12 vulnerabilities found for access_controller by cassianetworks
FKIE_CVE-2023-35794
Vulnerability from fkie_nvd - Published: 2023-10-27 21:15 - Updated: 2024-11-21 08:08
Severity ?
Summary
An issue was discovered in Cassia Access Controller 2.1.1.2303271039. The Web SSH terminal endpoint (spawned console) can be accessed without authentication. Specifically, there is no session cookie validation on the Access Controller; instead, there is only Basic Authentication to the SSH console.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| cassianetworks | access_controller | 2.1.1.2303271039 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:cassianetworks:access_controller:2.1.1.2303271039:*:*:*:*:*:*:*",
"matchCriteriaId": "AD4C512A-48EB-43EB-9CAA-CE05673F71D5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Cassia Access Controller 2.1.1.2303271039. The Web SSH terminal endpoint (spawned console) can be accessed without authentication. Specifically, there is no session cookie validation on the Access Controller; instead, there is only Basic Authentication to the SSH console."
},
{
"lang": "es",
"value": "Se descubri\u00f3 un problema en Cassia Access Controller 2.1.1.2303271039. Se puede acceder al endpoint del terminal Web SSH (consola generada) sin autenticaci\u00f3n. Espec\u00edficamente, no existe una validaci\u00f3n de cookies de sesi\u00f3n en el Controlador de Acceso; en cambio, solo existe Autenticaci\u00f3n B\u00e1sica para la consola SSH."
}
],
"id": "CVE-2023-35794",
"lastModified": "2024-11-21T08:08:43.310",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-10-27T21:15:08.513",
"references": [
{
"source": "cve@mitre.org",
"url": "https://blog.kscsc.online/cves/202335794/md.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/Dodge-MPTC/CVE-2023-35794-WebSSH-Hijacking"
},
{
"source": "cve@mitre.org",
"tags": [
"Product"
],
"url": "https://www.cassianetworks.com/products/iot-access-controller/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://blog.kscsc.online/cves/202335794/md.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/Dodge-MPTC/CVE-2023-35794-WebSSH-Hijacking"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product"
],
"url": "https://www.cassianetworks.com/products/iot-access-controller/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-287"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2023-35793
Vulnerability from fkie_nvd - Published: 2023-09-27 15:18 - Updated: 2024-11-21 08:08
Severity ?
Summary
An issue was discovered in Cassia Access Controller 2.1.1.2303271039. Establishing a web SSH session to gateways is vulnerable to Cross Site Request Forgery (CSRF) attacks.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| cassianetworks | access_controller | 2.1.1.2303271039 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:cassianetworks:access_controller:2.1.1.2303271039:*:*:*:*:*:*:*",
"matchCriteriaId": "AD4C512A-48EB-43EB-9CAA-CE05673F71D5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Cassia Access Controller 2.1.1.2303271039. Establishing a web SSH session to gateways is vulnerable to Cross Site Request Forgery (CSRF) attacks."
},
{
"lang": "es",
"value": "Se descubri\u00f3 un problema en Cassia Access Controller 2.1.1.2303271039. Establecer una sesi\u00f3n web SSH para puertas de enlace es vulnerable a ataques de Cross Site Request Forgery (CSRF)."
}
],
"id": "CVE-2023-35793",
"lastModified": "2024-11-21T08:08:43.157",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-09-27T15:18:52.857",
"references": [
{
"source": "cve@mitre.org",
"url": "https://blog.kscsc.online/cves/202335793/md.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/Dodge-MPTC/CVE-2023-35793-CSRF-On-Web-SSH"
},
{
"source": "cve@mitre.org",
"tags": [
"Product"
],
"url": "https://www.cassianetworks.com/products/iot-access-controller/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://blog.kscsc.online/cves/202335793/md.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/Dodge-MPTC/CVE-2023-35793-CSRF-On-Web-SSH"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product"
],
"url": "https://www.cassianetworks.com/products/iot-access-controller/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2023-31445
Vulnerability from fkie_nvd - Published: 2023-05-11 12:15 - Updated: 2024-11-21 08:01
Severity ?
