cvelistv5 - CVE-2023-5391

CVE-2023-5391 (GCVE-0-2023-5391)

Vulnerability from cvelistv5 – Published: 2023-10-04 18:13 – Updated: 2025-02-27 20:46

Summary

A CWE-502: Deserialization of untrusted data vulnerability exists that could allow an attacker to execute arbitrary code on the targeted system by sending a specifically crafted packet to the application.

Severity ?

9.8 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-502 - Deserialization of Untrusted Data

Assigner

schneider

References

URL

Tags

https://download.schneider-electric.com/files?p_D…

Impacted products

Vendor

Product

Version

Schneider Electric

EcoStruxure Power Monitoring Expert

Affected: All versions – prior to application of Hotfix-145271

	Schneider Electric	EcoStruxure Power Operation (EPO) with Advanced Reports	Affected: All versions – prior to application of Hotfix-145271
	Schneider Electric	EcoStruxure Power SCADA Operation with Advanced Reports	Affected: All versions – prior to application of Hotfix-145271

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T07:59:44.528Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2023-283-02\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2023-283-02.pdf"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-5391",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-26T21:50:43.582116Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-27T20:46:31.823Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "EcoStruxure Power Monitoring Expert",
          "vendor": "Schneider Electric",
          "versions": [
            {
              "status": "affected",
              "version": "All versions \u2013 prior to application of Hotfix-145271"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "EcoStruxure Power Operation (EPO) with Advanced Reports",
          "vendor": "Schneider Electric",
          "versions": [
            {
              "status": "affected",
              "version": "All versions \u2013 prior to application of Hotfix-145271"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "EcoStruxure Power SCADA Operation with Advanced Reports",
          "vendor": "Schneider Electric",
          "versions": [
            {
              "status": "affected",
              "version": "All versions \u2013 prior to application of Hotfix-145271"
            }
          ]
        }
      ],
      "datePublic": "2023-10-10T17:55:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\n\n\n\nA CWE-502: Deserialization of untrusted data vulnerability exists that could allow an attacker to\nexecute arbitrary code on the targeted system by sending a specifically crafted packet to the\napplication.\n\n\n\n\u003cbr\u003e"
            }
          ],
          "value": "\n\n\nA CWE-502: Deserialization of untrusted data vulnerability exists that could allow an attacker to\nexecute arbitrary code on the targeted system by sending a specifically crafted packet to the\napplication.\n\n\n\n\n"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-502",
              "description": "CWE-502 Deserialization of Untrusted Data",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-10-11T08:25:11.967Z",
        "orgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb",
        "shortName": "schneider"
      },
      "references": [
        {
          "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2023-283-02\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2023-283-02.pdf"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb",
    "assignerShortName": "schneider",
    "cveId": "CVE-2023-5391",
    "datePublished": "2023-10-04T18:13:00.746Z",
    "dateReserved": "2023-10-04T17:50:08.965Z",
    "dateUpdated": "2025-02-27T20:46:31.823Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:schneider-electric:ecostruxure_power_monitoring_expert:*:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"B682ECD9-985F-4906-B936-DD388165063A\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:schneider-electric:ecostruxure_power_operation_with_advanced_reports:*:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"8A9E16D1-278E-4E0B-A604-13096B7A9029\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:schneider-electric:ecostruxure_power_scada_operation_with_advanced_reports:*:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"DC4A71CF-78EA-43F9-B7BA-9ED3C7816173\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"\\n\\n\\nA CWE-502: Deserialization of untrusted data vulnerability exists that could allow an attacker to\\nexecute arbitrary code on the targeted system by sending a specifically crafted packet to the\\napplication.\\n\\n\\n\\n\\n\"}, {\"lang\": \"es\", \"value\": \"CWE-502: Existe una vulnerabilidad deserializaci\\u00f3n de datos no confiables que podr\\u00eda permitir a un atacante ejecutar c\\u00f3digo arbitrario en el sistema objetivo enviando un paquete espec\\u00edficamente manipulado a la aplicaci\\u00f3n.\"}]",
      "id": "CVE-2023-5391",
      "lastModified": "2024-11-21T08:41:40.707",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"cybersecurity@se.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 9.8, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 5.9}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 9.8, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 5.9}]}",
      "published": "2023-10-04T19:15:10.777",
      "references": "[{\"url\": \"https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2023-283-02\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2023-283-02.pdf\", \"source\": \"cybersecurity@se.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2023-283-02\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2023-283-02.pdf\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}]",
