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Alaris Infusion Central",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "\u003c=1.3.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The Alaris Infusion Central software, versions 1.1 to 1.3.2, may contain a recoverable password after the installation. No patient health data is stored in the database, although some site installations may choose to store personal data."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-257",
"description": "CWE-257: Storing Passwords in a Recoverable Format",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-06-13T00:00:00",
"orgId": "2325d071-eabf-4b7b-a4ea-0819b6629a18",
"shortName": "BD"
},
"references": [
{
"url": "https://www.bd.com/en-us/about-bd/cybersecurity/bulletin/alaris-infusion-central-recoverable-password-vulnerability"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "2325d071-eabf-4b7b-a4ea-0819b6629a18",
"assignerShortName": "BD",
"cveId": "CVE-2022-47376",
"datePublished": "2023-06-13T00:00:00",
"dateReserved": "2022-12-13T00:00:00",
"dateUpdated": "2025-01-03T18:09:04.739Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-43557 (GCVE-0-2022-43557)
Vulnerability from cvelistv5 – Published: 2022-12-05 00:00 – Updated: 2025-04-23 15:47
VLAI?
Summary
The BD BodyGuard™ infusion pumps specified allow for access through the RS-232 (serial) port interface. If exploited, threat actors with physical access, specialized equipment and knowledge may be able to configure or disable the pump. No electronic protected health information (ePHI), protected health information (PHI) or personally identifiable information (PII) is stored in the pump.
Severity ?
5.3 (Medium)
CWE
- CWE-1299 - Missing Protection Mechanism for Alternate Hardware Interface
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Becton, Dickinson and Company (BD) | BodyGuard™ Pump |
Affected:
BD BodyGuard™
Affected: CME BodyGuard™ 323 (2nd Edition) Affected: CME BodyGuard™ 323 Color Vision (2nd Edition) Affected: CME BodyGuard™ 323 Color Vision (3rd Edition) Affected: CME BodyGuard™ Twins (2nd Edition) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T13:32:59.566Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://www.bd.com/en-us/about-bd/cybersecurity/bulletin/bd-bodyguard-pumps-rs-232-interface-vulnerability"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-43557",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T15:46:47.466198Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T15:47:10.734Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "BodyGuard\u2122 Pump",
"vendor": "Becton, Dickinson and Company (BD)",
"versions": [
{
"status": "affected",
"version": "BD BodyGuard\u2122 "
},
{
"status": "affected",
"version": "CME BodyGuard\u2122 323 (2nd Edition)"
},
{
"status": "affected",
"version": "CME BodyGuard\u2122 323 Color Vision (2nd Edition)"
},
{
"status": "affected",
"version": "CME BodyGuard\u2122 323 Color Vision (3rd Edition)"
},
{
"status": "affected",
"version": "CME BodyGuard\u2122 Twins (2nd Edition)"
}
]
}
],
"datePublic": "2022-10-20T04:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The BD BodyGuard\u2122 infusion pumps specified allow for access through the RS-232\u0026nbsp;(serial) port interface. If exploited, threat actors with physical access, specialized equipment and\u0026nbsp;knowledge may be able to configure or disable the pump. No electronic protected health information\u0026nbsp;(ePHI), protected health information (PHI) or personally identifiable information (PII) is stored in the\u0026nbsp;pump."
}
],
"value": "The BD BodyGuard\u2122 infusion pumps specified allow for access through the RS-232\u00a0(serial) port interface. If exploited, threat actors with physical access, specialized equipment and\u00a0knowledge may be able to configure or disable the pump. No electronic protected health information\u00a0(ePHI), protected health information (PHI) or personally identifiable information (PII) is stored in the\u00a0pump."
}
],
"impacts": [
{
"capecId": "CAPEC-115",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-115 Authentication Bypass"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "PHYSICAL",
"availabilityImpact": "HIGH",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1299",
"description": "CWE-1299 Missing Protection Mechanism for Alternate Hardware Interface",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-27T20:05:04.787Z",
"orgId": "2325d071-eabf-4b7b-a4ea-0819b6629a18",
"shortName": "BD"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.bd.com/en-us/about-bd/cybersecurity/bulletin/bd-bodyguard-pumps-rs-232-interface-vulnerability"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "BD BodyGuard\u2122 Pumps \u2013 RS-232 Interface Vulnerability",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "BD recommends the following mitigations and compensating controls to reduce risk associated with this\u003cbr\u003evulnerability:\u003cbr\u003e\u2022 Ensure physical access controls are in place and only authorized end-users have access to\u003cbr\u003eBD BodyGuard\u2122 pumps.\u003cbr\u003e\u2022 Ensure that only BD-approved equipment is connected to the RS-232 interface of the affected pumps.\u003cbr\u003e\u2022 Ensure that no equipment is connected to the RS-232 interface when the affected pumps are delivering\u003cbr\u003einfusions.\u003cbr\u003e\u2022 Protect connected computer systems with BodyComm\u2122 software with standard security measures.\u003cbr\u003e"
}
],
"value": "BD recommends the following mitigations and compensating controls to reduce risk associated with this\nvulnerability:\n\u2022 Ensure physical access controls are in place and only authorized end-users have access to\nBD BodyGuard\u2122 pumps.\n\u2022 Ensure that only BD-approved equipment is connected to the RS-232 interface of the affected pumps.\n\u2022 Ensure that no equipment is connected to the RS-232 interface when the affected pumps are delivering\ninfusions.\n\u2022 Protect connected computer systems with BodyComm\u2122 software with standard security measures.\n"
}
],
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "2325d071-eabf-4b7b-a4ea-0819b6629a18",
"assignerShortName": "BD",
"cveId": "CVE-2022-43557",
"datePublished": "2022-12-05T00:00:00.000Z",
"dateReserved": "2022-10-20T00:00:00.000Z",
"dateUpdated": "2025-04-23T15:47:10.734Z",
"serial": 1,
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-40263 (GCVE-0-2022-40263)
Vulnerability from cvelistv5 – Published: 2022-11-04 18:58 – Updated: 2025-04-30 20:26
VLAI?