Summary
Cassia Access Controller before 2.1.1.2203171453 was discovered to have an unprivileged information disclosure vulnerability that allows read-only users to enumerate all other users and discover the e-mail addresses, phone numbers, and privileges of all other users.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| cassianetworks | access_controller | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:cassianetworks:access_controller:*:*:*:*:*:*:*:*",
"matchCriteriaId": "AF4057AF-E991-446C-B846-AEEFF197216B",
"versionEndExcluding": "2.1.1.2203171453",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cassia Access controller before 2.1.1.2203171453, was discovered to have a unprivileged -information disclosure vulnerability that allows read-only users have the ability to enumerate all other users and discover e-mail addresses, phone numbers, and privileges of all other users."
}
],
"id": "CVE-2023-31445",
"lastModified": "2024-11-21T08:01:52.663",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-05-11T12:15:09.450",
"references": [
{
"source": "cve@mitre.org",
"url": "https://blog.kscsc.online/cves/202331445/md.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/Dodge-MPTC/CVE-2023-31445-Unprivileged-Information-Disclosure"
},
{
"source": "cve@mitre.org",
"tags": [
"Product"
],
"url": "https://www.cassianetworks.com"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://blog.kscsc.online/cves/202331445/md.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/Dodge-MPTC/CVE-2023-31445-Unprivileged-Information-Disclosure"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product"
],
"url": "https://www.cassianetworks.com"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-732"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2021-22685
Vulnerability from fkie_nvd - Published: 2022-10-14 17:15 - Updated: 2024-11-21 05:50
Severity ?
6.2 (Medium) - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
An attacker may be able to use minify route with a relative path to view any file on the Cassia Networks Access Controller prior to 2.0.1.
References
| URL | Tags | ||
|---|---|---|---|
| ics-cert@hq.dhs.gov | https://www.cassianetworks.com/support/knowledge-base/ | Vendor Advisory | |
| ics-cert@hq.dhs.gov | https://www.cisa.gov/uscert/ics/advisories/icsa-21-119-02 | Third Party Advisory, US Government Resource | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.cassianetworks.com/support/knowledge-base/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.cisa.gov/uscert/ics/advisories/icsa-21-119-02 | Third Party Advisory, US Government Resource |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| cassianetworks | access_controller | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:cassianetworks:access_controller:*:*:*:*:*:*:*:*",
"matchCriteriaId": "0A3360C3-90D1-4B4B-AC80-7C5F3D864ED2",
"versionEndExcluding": "2.0.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An attacker may be able to use minify route with a relative path to view any file on the Cassia Networks Access Controller prior to 2.0.1."