      "sourceIdentifier": "cybersecurity@se.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"cybersecurity@se.com\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-502\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-5391\",\"sourceIdentifier\":\"cybersecurity@se.com\",\"published\":\"2023-10-04T19:15:10.777\",\"lastModified\":\"2024-11-21T08:41:40.707\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"\\n\\n\\nA CWE-502: Deserialization of untrusted data vulnerability exists that could allow an attacker to\\nexecute arbitrary code on the targeted system by sending a specifically crafted packet to the\\napplication.\\n\\n\\n\\n\\n\"},{\"lang\":\"es\",\"value\":\"CWE-502: Existe una vulnerabilidad deserializaci\u00f3n de datos no confiables que podr\u00eda permitir a un atacante ejecutar c\u00f3digo arbitrario en el sistema objetivo enviando un paquete espec\u00edficamente manipulado a la aplicaci\u00f3n.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"cybersecurity@se.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"cybersecurity@se.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-502\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:schneider-electric:ecostruxure_power_monitoring_expert:*:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B682ECD9-985F-4906-B936-DD388165063A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:schneider-electric:ecostruxure_power_operation_with_advanced_reports:*:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"8A9E16D1-278E-4E0B-A604-13096B7A9029\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:schneider-electric:ecostruxure_power_scada_operation_with_advanced_reports:*:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"DC4A71CF-78EA-43F9-B7BA-9ED3C7816173\"}]}]}],\"references\":[{\"url\":\"https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2023-283-02\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2023-283-02.pdf\",\"source\":\"cybersecurity@se.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2023-283-02\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2023-283-02.pdf\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"cna\": {\"affected\": [{\"defaultStatus\": \"unaffected\", \"product\": \"EcoStruxure Power Monitoring Expert\", \"vendor\": \"Schneider Electric\", \"versions\": [{\"status\": \"affected\", \"version\": \"All versions \\u2013 prior to application of Hotfix-145271\"}]}, {\"defaultStatus\": \"unaffected\", \"product\": \"EcoStruxure Power Operation (EPO) with Advanced Reports\", \"vendor\": \"Schneider Electric\", \"versions\": [{\"status\": \"affected\", \"version\": \"All versions \\u2013 prior to application of Hotfix-145271\"}]}, {\"defaultStatus\": \"unaffected\", \"product\": \"EcoStruxure Power SCADA Operation with Advanced Reports\", \"vendor\": \"Schneider Electric\", \"versions\": [{\"status\": \"affected\", \"version\": \"All versions \\u2013 prior to application of Hotfix-145271\"}]}], \"datePublic\": \"2023-10-10T17:55:00.000Z\", \"descriptions\": [{\"lang\": \"en\", \"supportingMedia\": [{\"base64\": false, \"type\": \"text/html\", \"value\": \"\\n\\n\\n\\nA CWE-502: Deserialization of untrusted data vulnerability exists that could allow an attacker to\\nexecute arbitrary code on the targeted system by sending a specifically crafted packet to the\\napplication.\\n\\n\\n\\n\u003cbr\u003e\"}], \"value\": \"\\n\\n\\nA CWE-502: Deserialization of untrusted data vulnerability exists that could allow an attacker to\\nexecute arbitrary code on the targeted system by sending a specifically crafted packet to the\\napplication.\\n\\n\\n\\n\\n\"}], \"metrics\": [{\"cvssV3_1\": {\"attackComplexity\": \"LOW\", \"attackVector\": \"NETWORK\", \"availabilityImpact\": \"HIGH\", \"baseScore\": 9.8, \"baseSeverity\": \"CRITICAL\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"scope\": \"UNCHANGED\", \"userInteraction\": \"NONE\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"version\": \"3.1\"}, \"format\": \"CVSS\", \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"problemTypes\": [{\"descriptions\": [{\"cweId\": \"CWE-502\", \"description\": \"CWE-502 Deserialization of Untrusted Data\", \"lang\": \"en\", \"type\": \"CWE\"}]}], \"providerMetadata\": {\"orgId\": \"076d1eb6-cfab-4401-b34d-6dfc2a413bdb\", \"shortName\": \"schneider\", \"dateUpdated\": \"2023-10-11T08:25:11.967Z\"}, \"references\": [{\"url\": \"https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2023-283-02\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2023-283-02.pdf\"}], \"source\": {\"discovery\": \"UNKNOWN\"}, \"x_generator\": {\"engine\": \"Vulnogram 0.1.0-dev\"}}, \"adp\": [{\"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T07:59:44.528Z\"}, \"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2023-283-02\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2023-283-02.pdf\", \"tags\": [\"x_transferred\"]}]}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-5391\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-02-26T21:50:43.582116Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-02-26T20:35:33.544Z\"}}]}",
      "cveMetadata": "{\"cveId\": \"CVE-2023-5391\", \"assignerOrgId\": \"076d1eb6-cfab-4401-b34d-6dfc2a413bdb\", \"state\": \"PUBLISHED\", \"assignerShortName\": \"schneider\", \"dateReserved\": \"2023-10-04T17:50:08.965Z\", \"datePublished\": \"2023-10-04T18:13:00.746Z\", \"dateUpdated\": \"2025-02-27T20:46:31.823Z\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