Summary
BD Totalys MultiProcessor, versions 1.70 and earlier, contain hardcoded credentials. If exploited, threat actors may be able to access, modify or delete sensitive information, including electronic protected health information (ePHI), protected health information (PHI) and personally identifiable information (PII). Customers using BD Totalys MultiProcessor version 1.70 with Microsoft Windows 10 have additional operating system hardening configurations which increase the attack complexity required to exploit this vulnerability.
Severity ?
6.6 (Medium)
CWE
- CWE-798 - Use of Hard-coded Credentials
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Becton Dickson (BD) | BD Totalys MultiProcessor |
Affected:
1.70 , ≤ 1.70
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T12:14:39.984Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.bd.com/en-us/about-bd/cybersecurity/bulletin/bd-totalys-multiprocessor-hardcoded-credentials"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-40263",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-30T20:26:30.689709Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-30T20:26:41.219Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "BD Totalys MultiProcessor",
"vendor": "Becton Dickson (BD)",
"versions": [
{
"lessThanOrEqual": "1.70",
"status": "affected",
"version": "1.70",
"versionType": "custom"
}
]
}
],
"datePublic": "2022-10-04T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "BD Totalys MultiProcessor, versions 1.70 and earlier, contain hardcoded credentials. If exploited, threat actors may be able to access, modify or delete sensitive information, including electronic protected health information (ePHI), protected health information (PHI) and personally identifiable information (PII). Customers using BD Totalys MultiProcessor version 1.70 with Microsoft Windows 10 have additional operating system hardening configurations which increase the attack complexity required to exploit this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 6.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-798",
"description": "CWE-798 Use of Hard-coded Credentials",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-11-04T00:00:00.000Z",
"orgId": "2325d071-eabf-4b7b-a4ea-0819b6629a18",
"shortName": "BD"
},
"references": [
{
"url": "https://www.bd.com/en-us/about-bd/cybersecurity/bulletin/bd-totalys-multiprocessor-hardcoded-credentials"
}
],
"solutions": [
{
"lang": "en",
"value": "This vulnerability is scheduled to be remediated in the BD Totalys MultiProcessor version 1.71 software release expected in the fourth quarter of 2022."
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "BD Totalys MultiProcessor - Hardcoded Credentials",
"workarounds": [
{
"lang": "en",
"value": "Ensure physical access controls are in place and only authorized end-users have access to the BD Totalys\u2122 MultiProcessor. If the BD Totalys MultiProcessor must be connected to a network, ensure industry standard network security policies and procedures are followed."
}
],
"x_generator": {
"engine": "Vulnogram 0.0.9"
}
}
},
"cveMetadata": {
"assignerOrgId": "2325d071-eabf-4b7b-a4ea-0819b6629a18",
"assignerShortName": "BD",
"cveId": "CVE-2022-40263",
"datePublished": "2022-11-04T18:58:53.817Z",
"dateReserved": "2022-09-08T00:00:00.000Z",
"dateUpdated": "2025-04-30T20:26:41.219Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-30277 (GCVE-0-2022-30277)
Vulnerability from cvelistv5 – Published: 2022-06-01 16:38 – Updated: 2024-09-16 17:43
VLAI?
Summary
BD Synapsys™, versions 4.20, 4.20 SR1, and 4.30, contain an insufficient session expiration vulnerability. If exploited, threat actors may be able to access, modify or delete sensitive information, including electronic protected health information (ePHI), protected health information (PHI) and personally identifiable information (PII).
Severity ?
5.7 (Medium)
CWE
- CWE-613 - Insufficient Session Expiration
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Becton Dickinson (BD) | BD Synapsys™ |
Affected:
4.20 , ≤ 4.30
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T06:48:36.283Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://cybersecurity.bd.com/bulletins-and-patches/bd-synapsys-insufficient-session-expiration"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "BD Synapsys\u2122",
"vendor": "Becton Dickinson (BD)",
"versions": [
{
"lessThanOrEqual": "4.30",
"status": "affected",
"version": "4.20",
"versionType": "custom"
}
]
}
],
"configurations": [
{
"lang": "en",
"value": "To exploit this vulnerability, a threat actor would need to gain access to the customer environment and physical access to a BD Synapsys\u2122 workstation."