},
{
"lang": "es",
"value": "Un atacante puede ser capaz de usar minify route con una ruta relativa para visualizar cualquier archivo en Cassia Networks Access Controller versiones anteriores a 2.0.1"
}
],
"id": "CVE-2021-22685",
"lastModified": "2024-11-21T05:50:28.590",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.5,
"impactScore": 3.6,
"source": "ics-cert@hq.dhs.gov",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-10-14T17:15:10.390",
"references": [
{
"source": "ics-cert@hq.dhs.gov",
"tags": [
"Vendor Advisory"
],
"url": "https://www.cassianetworks.com/support/knowledge-base/"
},
{
"source": "ics-cert@hq.dhs.gov",
"tags": [
"Third Party Advisory",
"US Government Resource"
],
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-119-02"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://www.cassianetworks.com/support/knowledge-base/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"US Government Resource"
],
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-119-02"
}
],
"sourceIdentifier": "ics-cert@hq.dhs.gov",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "ics-cert@hq.dhs.gov",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2023-35794 (GCVE-0-2023-35794)
Vulnerability from cvelistv5 – Published: 2023-10-27 00:00 – Updated: 2024-08-02 16:30
Summary
An issue was discovered in Cassia Access Controller 2.1.1.2303271039. The Web SSH terminal endpoint (spawned console) can be accessed without authentication. Specifically, there is no session cookie validation on the Access Controller; instead, there is only Basic Authentication to the SSH console.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T16:30:45.336Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.cassianetworks.com/products/iot-access-controller/"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/Dodge-MPTC/CVE-2023-35794-WebSSH-Hijacking"
},
{
"tags": [
"x_transferred"
],
"url": "https://blog.kscsc.online/cves/202335794/md.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Cassia Access Controller 2.1.1.2303271039. The Web SSH terminal endpoint (spawned console) can be accessed without authentication. Specifically, there is no session cookie validation on the Access Controller; instead, there is only Basic Authentication to the SSH console."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-29T20:29:01.733811",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://www.cassianetworks.com/products/iot-access-controller/"
},
{
"url": "https://github.com/Dodge-MPTC/CVE-2023-35794-WebSSH-Hijacking"
},
{
"url": "https://blog.kscsc.online/cves/202335794/md.html"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2023-35794",
"datePublished": "2023-10-27T00:00:00",
"dateReserved": "2023-06-16T00:00:00",
"dateUpdated": "2024-08-02T16:30:45.336Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-35793 (GCVE-0-2023-35793)
Vulnerability from cvelistv5 – Published: 2023-09-26 00:00 – Updated: 2024-08-02 16:30
Summary
An issue was discovered in Cassia Access Controller 2.1.1.2303271039. Establishing a web SSH session to gateways is vulnerable to Cross Site Request Forgery (CSRF) attacks.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T16:30:45.373Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.cassianetworks.com/products/iot-access-controller/"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/Dodge-MPTC/CVE-2023-35793-CSRF-On-Web-SSH"
},
{
"tags": [
"x_transferred"
],
"url": "https://blog.kscsc.online/cves/202335793/md.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Cassia Access Controller 2.1.1.2303271039. Establishing a web SSH session to gateways is vulnerable to Cross Site Request Forgery (CSRF) attacks."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-29T20:35:15.767100",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://www.cassianetworks.com/products/iot-access-controller/"
},
{
"url": "https://github.com/Dodge-MPTC/CVE-2023-35793-CSRF-On-Web-SSH"
},
{
"url": "https://blog.kscsc.online/cves/202335793/md.html"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2023-35793",
"datePublished": "2023-09-26T00:00:00",
"dateReserved": "2023-06-16T00:00:00",
"dateUpdated": "2024-08-02T16:30:45.373Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-31445 (GCVE-0-2023-31445)
Vulnerability from cvelistv5 – Published: 2023-05-11 00:00 – Updated: 2024-08-02 14:53
Summary
Cassia Access Controller before 2.1.1.2203171453 was discovered to have an unprivileged information disclosure vulnerability that allows read-only users to enumerate all other users and discover the e-mail addresses, phone numbers, and privileges of all other users.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T14:53:30.745Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.cassianetworks.com"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/Dodge-MPTC/CVE-2023-31445-Unprivileged-Information-Disclosure"
},
{
"tags": [
"x_transferred"
],
"url": "https://blog.kscsc.online/cves/202331445/md.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cassia Access controller before 2.1.1.2203171453, was discovered to have a unprivileged -information disclosure vulnerability that allows read-only users have the ability to enumerate all other users and discover e-mail addresses, phone numbers, and privileges of all other users."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-29T20:51:37.903717",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://www.cassianetworks.com"
},
{
"url": "https://github.com/Dodge-MPTC/CVE-2023-31445-Unprivileged-Information-Disclosure"
},
{
"url": "https://blog.kscsc.online/cves/202331445/md.html"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2023-31445",
"datePublished": "2023-05-11T00:00:00",
"dateReserved": "2023-04-28T00:00:00",
"dateUpdated": "2024-08-02T14:53:30.745Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-22685 (GCVE-0-2021-22685)
Vulnerability from cvelistv5 – Published: 2022-10-14 00:00 – Updated: 2025-04-16 16:09
Title
Cassia Networks Access Controller Path Traversal
Summary
An attacker may be able to use minify route with a relative path to view any file on the Cassia Networks Access Controller prior to 2.0.1.