GHSA-W228-FRCG-5X99

Vulnerability from github – Published: 2023-10-04 21:30 – Updated: 2024-02-01 03:30

Details

A?CWE-502:?Deserialization of untrusted data?vulnerability exists?that could allow an attacker to execute arbitrary code on the targeted system by sending a specifically crafted packet to the application.

Severity ?

9.8 (Critical)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2023-5391"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-10-04T19:15:10Z",
    "severity": "CRITICAL"
  },
  "details": "\nA?CWE-502:?Deserialization of untrusted data?vulnerability exists?that could allow an attacker to execute arbitrary code on the targeted system by sending a specifically crafted packet to the application.\u00a0\n\n\n",
  "id": "GHSA-w228-frcg-5x99",
  "modified": "2024-02-01T03:30:22Z",
  "published": "2023-10-04T21:30:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5391"
    },
    {
      "type": "WEB",
      "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2023-283-02\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2023-283-02.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

FKIE_CVE-2023-5391

Vulnerability from fkie_nvd - Published: 2023-10-04 19:15 - Updated: 2024-11-21 08:41

Severity ?

9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

References

	URL	Tags
	cybersecurity@se.com	https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2023-283-02&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2023-283-02.pdf	Vendor Advisory
	af854a3a-2127-422b-91ae-364da2661108	https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2023-283-02&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2023-283-02.pdf	Vendor Advisory

Impacted products

Vendor	Product	Version
schneider-electric	ecostruxure_power_monitoring_expert	*
schneider-electric	ecostruxure_power_operation_with_advanced_reports	*
schneider-electric	ecostruxure_power_scada_operation_with_advanced_reports	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:schneider-electric:ecostruxure_power_monitoring_expert:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "B682ECD9-985F-4906-B936-DD388165063A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:schneider-electric:ecostruxure_power_operation_with_advanced_reports:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "8A9E16D1-278E-4E0B-A604-13096B7A9029",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:schneider-electric:ecostruxure_power_scada_operation_with_advanced_reports:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "DC4A71CF-78EA-43F9-B7BA-9ED3C7816173",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "\n\n\nA CWE-502: Deserialization of untrusted data vulnerability exists that could allow an attacker to\nexecute arbitrary code on the targeted system by sending a specifically crafted packet to the\napplication.\n\n\n\n\n"
    },
    {
      "lang": "es",
      "value": "CWE-502: Existe una vulnerabilidad deserializaci\u00f3n de datos no confiables que podr\u00eda permitir a un atacante ejecutar c\u00f3digo arbitrario en el sistema objetivo enviando un paquete espec\u00edficamente manipulado a la aplicaci\u00f3n."
    }
  ],
  "id": "CVE-2023-5391",
  "lastModified": "2024-11-21T08:41:40.707",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "cybersecurity@se.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-10-04T19:15:10.777",
  "references": [
    {
      "source": "cybersecurity@se.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2023-283-02\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2023-283-02.pdf"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2023-283-02\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2023-283-02.pdf"
    }
  ],
  "sourceIdentifier": "cybersecurity@se.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-502"
        }
      ],
      "source": "cybersecurity@se.com",
      "type": "Primary"
    }
  ]
}

CERTFR-2023-AVI-0818

Vulnerability from certfr_avis - Published: - Updated:

De multiples vulnérabilités ont été découvertes dans les produits Schneider. Elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
Schneider Electric	N/A	Schneider Electric EcoStruxure Power SCADA Operation with Advanced Reports toutes versions sans le correctif de sécurité Hotfix-145271 Hotfix-145271
Schneider Electric	N/A	Schneider Electric EcoStruxure Power Operation (EPO) with Advanced Reports toutes versions sans le correctif de sécurité Hotfix-145271 Hotfix-145271
Schneider Electric	N/A	Schneider Electric EcoStruxure Power Monitoring Expert (PME) toutes versions sans le correctif de sécurité Hotfix-145271 Hotfix-145271
Schneider Electric	N/A	Schneider Electric SpaceLogic C-Bus Toolkit versions antérieures à 1.16.4

References

Title

Publication Time

Tags

Bulletin de sécurité Schneider SEVD-2023-283-02 du 10 octobre 2023	None	vendor-advisory
Bulletin de sécurité Schneider SEVD-2023-283-01 du 10 octobre 2023	None	vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Schneider Electric EcoStruxure Power SCADA Operation with Advanced Reports toutes versions sans le correctif de s\u00e9curit\u00e9 Hotfix-145271 Hotfix-145271",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Schneider Electric",
          "scada": true
        }
      }
    },
    {
      "description": "Schneider Electric EcoStruxure Power Operation (EPO) with Advanced Reports toutes versions sans le correctif de s\u00e9curit\u00e9 Hotfix-145271 Hotfix-145271",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Schneider Electric",
          "scada": true
        }
      }
    },
    {
      "description": "Schneider Electric EcoStruxure Power Monitoring Expert (PME) toutes versions sans le correctif de s\u00e9curit\u00e9 Hotfix-145271 Hotfix-145271",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Schneider Electric",
          "scada": true
        }
      }
    },
    {
      "description": "Schneider Electric SpaceLogic C-Bus Toolkit versions ant\u00e9rieures \u00e0 1.16.4",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Schneider Electric",
          "scada": true
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2023-5399",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-5399"
    },
    {
      "name": "CVE-2023-5391",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-5391"
    },
    {
      "name": "CVE-2023-5402",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-5402"
    }
  ],
  "links": [],
  "reference": "CERTFR-2023-AVI-0818",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2023-10-11T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans \u003cspan\nclass=\"textit\"\u003eles produits Schneider\u003c/span\u003e. Elles permettent \u00e0 un\nattaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Schneider",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Schneider SEVD-2023-283-02 du 10 octobre 2023",
      "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2023-283-02\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2023-283-02.pdf"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Schneider SEVD-2023-283-01 du 10 octobre 2023",
      "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2023-283-01\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2023-283-01.pdf"
    }
  ]
}

CERTFR-2023-AVI-0818

Vulnerability from certfr_avis - Published: - Updated:

De multiples vulnérabilités ont été découvertes dans les produits Schneider. Elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
Schneider Electric	N/A	Schneider Electric EcoStruxure Power SCADA Operation with Advanced Reports toutes versions sans le correctif de sécurité Hotfix-145271 Hotfix-145271
Schneider Electric	N/A	Schneider Electric EcoStruxure Power Operation (EPO) with Advanced Reports toutes versions sans le correctif de sécurité Hotfix-145271 Hotfix-145271
Schneider Electric	N/A	Schneider Electric EcoStruxure Power Monitoring Expert (PME) toutes versions sans le correctif de sécurité Hotfix-145271 Hotfix-145271
Schneider Electric	N/A	Schneider Electric SpaceLogic C-Bus Toolkit versions antérieures à 1.16.4

References

Title

Publication Time

Tags

Bulletin de sécurité Schneider SEVD-2023-283-02 du 10 octobre 2023	None	vendor-advisory
Bulletin de sécurité Schneider SEVD-2023-283-01 du 10 octobre 2023	None	vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Schneider Electric EcoStruxure Power SCADA Operation with Advanced Reports toutes versions sans le correctif de s\u00e9curit\u00e9 Hotfix-145271 Hotfix-145271",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Schneider Electric",
          "scada": true
        }
      }
    },
    {
      "description": "Schneider Electric EcoStruxure Power Operation (EPO) with Advanced Reports toutes versions sans le correctif de s\u00e9curit\u00e9 Hotfix-145271 Hotfix-145271",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Schneider Electric",
          "scada": true
        }
      }
    },
    {
      "description": "Schneider Electric EcoStruxure Power Monitoring Expert (PME) toutes versions sans le correctif de s\u00e9curit\u00e9 Hotfix-145271 Hotfix-145271",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Schneider Electric",
          "scada": true
        }
      }
    },
    {
      "description": "Schneider Electric SpaceLogic C-Bus Toolkit versions ant\u00e9rieures \u00e0 1.16.4",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Schneider Electric",
          "scada": true
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2023-5399",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-5399"
    },
    {
      "name": "CVE-2023-5391",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-5391"
    },
    {
      "name": "CVE-2023-5402",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-5402"
    }
  ],
  "links": [],
  "reference": "CERTFR-2023-AVI-0818",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2023-10-11T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans \u003cspan\nclass=\"textit\"\u003eles produits Schneider\u003c/span\u003e. Elles permettent \u00e0 un\nattaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Schneider",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Schneider SEVD-2023-283-02 du 10 octobre 2023",
      "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2023-283-02\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2023-283-02.pdf"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Schneider SEVD-2023-283-01 du 10 octobre 2023",
      "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2023-283-01\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2023-283-01.pdf"
    }
  ]
}