}
],
"datePublic": "2022-05-31T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "BD Synapsys\u2122, versions 4.20, 4.20 SR1, and 4.30, contain an insufficient session expiration vulnerability. If exploited, threat actors may be able to access, modify or delete sensitive information, including electronic protected health information (ePHI), protected health information (PHI) and personally identifiable information (PII)."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"availabilityImpact": "NONE",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:P/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-613",
"description": "CWE-613 Insufficient Session Expiration",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-06-01T16:38:50",
"orgId": "2325d071-eabf-4b7b-a4ea-0819b6629a18",
"shortName": "BD"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://cybersecurity.bd.com/bulletins-and-patches/bd-synapsys-insufficient-session-expiration"
}
],
"solutions": [
{
"lang": "en",
"value": "BD Synapsys\u2122 v4.20 SR2 will be released in June 2022 and will remediate this vulnerability. Customers receiving BD Synapsys\u2122 v4.30 will be allowed to upgrade to v5.10, which is expected to be available by August 2022."
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "BD Synapsys\u2122 \u2013 Insufficient Session Expiration",
"workarounds": [
{
"lang": "en",
"value": "Configure the inactivity session timeout in the operating system to match the session expiration timeout in BD Synapsys\u2122. \n\nEnsure physical access controls are in place and only authorized end-users have access to BD Synapsys\u2122 workstations. \n\nPlace a reminder at each computer for users to logout when leaving the BD Synapsys\u2122 workstation. \n\nEnsure industry standard network security policies and procedures are followed."
}
],
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cybersecurity@bd.com",
"DATE_PUBLIC": "2022-05-31T15:00:00.000Z",
"ID": "CVE-2022-30277",
"STATE": "PUBLIC",
"TITLE": "BD Synapsys\u2122 \u2013 Insufficient Session Expiration"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "BD Synapsys\u2122",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "4.20",
"version_value": "4.30"
}
]
}
}
]
},
"vendor_name": "Becton Dickinson (BD)"
}
]
}
},
"configuration": [
{
"lang": "en",
"value": "To exploit this vulnerability, a threat actor would need to gain access to the customer environment and physical access to a BD Synapsys\u2122 workstation."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "BD Synapsys\u2122, versions 4.20, 4.20 SR1, and 4.30, contain an insufficient session expiration vulnerability. If exploited, threat actors may be able to access, modify or delete sensitive information, including electronic protected health information (ePHI), protected health information (PHI) and personally identifiable information (PII)."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"availabilityImpact": "NONE",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:P/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-613 Insufficient Session Expiration"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://cybersecurity.bd.com/bulletins-and-patches/bd-synapsys-insufficient-session-expiration",
"refsource": "CONFIRM",
"url": "https://cybersecurity.bd.com/bulletins-and-patches/bd-synapsys-insufficient-session-expiration"
}
]
},
"solution": [
{
"lang": "en",
"value": "BD Synapsys\u2122 v4.20 SR2 will be released in June 2022 and will remediate this vulnerability. Customers receiving BD Synapsys\u2122 v4.30 will be allowed to upgrade to v5.10, which is expected to be available by August 2022."
}
],
"source": {
"discovery": "INTERNAL"
},
"work_around": [
{
"lang": "en",
"value": "Configure the inactivity session timeout in the operating system to match the session expiration timeout in BD Synapsys\u2122. \n\nEnsure physical access controls are in place and only authorized end-users have access to BD Synapsys\u2122 workstations. \n\nPlace a reminder at each computer for users to logout when leaving the BD Synapsys\u2122 workstation. \n\nEnsure industry standard network security policies and procedures are followed."
}
]
}
}
},
"cveMetadata": {
"assignerOrgId": "2325d071-eabf-4b7b-a4ea-0819b6629a18",
"assignerShortName": "BD",
"cveId": "CVE-2022-30277",
"datePublished": "2022-06-01T16:38:50.425711Z",
"dateReserved": "2022-05-04T00:00:00",
"dateUpdated": "2024-09-16T17:43:27.280Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-22767 (GCVE-0-2022-22767)
Vulnerability from cvelistv5 – Published: 2022-06-01 16:35 – Updated: 2024-09-16 16:42
VLAI?
Summary
Specific BD Pyxis™ products were installed with default credentials and may presently still operate with these credentials. There may be scenarios where BD Pyxis™ products are installed with the same default local operating system credentials or domain-joined server(s) credentials that may be shared across product types. If exploited, threat actors may be able to gain privileged access to the underlying file system and could potentially exploit or gain access to ePHI or other sensitive information.
Severity ?