Severity ?
6.2 (Medium)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Cassia Networks | Access Controller | Affected: unspecified, < 2.0.1 (custom) | ||
Credits
Amir Preminger and Sharon Brizinov of Claroty reported this vulnerability to CISA.
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T18:51:07.052Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-119-02"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.cassianetworks.com/support/knowledge-base/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-22685",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-16T15:49:43.157310Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-16T16:09:02.170Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Access Controller",
"vendor": "Cassia Networks",
"versions": [
{
"lessThan": "2.0.1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Amir Preminger and Sharon Brizinov of Claroty reported this vulnerability to CISA."
}
],
"descriptions": [
{
"lang": "en",
"value": "An attacker may be able to use minify route with a relative path to view any file on the Cassia Networks Access Controller prior to 2.0.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-10-14T00:00:00.000Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-119-02"
},
{
"url": "https://www.cassianetworks.com/support/knowledge-base/"
}
],
"solutions": [
{
"lang": "en",
"value": "Cassia Networks has released a patch (https://www.cassianetworks.com/support/knowledge-base/) that mitigates the reported vulnerability."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Cassia Networks Access Controller Path Traversal",
"x_generator": {
"engine": "Vulnogram 0.0.9"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2021-22685",
"datePublished": "2022-10-14T00:00:00.000Z",
"dateReserved": "2021-01-05T00:00:00.000Z",
"dateUpdated": "2025-04-16T16:09:02.170Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-35794 (GCVE-0-2023-35794)
Vulnerability from nvd – Published: 2023-10-27 00:00 – Updated: 2024-08-02 16:30
Summary
An issue was discovered in Cassia Access Controller 2.1.1.2303271039. The Web SSH terminal endpoint (spawned console) can be accessed without authentication. Specifically, there is no session cookie validation on the Access Controller; instead, there is only Basic Authentication to the SSH console.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T16:30:45.336Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.cassianetworks.com/products/iot-access-controller/"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/Dodge-MPTC/CVE-2023-35794-WebSSH-Hijacking"
},
{
"tags": [
"x_transferred"
],
"url": "https://blog.kscsc.online/cves/202335794/md.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Cassia Access Controller 2.1.1.2303271039. The Web SSH terminal endpoint (spawned console) can be accessed without authentication. Specifically, there is no session cookie validation on the Access Controller; instead, there is only Basic Authentication to the SSH console."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-29T20:29:01.733811",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://www.cassianetworks.com/products/iot-access-controller/"
},
{
"url": "https://github.com/Dodge-MPTC/CVE-2023-35794-WebSSH-Hijacking"
},
{
"url": "https://blog.kscsc.online/cves/202335794/md.html"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2023-35794",
"datePublished": "2023-10-27T00:00:00",
"dateReserved": "2023-06-16T00:00:00",
"dateUpdated": "2024-08-02T16:30:45.336Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-35793 (GCVE-0-2023-35793)
Vulnerability from nvd – Published: 2023-09-26 00:00 – Updated: 2024-08-02 16:30
Summary
An issue was discovered in Cassia Access Controller 2.1.1.2303271039. Establishing a web SSH session to gateways is vulnerable to Cross Site Request Forgery (CSRF) attacks.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T16:30:45.373Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.cassianetworks.com/products/iot-access-controller/"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/Dodge-MPTC/CVE-2023-35793-CSRF-On-Web-SSH"
},
{
"tags": [
"x_transferred"
],
"url": "https://blog.kscsc.online/cves/202335793/md.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Cassia Access Controller 2.1.1.2303271039. Establishing a web SSH session to gateways is vulnerable to Cross Site Request Forgery (CSRF) attacks."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-29T20:35:15.767100",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://www.cassianetworks.com/products/iot-access-controller/"