ICSA-23-290-01

Vulnerability from csaf_cisa - Published: 2023-10-17 06:00 - Updated: 2023-10-17 06:00

Summary

Schneider Electric EcoStruxure Power Monitoring Expert and Power Operation Products

Notes

Legal Notice

All information products included in https://us-cert.cisa.gov/ics are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.

Risk evaluation

Successful exploitation of this vulnerability could allow an attacker to achieve remote code execution.

Critical infrastructure sectors

Multiple

Countries/areas deployed

Worldwide

Company headquarters location

France

Recommended Practices

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

Recommended Practices

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Recommended Practices

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Recommended Practices

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Recommended Practices

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

Recommended Practices

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

JSON

To clipboard

{
  "document": {
    "acknowledgments": [
      {
        "names": [
          "Sina Kheirkhah (@SinSinology)"
        ],
        "organization": "Summoning Team (@SummoningTeam)",
        "summary": "reporting this vulnerability to Schneider Electric"
      },
      {
        "organization": "Trend Micro Zero Day Initiative",
        "summary": "reporting this vulnerability to Schneider Electric"
      }
    ],
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Disclosure is not limited",
      "tlp": {
        "label": "WHITE",
        "url": "https://us-cert.cisa.gov/tlp/"
      }
    },
    "lang": "en-US",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "All information products included in https://us-cert.cisa.gov/ics are provided \"as is\" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.",
        "title": "Legal Notice"
      },
      {
        "category": "summary",
        "text": "Successful exploitation of this vulnerability could allow an attacker to achieve remote code execution.",
        "title": "Risk evaluation"
      },
      {
        "category": "other",
        "text": "Multiple",
        "title": "Critical infrastructure sectors"
      },
      {
        "category": "other",
        "text": "Worldwide",
        "title": "Countries/areas deployed"
      },
      {
        "category": "other",
        "text": "France",
        "title": "Company headquarters location"
      },
      {
        "category": "general",
        "text": "CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.",
        "title": "Recommended Practices"
      }
    ],
    "publisher": {
      "category": "coordinator",
      "contact_details": "central@cisa.dhs.gov",
      "name": "CISA",
      "namespace": "https://www.cisa.gov/"
    },
    "references": [
      {
        "category": "self",
        "summary": "ICS Advisory ICSA-23-290-01 JSON",
        "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/OT/white/2023/icsa-23-290-01.json"
      },
      {
        "category": "self",
        "summary": "ICSA Advisory ICSA-23-290-01 - Web Version",
        "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-290-01"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/resources-tools/resources/ics-recommended-practices"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/sites/default/files/publications/Cybersecurity_Best_Practices_for_Industrial_Control_Systems.pdf"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/topics/industrial-control-systems"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/uscert/ics/alerts/ICS-ALERT-10-301-01"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/uscert/ics/tips/ICS-TIP-12-146-01B"
      }
    ],
    "title": "Schneider Electric EcoStruxure Power Monitoring Expert and Power Operation Products",
    "tracking": {
      "current_release_date": "2023-10-17T06:00:00.000000Z",
      "generator": {
        "engine": {
          "name": "CISA CSAF Generator",
          "version": "1.0.0"
        }
      },
      "id": "ICSA-23-290-01",
      "initial_release_date": "2023-10-17T06:00:00.000000Z",
      "revision_history": [
        {
          "date": "2023-10-17T06:00:00.000000Z",
          "legacy_version": "Initial",
          "number": "1",
          "summary": "Initial Publication"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003cHotfix-145271",
                "product": {
                  "name": "EcoStruxure Power Monitoring Expert: \u003cHotfix-145271",
                  "product_id": "CSAFPID-0001"
                }
              }
            ],
            "category": "product_name",
            "name": "EcoStruxure Power Monitoring Expert"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003cHotfix-145271",
                "product": {
                  "name": "EcoStruxure Power Operation with Advanced Reports: \u003cHotfix-145271",
                  "product_id": "CSAFPID-0002"
                }
              }
            ],
            "category": "product_name",
            "name": "EcoStruxure Power Operation with Advanced Reports"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003cHotfix-145271",
