CVE-2023-2141 (GCVE-0-2023-2141)
Vulnerability from cvelistv5 – Published: 2023-04-21 15:48 – Updated: 2025-02-04 20:26
VLAI
Title
Unsafe .NET object deserialization affecting DELMIA Apriso Release 2017 through Release 2022
Summary
An unsafe .NET object deserialization in DELMIA Apriso Release 2017 through Release 2022 could lead to post-authentication remote code execution.
Severity
8.5 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Dassault Systèmes | DELMIA Apriso |
Affected:
Apriso 2017 Golden , ≤ Apriso 2017 SP7
(custom)
Affected: Apriso 2018 Golden , ≤ Apriso 2018 SP4 (custom) Affected: Apriso 2019 Golden , ≤ Apriso 2019 SP5 (custom) Affected: Apriso 2020 Golden , ≤ Apriso 2020 SP4 (custom) Affected: Apriso 2021 Golden , ≤ Apriso 2021 SP2 (custom) Affected: Apriso 2022 Golden |
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T06:12:20.488Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.3ds.com/vulnerability/advisories"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-2141",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-04T20:26:47.042599Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-04T20:26:49.843Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "DELMIA Apriso",
"vendor": "Dassault Syst\u00e8mes",
"versions": [
{
"lessThanOrEqual": "Apriso 2017 SP7",
"status": "affected",
"version": "Apriso 2017 Golden",
"versionType": "custom"
},
{
"lessThanOrEqual": "Apriso 2018 SP4",
"status": "affected",
"version": "Apriso 2018 Golden",
"versionType": "custom"
},
{
"lessThanOrEqual": "Apriso 2019 SP5",
"status": "affected",
"version": "Apriso 2019 Golden",
"versionType": "custom"
},
{
"lessThanOrEqual": "Apriso 2020 SP4",
"status": "affected",
"version": "Apriso 2020 Golden",
"versionType": "custom"
},
{
"lessThanOrEqual": "Apriso 2021 SP2",
"status": "affected",
"version": "Apriso 2021 Golden",
"versionType": "custom"
},
{
"status": "affected",
"version": "Apriso 2022 Golden"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Mehdi Elyassa and Vincent Herbulot from Synacktiv"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An unsafe .NET object deserialization in DELMIA Apriso Release 2017 through Release 2022 could lead to post-authentication remote code execution.\u003cbr\u003e"
}
],
"value": "An unsafe .NET object deserialization in DELMIA Apriso Release 2017 through Release 2022 could lead to post-authentication remote code execution.\n"
}
],
"impacts": [
{
"capecId": "CAPEC-586",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-586 Object Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-04-21T15:48:39.800Z",
"orgId": "f5a594e6-46a7-4e60-8a08-0a786e70e433",
"shortName": "3DS"
},
"references": [
{
"url": "https://www.3ds.com/vulnerability/advisories"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Unsafe .NET object deserialization affecting DELMIA Apriso Release 2017 through Release 2022 ",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f5a594e6-46a7-4e60-8a08-0a786e70e433",
"assignerShortName": "3DS",
"cveId": "CVE-2023-2141",
"datePublished": "2023-04-21T15:48:39.800Z",
"dateReserved": "2023-04-18T07:52:31.574Z",
"dateUpdated": "2025-02-04T20:26:49.843Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2023-2141",
"date": "2026-06-07",
"epss": "0.02905",
"percentile": "0.86643"
},
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:3ds:delmia_apriso:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"2017\", \"versionEndIncluding\": \"2022\", \"matchCriteriaId\": \"C52EE2E6-9E32-4D89-B848-E187676E92B3\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"An unsafe .NET object deserialization in DELMIA Apriso Release 2017 through Release 2022 could lead to post-authentication remote code execution.\\n\"}]",
"id": "CVE-2023-2141",
"lastModified": "2024-11-21T07:58:00.923",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"3DS.Information-Security@3ds.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H\", \"baseScore\": 8.5, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 1.8, \"impactScore\": 6.0}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 8.8, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 5.9}]}",
"published": "2023-04-21T16:15:07.443",
"references": "[{\"url\": \"https://www.3ds.com/vulnerability/advisories\", \"source\": \"3DS.Information-Security@3ds.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://www.3ds.com/vulnerability/advisories\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}]",