8.8 (High)
CWE
- CWE-262 - Not Using Password Aging
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T03:21:49.167Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://cybersecurity.bd.com/bulletins-and-patches/bd-pyxis-products-default-credentials"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "BD Pyxis\u2122 Anesthesia ES Station",
"vendor": "Becton Dickinson (BD)",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
},
{
"product": "BD Pyxis\u2122 CIISafe",
"vendor": "Becton Dickinson (BD)",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
},
{
"product": "BD Pyxis\u2122 Logistics",
"vendor": "Becton Dickinson (BD)",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
},
{
"product": "BD Pyxis\u2122 MedBank",
"vendor": "Becton Dickinson (BD)",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
},
{
"product": "BD Pyxis\u2122 MedStation\u2122 4000",
"vendor": "Becton Dickinson (BD)",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
},
{
"product": "BD Pyxis\u2122 MedStation\u2122 ES",
"vendor": "Becton Dickinson (BD)",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
},
{
"product": "BD Pyxis\u2122 MedStation\u2122 ES Server",
"vendor": "Becton Dickinson (BD)",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
},
{
"product": "BD Pyxis\u2122 ParAssist",
"vendor": "Becton Dickinson (BD)",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
},
{
"product": "BD Pyxis\u2122 Rapid Rx",
"vendor": "Becton Dickinson (BD)",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
},
{
"product": "BD Pyxis\u2122 StockStation",
"vendor": "Becton Dickinson (BD)",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
},
{
"product": "BD Pyxis\u2122 SupplyCenter",
"vendor": "Becton Dickinson (BD)",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
},
{
"product": "BD Pyxis\u2122 SupplyRoller",
"vendor": "Becton Dickinson (BD)",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
},
{
"product": "BD Pyxis\u2122 SupplyStation\u2122",
"vendor": "Becton Dickinson (BD)",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
},
{
"product": "BD Pyxis\u2122 SupplyStation\u2122 EC",
"vendor": "Becton Dickinson (BD)",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
},
{
"product": "BD Pyxis\u2122 SupplyStation\u2122 RF auxiliary",
"vendor": "Becton Dickinson (BD)",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
},
{
"product": "BD Rowa\u2122 Pouch Packaging Systems",
"vendor": "Becton Dickinson (BD)",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
}
],
"configurations": [
{
"lang": "en",
"value": "To exploit this vulnerability, threat actors would have to gain access to the default credentials, infiltrate facility\u2019s network, and gain access to individual devices and/or servers."
}
],
"datePublic": "2022-05-31T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Specific BD Pyxis\u2122 products were installed with default credentials and may presently still operate with these credentials. There may be scenarios where BD Pyxis\u2122 products are installed with the same default local operating system credentials or domain-joined server(s) credentials that may be shared across product types. If exploited, threat actors may be able to gain privileged access to the underlying file system and could potentially exploit or gain access to ePHI or other sensitive information."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-262",
"description": "CWE-262: Not Using Password Aging",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-06-01T16:35:38",
"orgId": "2325d071-eabf-4b7b-a4ea-0819b6629a18",
"shortName": "BD"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://cybersecurity.bd.com/bulletins-and-patches/bd-pyxis-products-default-credentials"
}
],
"solutions": [
{
"lang": "en",
"value": "BD is currently strengthening our credential management capabilities in BD Pyxis\u2122 products. Service personnel are proactively working with customers whose domain-joined server(s) credentials require updates. BD is currently piloting a credential management solution that is initially targeted for only specific BD Pyxis\u2122 product versions and will allow for improved authentication management practices with specific local operating system credentials. Changes needed for installation, upgrade or to applications are being evaluated as part of the overall remediation."
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "BD Pyxis\u2122 Products \u2013 Default Credentials",
"workarounds": [
{
"lang": "en",
"value": "Limit physical access to only authorized personnel."
},
{
"lang": "en",
"value": "Tightly control management of system passwords provided to authorized users."
},
{
"lang": "en",
"value": "Isolate affected products in a secure VLAN or behind firewalls with restricted access that only permits communication with trusted hosts in other networks when needed."
},
{
"lang": "en",
"value": "Work with your local BD support team to ensure that patching and virus definitions are up to date. The BD Remote Support Services Solution for automated patching and virus definition management is an available solution for customer accounts."