},
{
"url": "https://github.com/Dodge-MPTC/CVE-2023-35793-CSRF-On-Web-SSH"
},
{
"url": "https://blog.kscsc.online/cves/202335793/md.html"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2023-35793",
"datePublished": "2023-09-26T00:00:00",
"dateReserved": "2023-06-16T00:00:00",
"dateUpdated": "2024-08-02T16:30:45.373Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-31445 (GCVE-0-2023-31445)
Vulnerability from nvd – Published: 2023-05-11 00:00 – Updated: 2024-08-02 14:53
Summary
Cassia Access Controller before 2.1.1.2203171453 was discovered to have an unprivileged information disclosure vulnerability that allows read-only users to enumerate all other users and discover the e-mail addresses, phone numbers, and privileges of all other users.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T14:53:30.745Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.cassianetworks.com"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/Dodge-MPTC/CVE-2023-31445-Unprivileged-Information-Disclosure"
},
{
"tags": [
"x_transferred"
],
"url": "https://blog.kscsc.online/cves/202331445/md.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cassia Access controller before 2.1.1.2203171453, was discovered to have a unprivileged -information disclosure vulnerability that allows read-only users have the ability to enumerate all other users and discover e-mail addresses, phone numbers, and privileges of all other users."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-29T20:51:37.903717",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://www.cassianetworks.com"
},
{
"url": "https://github.com/Dodge-MPTC/CVE-2023-31445-Unprivileged-Information-Disclosure"
},
{
"url": "https://blog.kscsc.online/cves/202331445/md.html"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2023-31445",
"datePublished": "2023-05-11T00:00:00",
"dateReserved": "2023-04-28T00:00:00",
"dateUpdated": "2024-08-02T14:53:30.745Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-22685 (GCVE-0-2021-22685)
Vulnerability from nvd – Published: 2022-10-14 00:00 – Updated: 2025-04-16 16:09
Title
Cassia Networks Access Controller Path Traversal
Summary
An attacker may be able to use minify route with a relative path to view any file on the Cassia Networks Access Controller prior to 2.0.1.
Severity ?
6.2 (Medium)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Cassia Networks | Access Controller | Affected: unspecified, < 2.0.1 (custom) | ||
Credits
Amir Preminger and Sharon Brizinov of Claroty reported this vulnerability to CISA.
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T18:51:07.052Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-119-02"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.cassianetworks.com/support/knowledge-base/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-22685",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-16T15:49:43.157310Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-16T16:09:02.170Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Access Controller",
"vendor": "Cassia Networks",
"versions": [
{
"lessThan": "2.0.1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Amir Preminger and Sharon Brizinov of Claroty reported this vulnerability to CISA."
}
],
"descriptions": [
{
"lang": "en",
"value": "An attacker may be able to use minify route with a relative path to view any file on the Cassia Networks Access Controller prior to 2.0.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-10-14T00:00:00.000Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-119-02"
},
{
"url": "https://www.cassianetworks.com/support/knowledge-base/"
}
],
"solutions": [
{
"lang": "en",
"value": "Cassia Networks has released a patch (https://www.cassianetworks.com/support/knowledge-base/) that mitigates the reported vulnerability."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Cassia Networks Access Controller Path Traversal",
"x_generator": {
"engine": "Vulnogram 0.0.9"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2021-22685",
"datePublished": "2022-10-14T00:00:00.000Z",
"dateReserved": "2021-01-05T00:00:00.000Z",
"dateUpdated": "2025-04-16T16:09:02.170Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}