                "product": {
                  "name": "EcoStruxure Power SCADA Operation with Advanced Reports: \u003cHotfix-145271",
                  "product_id": "CSAFPID-0003"
                }
              }
            ],
            "category": "product_name",
            "name": "EcoStruxure Power SCADA Operation with Advanced Reports"
          }
        ],
        "category": "vendor",
        "name": "Schneider Electric "
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2023-5391",
      "cwe": {
        "id": "CWE-502",
        "name": "Deserialization of Untrusted Data"
      },
      "notes": [
        {
          "category": "summary",
          "text": "A deserialization of untrusted data vulnerability exists that could allow an attacker to execute arbitrary code on the targeted system by sending a specifically crafted packet to the application.",
          "title": "Vulnerability Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001",
          "CSAFPID-0002",
          "CSAFPID-0003"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "web.nvd.nist.gov",
          "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-5391"
        },
        {
          "category": "external",
          "summary": "www.first.org",
          "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
        }
      ],
      "remediations": [
        {
          "category": "mitigation",
          "details": "Schneider Electric has released the following mitigations/fixes for the following products:",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003"
          ]
        },
        {
          "category": "mitigation",
          "details": "Schneider Electric also recommends the following cybersecurity best practices:",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003"
          ]
        },
        {
          "category": "mitigation",
          "details": "Locate control and safety system networks and remote devices behind firewalls and isolate them from the business network.",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003"
          ]
        },
        {
          "category": "mitigation",
          "details": "Install physical controls so no unauthorized personnel can access your industrial control and safety systems, components, peripheral equipment, and networks.",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003"
          ]
        },
        {
          "category": "mitigation",
          "details": "Place all controllers in locked cabinets and never leave them in the \"Program\" mode.",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003"
          ]
        },
        {
          "category": "mitigation",
          "details": "Never connect programming software to any network other than the network intended for that device.",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003"
          ]
        },
        {
          "category": "mitigation",
          "details": "Scan all methods of mobile data exchange with the isolated network such as CDs, USB drives, etc. before use in the terminals or any node connected to these networks.",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003"
          ]
        },
        {
          "category": "mitigation",
          "details": "Never allow mobile devices that have connected to any other network besides the intended network to connect to the safety or control networks without proper sanitation.",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003"
          ]
        },
        {
          "category": "mitigation",
          "details": "Minimize network exposure for all control system devices and systems and ensure that they are not accessible from the Internet.",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003"
          ]
        },
        {
          "category": "mitigation",
          "details": "When remote access is required, use secure methods, such as virtual private networks (VPNs). Recognize that VPNs may have vulnerabilities and should be updated to the most current version available. Also, understand that VPNs are only as secure as the connected devices.",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003"
          ]
        },
        {
          "category": "mitigation",
          "details": "For more information refer to the Schneider Electric Recommended Cybersecurity Best Practices document.",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003"
          ],
          "url": "https://www.se.com/us/en/download/document/7EN52-0390/"
        },
        {
          "category": "mitigation",
          "details": "For further information, see Schnieder Electric\u0027s Security Advisory.",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003"
          ],
          "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2023-283-02\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2023-283-02.pdf"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "products": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003"
          ]
        }
      ]
    }
  ]
}