}
],
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cybersecurity@bd.com",
"DATE_PUBLIC": "2022-05-31T15:00:00.000Z",
"ID": "CVE-2022-22767",
"STATE": "PUBLIC",
"TITLE": "BD Pyxis\u2122 Products \u2013 Default Credentials"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "BD Pyxis\u2122 Anesthesia ES Station",
"version": {
"version_data": [
{
"version_value": "All versions"
}
]
}
},
{
"product_name": "BD Pyxis\u2122 CIISafe",
"version": {
"version_data": [
{
"version_value": "All versions"
}
]
}
},
{
"product_name": "BD Pyxis\u2122 Logistics",
"version": {
"version_data": [
{
"version_value": "All versions"
}
]
}
},
{
"product_name": "BD Pyxis\u2122 MedBank",
"version": {
"version_data": [
{
"version_value": "All versions"
}
]
}
},
{
"product_name": "BD Pyxis\u2122 MedStation\u2122 4000",
"version": {
"version_data": [
{
"version_value": "All versions"
}
]
}
},
{
"product_name": "BD Pyxis\u2122 MedStation\u2122 ES",
"version": {
"version_data": [
{
"version_value": "All versions"
}
]
}
},
{
"product_name": "BD Pyxis\u2122 MedStation\u2122 ES Server",
"version": {
"version_data": [
{
"version_value": "All versions"
}
]
}
},
{
"product_name": "BD Pyxis\u2122 ParAssist",
"version": {
"version_data": [
{
"version_value": "All versions"
}
]
}
},
{
"product_name": "BD Pyxis\u2122 Rapid Rx",
"version": {
"version_data": [
{
"version_value": "All versions"
}
]
}
},
{
"product_name": "BD Pyxis\u2122 StockStation",
"version": {
"version_data": [
{
"version_value": "All versions"
}
]
}
},
{
"product_name": "BD Pyxis\u2122 SupplyCenter",
"version": {
"version_data": [
{
"version_value": "All versions"
}
]
}
},
{
"product_name": "BD Pyxis\u2122 SupplyRoller",
"version": {
"version_data": [
{
"version_value": "All versions"
}
]
}
},
{
"product_name": "BD Pyxis\u2122 SupplyStation\u2122",
"version": {
"version_data": [
{
"version_value": "All versions"
}
]
}
},
{
"product_name": "BD Pyxis\u2122 SupplyStation\u2122 EC",
"version": {
"version_data": [
{
"version_value": "All versions"
}
]
}
},
{
"product_name": "BD Pyxis\u2122 SupplyStation\u2122 RF auxiliary",
"version": {
"version_data": [
{
"version_value": "All versions"
}
]
}
},
{
"product_name": "BD Rowa\u2122 Pouch Packaging Systems",
"version": {
"version_data": [
{
"version_value": "All versions"
}
]
}
}
]
},
"vendor_name": "Becton Dickinson (BD)"
}
]
}
},
"configuration": [
{
"lang": "en",
"value": "To exploit this vulnerability, threat actors would have to gain access to the default credentials, infiltrate facility\u2019s network, and gain access to individual devices and/or servers."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Specific BD Pyxis\u2122 products were installed with default credentials and may presently still operate with these credentials. There may be scenarios where BD Pyxis\u2122 products are installed with the same default local operating system credentials or domain-joined server(s) credentials that may be shared across product types. If exploited, threat actors may be able to gain privileged access to the underlying file system and could potentially exploit or gain access to ePHI or other sensitive information."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-262: Not Using Password Aging"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://cybersecurity.bd.com/bulletins-and-patches/bd-pyxis-products-default-credentials",
"refsource": "CONFIRM",
"url": "https://cybersecurity.bd.com/bulletins-and-patches/bd-pyxis-products-default-credentials"
}
]
},
"solution": [
{
"lang": "en",
"value": "BD is currently strengthening our credential management capabilities in BD Pyxis\u2122 products. Service personnel are proactively working with customers whose domain-joined server(s) credentials require updates. BD is currently piloting a credential management solution that is initially targeted for only specific BD Pyxis\u2122 product versions and will allow for improved authentication management practices with specific local operating system credentials. Changes needed for installation, upgrade or to applications are being evaluated as part of the overall remediation."
}
],
"source": {
"discovery": "INTERNAL"
},
"work_around": [
{
"lang": "en",
"value": "Limit physical access to only authorized personnel."
},
{
"lang": "en",
"value": "Tightly control management of system passwords provided to authorized users."
},
{
"lang": "en",
"value": "Isolate affected products in a secure VLAN or behind firewalls with restricted access that only permits communication with trusted hosts in other networks when needed."
},
{
"lang": "en",
"value": "Work with your local BD support team to ensure that patching and virus definitions are up to date. The BD Remote Support Services Solution for automated patching and virus definition management is an available solution for customer accounts."
}
]
}
}
},
"cveMetadata": {
"assignerOrgId": "2325d071-eabf-4b7b-a4ea-0819b6629a18",
"assignerShortName": "BD",
"cveId": "CVE-2022-22767",
"datePublished": "2022-06-01T16:35:38.991672Z",
"dateReserved": "2022-01-07T00:00:00",
"dateUpdated": "2024-09-16T16:42:50.707Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-22765 (GCVE-0-2022-22765)
Vulnerability from cvelistv5 – Published: 2022-02-12 02:30 – Updated: 2024-09-17 02:58
VLAI?
Summary
BD Viper LT system, versions 2.0 and later, contains hardcoded credentials. If exploited, threat actors may be able to access, modify or delete sensitive information, including electronic protected health information (ePHI), protected health information (PHI) and personally identifiable information (PII). BD Viper LT system versions 4.0 and later utilize Microsoft Windows 10 and have additional Operating System hardening configurations which increase the attack complexity required to exploit this vulnerability.
Severity ?