"sourceIdentifier": "3DS.Information-Security@3ds.com",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"3DS.Information-Security@3ds.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-502\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-502\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2023-2141\",\"sourceIdentifier\":\"3DS.Information-Security@3ds.com\",\"published\":\"2023-04-21T16:15:07.443\",\"lastModified\":\"2024-11-21T07:58:00.923\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"An unsafe .NET object deserialization in DELMIA Apriso Release 2017 through Release 2022 could lead to post-authentication remote code execution.\\n\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"3DS.Information-Security@3ds.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H\",\"baseScore\":8.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":6.0},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"3DS.Information-Security@3ds.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-502\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-502\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:3ds:delmia_apriso:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2017\",\"versionEndIncluding\":\"2022\",\"matchCriteriaId\":\"C52EE2E6-9E32-4D89-B848-E187676E92B3\"}]}]}],\"references\":[{\"url\":\"https://www.3ds.com/vulnerability/advisories\",\"source\":\"3DS.Information-Security@3ds.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://www.3ds.com/vulnerability/advisories\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://www.3ds.com/vulnerability/advisories\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T06:12:20.488Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-2141\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-02-04T20:26:47.042599Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-02-04T19:58:38.447Z\"}}], \"cna\": {\"title\": \"Unsafe .NET object deserialization affecting DELMIA Apriso Release 2017 through Release 2022 \", \"source\": {\"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"user\": \"00000000-0000-4000-9000-000000000000\", \"value\": \"Mehdi Elyassa and Vincent Herbulot from Synacktiv\"}], \"impacts\": [{\"capecId\": \"CAPEC-586\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-586 Object Injection\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 8.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Dassault Syst\\u00e8mes\", \"product\": \"DELMIA Apriso\", \"versions\": [{\"status\": \"affected\", \"version\": \"Apriso 2017 Golden\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"Apriso 2017 SP7\"}, {\"status\": \"affected\", \"version\": \"Apriso 2018 Golden\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"Apriso 2018 SP4\"}, {\"status\": \"affected\", \"version\": \"Apriso 2019 Golden\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"Apriso 2019 SP5\"}, {\"status\": \"affected\", \"version\": \"Apriso 2020 Golden\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"Apriso 2020 SP4\"}, {\"status\": \"affected\", \"version\": \"Apriso 2021 Golden\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"Apriso 2021 SP2\"}, {\"status\": \"affected\", \"version\": \"Apriso 2022 Golden\"}], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://www.3ds.com/vulnerability/advisories\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.1.0-dev\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"An unsafe .NET object deserialization in DELMIA Apriso Release 2017 through Release 2022 could lead to post-authentication remote code execution.\\n\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"An unsafe .NET object deserialization in DELMIA Apriso Release 2017 through Release 2022 could lead to post-authentication remote code execution.\u003cbr\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-502\", \"description\": \"CWE-502 Deserialization of Untrusted Data\"}]}], \"providerMetadata\": {\"orgId\": \"f5a594e6-46a7-4e60-8a08-0a786e70e433\", \"shortName\": \"3DS\", \"dateUpdated\": \"2023-04-21T15:48:39.800Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2023-2141\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-02-04T20:26:49.843Z\", \"dateReserved\": \"2023-04-18T07:52:31.574Z\", \"assignerOrgId\": \"f5a594e6-46a7-4e60-8a08-0a786e70e433\", \"datePublished\": \"2023-04-21T15:48:39.800Z\", \"assignerShortName\": \"3DS\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…