GSD-2023-5391

Vulnerability from gsd - Updated: 2023-12-13 01:20

Details

Aliases

CVE-2023-5391

Aliases

CVE-2023-5391

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2023-5391",
    "id": "GSD-2023-5391"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2023-5391"
      ],
      "details": "\n\n\nA CWE-502: Deserialization of untrusted data vulnerability exists that could allow an attacker to\nexecute arbitrary code on the targeted system by sending a specifically crafted packet to the\napplication.\n\n\n\n\n",
      "id": "GSD-2023-5391",
      "modified": "2023-12-13T01:20:50.651407Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cybersecurity@schneider-electric.com",
        "ID": "CVE-2023-5391",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "EcoStruxure Power Monitoring Expert",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "All versions \u2013 prior to application of Hotfix-145271"
                        }
                      ]
                    }
                  },
                  {
                    "product_name": "EcoStruxure Power Operation (EPO) with Advanced Reports",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "All versions \u2013 prior to application of Hotfix-145271"
                        }
                      ]
                    }
                  },
                  {
                    "product_name": "EcoStruxure Power SCADA Operation with Advanced Reports",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "All versions \u2013 prior to application of Hotfix-145271"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Schneider Electric"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "\n\n\nA CWE-502: Deserialization of untrusted data vulnerability exists that could allow an attacker to\nexecute arbitrary code on the targeted system by sending a specifically crafted packet to the\napplication.\n\n\n\n\n"
          }
        ]
      },
      "generator": {
        "engine": "Vulnogram 0.1.0-dev"
      },
      "impact": {
        "cvss": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-502",
                "lang": "eng",
                "value": "CWE-502 Deserialization of Untrusted Data"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2023-283-02\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2023-283-02.pdf",
            "refsource": "MISC",
            "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2023-283-02\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2023-283-02.pdf"
          }
        ]
      },
      "source": {
        "discovery": "UNKNOWN"
      }
    },
    "nvd.nist.gov": {
      "cve": {
        "configurations": [
          {
            "nodes": [
              {
                "cpeMatch": [
                  {
                    "criteria": "cpe:2.3:a:schneider-electric:ecostruxure_power_monitoring_expert:*:*:*:*:*:*:*:*",
                    "matchCriteriaId": "B682ECD9-985F-4906-B936-DD388165063A",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:schneider-electric:ecostruxure_power_operation_with_advanced_reports:*:*:*:*:*:*:*:*",
                    "matchCriteriaId": "8A9E16D1-278E-4E0B-A604-13096B7A9029",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:schneider-electric:ecostruxure_power_scada_operation_with_advanced_reports:*:*:*:*:*:*:*:*",
                    "matchCriteriaId": "DC4A71CF-78EA-43F9-B7BA-9ED3C7816173",
                    "vulnerable": true
                  }
                ],
                "negate": false,
                "operator": "OR"
              }
            ]
          }
        ],
        "descriptions": [
          {
            "lang": "en",
            "value": "\n\n\nA CWE-502: Deserialization of untrusted data vulnerability exists that could allow an attacker to\nexecute arbitrary code on the targeted system by sending a specifically crafted packet to the\napplication.\n\n\n\n\n"
          },
          {
            "lang": "es",
            "value": "CWE-502: Existe una vulnerabilidad deserializaci\u00f3n de datos no confiables que podr\u00eda permitir a un atacante ejecutar c\u00f3digo arbitrario en el sistema objetivo enviando un paquete espec\u00edficamente manipulado a la aplicaci\u00f3n."
          }
        ],
        "id": "CVE-2023-5391",
        "lastModified": "2024-02-01T00:49:46.897",
        "metrics": {
          "cvssMetricV31": [
            {
              "cvssData": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "exploitabilityScore": 3.9,
              "impactScore": 5.9,
              "source": "nvd@nist.gov",
              "type": "Primary"
            },
            {
              "cvssData": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "exploitabilityScore": 3.9,
              "impactScore": 5.9,
              "source": "cybersecurity@se.com",
              "type": "Secondary"
            }
          ]
        },
        "published": "2023-10-04T19:15:10.777",
        "references": [
          {
            "source": "cybersecurity@se.com",
            "tags": [
              "Vendor Advisory"
            ],
            "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2023-283-02\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2023-283-02.pdf"
          }
        ],
        "sourceIdentifier": "cybersecurity@se.com",
        "vulnStatus": "Analyzed",
        "weaknesses": [
          {
            "description": [
              {
                "lang": "en",
                "value": "CWE-502"
              }
            ],
            "source": "cybersecurity@se.com",
            "type": "Primary"
          }
        ]
      }
    }
  }
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2023-5391 (GCVE-0-2023-5391)

GHSA-W228-FRCG-5X99

FKIE_CVE-2023-5391

CERTFR-2023-AVI-0818

Solution

CERTFR-2023-AVI-0818

Solution

ICSA-23-290-01

GSD-2023-5391

Tags

Sightings

Nomenclature