CWE
- CWE-798 - Use of Hard-coded Credentials
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Becton Dickinson (BD) | BD Viper LT System |
Affected:
next of 2.0 , < unspecified
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T03:21:49.105Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://cybersecurity.bd.com/bulletins-and-patches/bd-viper-lt-system-%E2%80%93-hardcoded-credentials"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.cisa.gov/uscert/ics/advisories/icsma-22-062-02"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "BD Viper LT System",
"vendor": "Becton Dickinson (BD)",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "next of 2.0",
"versionType": "custom"
}
]
}
],
"datePublic": "2022-02-11T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "BD Viper LT system, versions 2.0 and later, contains hardcoded credentials. If exploited, threat actors may be able to access, modify or delete sensitive information, including electronic protected health information (ePHI), protected health information (PHI) and personally identifiable information (PII). BD Viper LT system versions 4.0 and later utilize Microsoft Windows 10 and have additional Operating System hardening configurations which increase the attack complexity required to exploit this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-798",
"description": "CWE-798 Use of Hard-coded Credentials",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-03-09T15:26:14",
"orgId": "2325d071-eabf-4b7b-a4ea-0819b6629a18",
"shortName": "BD"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://cybersecurity.bd.com/bulletins-and-patches/bd-viper-lt-system-%E2%80%93-hardcoded-credentials"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.cisa.gov/uscert/ics/advisories/icsma-22-062-02"
}
],
"solutions": [
{
"lang": "en",
"value": "The fix is expected in BD Viper LT system version 4.80 software release."
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "BD Viper LT System - Hardcoded Credentials",
"workarounds": [
{
"lang": "en",
"value": "Ensure physical access controls are in place and only authorized end-users have access to the BD Viper\u00e2\u201e\u00a2 LT system. Disconnect the BD Viper LT system from network access, where applicable. If the BD Viper LT system must be connected to a network, ensure industry standard network security policies and procedures are followed."
}
],
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cybersecurity@bd.com",
"DATE_PUBLIC": "2022-02-11T21:00:00.000Z",
"ID": "CVE-2022-22765",
"STATE": "PUBLIC",
"TITLE": "BD Viper LT System - Hardcoded Credentials"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "BD Viper LT System",
"version": {
"version_data": [
{
"version_affected": "\u003e",
"version_value": "2.0"
}
]
}
}
]
},
"vendor_name": "Becton Dickinson (BD)"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "BD Viper LT system, versions 2.0 and later, contains hardcoded credentials. If exploited, threat actors may be able to access, modify or delete sensitive information, including electronic protected health information (ePHI), protected health information (PHI) and personally identifiable information (PII). BD Viper LT system versions 4.0 and later utilize Microsoft Windows 10 and have additional Operating System hardening configurations which increase the attack complexity required to exploit this vulnerability."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-798 Use of Hard-coded Credentials"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://cybersecurity.bd.com/bulletins-and-patches/bd-viper-lt-system-%E2%80%93-hardcoded-credentials",
"refsource": "CONFIRM",
"url": "https://cybersecurity.bd.com/bulletins-and-patches/bd-viper-lt-system-%E2%80%93-hardcoded-credentials"
},
{
"name": "https://www.cisa.gov/uscert/ics/advisories/icsma-22-062-02",
"refsource": "MISC",
"url": "https://www.cisa.gov/uscert/ics/advisories/icsma-22-062-02"
}
]
},
"solution": [
{
"lang": "en",
"value": "The fix is expected in BD Viper LT system version 4.80 software release."
}
],
"source": {
"discovery": "INTERNAL"
},
"work_around": [
{
"lang": "en",
"value": "Ensure physical access controls are in place and only authorized end-users have access to the BD Viper\u00e2\u201e\u00a2 LT system. Disconnect the BD Viper LT system from network access, where applicable. If the BD Viper LT system must be connected to a network, ensure industry standard network security policies and procedures are followed."
}
]
}
}
},
"cveMetadata": {
"assignerOrgId": "2325d071-eabf-4b7b-a4ea-0819b6629a18",
"assignerShortName": "BD",
"cveId": "CVE-2022-22765",
"datePublished": "2022-02-12T02:30:40.024621Z",
"dateReserved": "2022-01-07T00:00:00",
"dateUpdated": "2024-09-17T02:58:09.300Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-22766 (GCVE-0-2022-22766)
Vulnerability from cvelistv5 – Published: 2022-02-11 18:12 – Updated: 2024-09-16 19:15
VLAI?
Summary
Hardcoded credentials are used in specific BD Pyxis products. If exploited, threat actors may be able to gain access to the underlying file system and could potentially exploit application files for information that could be used to decrypt application credentials or gain access to electronic protected health information (ePHI) or other sensitive information.
Severity ?
CWE
- CWE-798 - Use of Hard-coded Credentials
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Becton Dickinson (BD) | BD Pyxis Anesthesia Station ES |
Affected:
All
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T03:21:49.148Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://cybersecurity.bd.com/bulletins-and-patches/bd-pyxis-products---hardcoded-credentials"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.cisa.gov/uscert/ics/advisories/icsma-22-062-01"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "BD Pyxis Anesthesia Station ES",
"vendor": "Becton Dickinson (BD)",
"versions": [
{
"status": "affected",
"version": "All"
}
]
},
{
"product": "BD Pyxis Anesthesia Station 4000",
"vendor": "Becton Dickinson (BD)",
"versions": [
{
"status": "affected",
"version": "All"
}
]
},
{
"product": "BD Pyxis CATO",
"vendor": "Becton Dickinson (BD)",
"versions": [
{
"status": "affected",
"version": "All"
}
]
},
{
"product": "BD Pyxis CIISafe",
"vendor": "Becton Dickinson (BD)",
"versions": [
{
"status": "affected",
"version": "All"
}
]
},
{
"product": "BD Pyxis Inventory Connect",
"vendor": "Becton Dickinson (BD)",
"versions": [
{
"status": "affected",
"version": "All"
}
]
},
{
"product": "BD Pyxis IV Prep",
"vendor": "Becton Dickinson (BD)",
"versions": [
{
"status": "affected",
"version": "All"
}
]
},
{
"product": "BD Pyxis JITrBUD",
"vendor": "Becton Dickinson (BD)",
"versions": [
{
"status": "affected",
"version": "All"
}
]
},
{
"product": "BD Pyxis KanBan RF",
"vendor": "Becton Dickinson (BD)",
"versions": [
{
"status": "affected",
"version": "All"
}
]
},
{
"product": "BD Pyxis Logistics",
"vendor": "Becton Dickinson (BD)",
"versions": [
{
"status": "affected",
"version": "All"
}
]
},
{
"product": "BD Pyxis Med Link Family",
"vendor": "Becton Dickinson (BD)",
"versions": [
{
"status": "affected",
"version": "All"
}
]
},
{
"product": "BD Pyxis MedBank",
"vendor": "Becton Dickinson (BD)",
"versions": [
{
"status": "affected",
"version": "All"
}
]
},
{
"product": "BD Pyxis MedStation 4000",
"vendor": "Becton Dickinson (BD)",
"versions": [
{
"status": "affected",
"version": "All"
}
]
},
{
"product": "BD Pyxis MedStation ES",
"vendor": "Becton Dickinson (BD)",
"versions": [
{
"status": "affected",
"version": "All"
}
]
},
{
"product": "BD Pyxis MedStation ES Server",
"vendor": "Becton Dickinson (BD)",
"versions": [
{
"status": "affected",
"version": "All"
}
]
},
{
"product": "BD Pyxis ParAssist",
"vendor": "Becton Dickinson (BD)",
"versions": [
{
"status": "affected",
"version": "All"
}
]
},
{
"product": "BD Pyxis PharmoPack",
"vendor": "Becton Dickinson (BD)",
"versions": [
{
"status": "affected",
"version": "All"
}
]
},
{
"product": "BD Pyxis ProcedureStation (including EC)",
"vendor": "Becton Dickinson (BD)",
"versions": [
{
"status": "affected",
"version": "All"
}
]
},
{
"product": "BD Pyxis Rapid Rx",
"vendor": "Becton Dickinson (BD)",
"versions": [
{
"status": "affected",
"version": "All"
}
]
},
{
"product": "BD Pyxis StockStation",
"vendor": "Becton Dickinson (BD)",
"versions": [
{
"status": "affected",
"version": "All"
}
]
},
{
"product": "BD Pyxis SupplyCenter",
"vendor": "Becton Dickinson (BD)",
"versions": [
{
"status": "affected",
"version": "All"
}
]
},
{
"product": "BD Pyxis SupplyRoller",
"vendor": "Becton Dickinson (BD)",
"versions": [
{
"status": "affected",
"version": "All"
}
]
},
{
"product": "BD Pyxis SupplyStation (including RF, EC, CP)",
"vendor": "Becton Dickinson (BD)",
"versions": [
{
"status": "affected",
"version": "All"
}
]
},
{
"product": "BD Pyxis Track and Deliver",
"vendor": "Becton Dickinson (BD)",
"versions": [
{
"status": "affected",
"version": "All"
}
]
},
{
"product": "BD Rowa Pouch Packaging Systems",
"vendor": "Becton Dickinson (BD)",
"versions": [
{
"status": "affected",
"version": "All"
}
]
}
],
"datePublic": "2022-02-12T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Hardcoded credentials are used in specific BD Pyxis products. If exploited, threat actors may be able to gain access to the underlying file system and could potentially exploit application files for information that could be used to decrypt application credentials or gain access to electronic protected health information (ePHI) or other sensitive information."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-798",
"description": "CWE-798 Use of Hard-coded Credentials",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-03-09T15:28:22",
"orgId": "2325d071-eabf-4b7b-a4ea-0819b6629a18",
"shortName": "BD"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://cybersecurity.bd.com/bulletins-and-patches/bd-pyxis-products---hardcoded-credentials"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.cisa.gov/uscert/ics/advisories/icsma-22-062-01"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "BD Pyxis Products - Hardcoded Credentials",
"workarounds": [
{
"lang": "en",
"value": "Limit physical access to the device to only authorized personnel. Tightly control management of BD Pyxis system credentials provided to authorized users. Isolate affected products in a secure VLAN or behind firewalls with restricted access that only permits communication with trusted hosts in other networks when needed. Monitor and log all network traffic attempting to reach the affected products for suspicious activity. Work with your local BD support team ensure all patching and virus definitions are up to date. The Pyxis Security Module for automated patching and virus definition management is provided to all accounts."
}
],
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cybersecurity@bd.com",
"DATE_PUBLIC": "2022-02-12T04:00:00.000Z",
"ID": "CVE-2022-22766",
"STATE": "PUBLIC",
"TITLE": "BD Pyxis Products - Hardcoded Credentials"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "BD Pyxis Anesthesia Station ES",
"version": {
"version_data": [
{
"version_value": "All"
}
]
}
},
{
"product_name": "BD Pyxis Anesthesia Station 4000",
"version": {
"version_data": [
{
"version_value": "All"
}
]
}
},
{
"product_name": "BD Pyxis CATO",
"version": {
"version_data": [
{
"version_value": "All"
}
]
}
},
{
"product_name": "BD Pyxis CIISafe",
"version": {
"version_data": [
{
"version_value": "All"
}
]
}
},
{
"product_name": "BD Pyxis Inventory Connect",
"version": {
"version_data": [
{
"version_value": "All"
}
]
}
},
{
"product_name": "BD Pyxis IV Prep",
"version": {
"version_data": [
{
"version_value": "All"
}
]
}
},
{
"product_name": "BD Pyxis JITrBUD",
"version": {
"version_data": [
{
"version_value": "All"
}
]
}
},
{
"product_name": "BD Pyxis KanBan RF",
"version": {
"version_data": [
{
"version_value": "All"
}
]
}
},
{
"product_name": "BD Pyxis Logistics",
"version": {
"version_data": [
{
"version_value": "All"
}
]
}
},
{
"product_name": "BD Pyxis Med Link Family",
"version": {
"version_data": [
{
"version_value": "All"
}
]
}
},
{
"product_name": "BD Pyxis MedBank",
"version": {
"version_data": [
{
"version_value": "All"
}
]
}
},
{
"product_name": "BD Pyxis MedStation 4000",
"version": {
"version_data": [
{
"version_value": "All"
}
]
}
},
{
"product_name": "BD Pyxis MedStation ES",
"version": {
"version_data": [
{
"version_value": "All"
}
]
}
},
{
"product_name": "BD Pyxis MedStation ES Server",
"version": {
"version_data": [
{
"version_value": "All"
}
]
}
},
{
"product_name": "BD Pyxis ParAssist",
"version": {
"version_data": [
{
"version_value": "All"
}
]
}
},
{
"product_name": "BD Pyxis PharmoPack",
"version": {
"version_data": [
{
"version_value": "All"
}
]
}
},
{
"product_name": "BD Pyxis ProcedureStation (including EC)",
"version": {
"version_data": [
{
"version_value": "All"
}
]
}
},
{
"product_name": "BD Pyxis Rapid Rx",
"version": {
"version_data": [
{
"version_value": "All"
}
]
}
},
{
"product_name": "BD Pyxis StockStation",
"version": {
"version_data": [
{
"version_value": "All"
}
]
}
},
{
"product_name": "BD Pyxis SupplyCenter",
"version": {
"version_data": [
{
"version_value": "All"
}
]
}
},
{
"product_name": "BD Pyxis SupplyRoller",
"version": {
"version_data": [
{
"version_value": "All"
}
]
}
},
{
"product_name": "BD Pyxis SupplyStation (including RF, EC, CP)",
"version": {
"version_data": [
{
"version_value": "All"
}
]
}
},
{
"product_name": "BD Pyxis Track and Deliver",
"version": {
"version_data": [
{
"version_value": "All"
}
]
}
},
{
"product_name": "BD Rowa Pouch Packaging Systems",
"version": {
"version_data": [
{
"version_value": "All"
}
]
}
}
]
},
"vendor_name": "Becton Dickinson (BD)"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Hardcoded credentials are used in specific BD Pyxis products. If exploited, threat actors may be able to gain access to the underlying file system and could potentially exploit application files for information that could be used to decrypt application credentials or gain access to electronic protected health information (ePHI) or other sensitive information."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-798 Use of Hard-coded Credentials"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://cybersecurity.bd.com/bulletins-and-patches/bd-pyxis-products---hardcoded-credentials",
"refsource": "CONFIRM",
"url": "https://cybersecurity.bd.com/bulletins-and-patches/bd-pyxis-products---hardcoded-credentials"
},
{
"name": "https://www.cisa.gov/uscert/ics/advisories/icsma-22-062-01",
"refsource": "MISC",
"url": "https://www.cisa.gov/uscert/ics/advisories/icsma-22-062-01"
}
]
},
"source": {
"discovery": "INTERNAL"
},
"work_around": [
{
"lang": "en",
"value": "Limit physical access to the device to only authorized personnel. Tightly control management of BD Pyxis system credentials provided to authorized users. Isolate affected products in a secure VLAN or behind firewalls with restricted access that only permits communication with trusted hosts in other networks when needed. Monitor and log all network traffic attempting to reach the affected products for suspicious activity. Work with your local BD support team ensure all patching and virus definitions are up to date. The Pyxis Security Module for automated patching and virus definition management is provided to all accounts."
}
]
}
}
},
"cveMetadata": {
"assignerOrgId": "2325d071-eabf-4b7b-a4ea-0819b6629a18",
"assignerShortName": "BD",
"cveId": "CVE-2022-22766",
"datePublished": "2022-02-11T18:12:07.247407Z",
"dateReserved": "2022-01-07T00:00:00",
"dateUpdated": "2024-09-16T19:15:26.998Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}