github - ghsa-v7vw-fpcc-2x25

ghsa-v7vw-fpcc-2x25

Vulnerability from github

Published

2023-09-06 00:30

Modified

2024-04-04 07:29

Severity ?

7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

GE CIMPLICITY 2023 is by a process control vulnerability, which could allow a local attacker to insert malicious configuration files in the expected web server execution path to escalate privileges and gain full control of the HMI software.

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2023-4487"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-114"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-09-05T23:15:08Z",
    "severity": "HIGH"
  },
  "details": "\nGE CIMPLICITY 2023 is by a process control vulnerability, which could allow a local attacker to insert malicious configuration files in the expected web server execution path to escalate privileges and gain full control of the HMI software.\n\n",
  "id": "GHSA-v7vw-fpcc-2x25",
  "modified": "2024-04-04T07:29:50Z",
  "published": "2023-09-06T00:30:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4487"
    },
    {
      "type": "WEB",
      "url": "https://digitalsupport.ge.com/s/article/GE-Digital-CIMPLICITY-Privilege-Escalation-Vulnerability"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-243-02"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

cve-2023-4487

Vulnerability from cvelistv5

Published

2023-09-05 22:55

Modified

2024-08-02 07:31

Severity ?

7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

GE Digital CIMPLICITY Process Control

References

▼	URL	Tags
	https://www.cisa.gov/news-events/ics-advisories/icsa-23-243-02
	https://digitalsupport.ge.com/s/article/GE-Digital-CIMPLICITY-Privilege-Escalation-Vulnerability

Impacted products

▼	Vendor	Product
	GE Digital	CIMPLICITY

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T07:31:05.481Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-243-02"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://digitalsupport.ge.com/s/article/GE-Digital-CIMPLICITY-Privilege-Escalation-Vulnerability"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "CIMPLICITY",
          "vendor": "GE Digital",
          "versions": [
            {
              "status": "affected",
              "version": "2023"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "\u200bMichael Heinzl reported this vulnerability to CISA."
        }
      ],
      "datePublic": "2023-08-31T17:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eGE CIMPLICITY 2023 is by a process control vulnerability, which could allow a local attacker to insert malicious configuration files in the expected web server execution path to escalate privileges and gain full control of the HMI software.\u003c/span\u003e\n\n"
            }
          ],
          "value": "\nGE CIMPLICITY 2023 is by a process control vulnerability, which could allow a local attacker to insert malicious configuration files in the expected web server execution path to escalate privileges and gain full control of the HMI software.\n\n"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-114",
              "description": "CWE-114 Process Control",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-09-05T22:55:45.047Z",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-243-02"
        },
        {
          "url": "https://digitalsupport.ge.com/s/article/GE-Digital-CIMPLICITY-Privilege-Escalation-Vulnerability"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\n\n\u003cp\u003e\u200bGE Digital recommends users apply the following mitigations:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cp\u003e\u200bUpdate CIMPLICITY to \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://digitalsupport.ge.com/s/article/CIMPLICITY-2023-SIM-1?language=en_US\"\u003ev2023 SIM 1\u003c/a\u003e\u0026nbsp;(login is required)\u003c/p\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u200bPlease refer to \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://digitalsupport.ge.com/s/article/GE-Digital-CIMPLICITY-Privilege-Escalation-Vulnerability\"\u003eGE Digital\u2019s security bulletin\u003c/a\u003e\u0026nbsp;(login is required) for more information.\u003c/p\u003e"
            }
          ],
          "value": "\n\u200bGE Digital recommends users apply the following mitigations:\n\n  *  \u200bUpdate CIMPLICITY to  v2023 SIM 1 https://digitalsupport.ge.com/s/article/CIMPLICITY-2023-SIM-1 \u00a0(login is required)\n\n\n\n\n\u200bPlease refer to  GE Digital\u2019s security bulletin https://digitalsupport.ge.com/s/article/GE-Digital-CIMPLICITY-Privilege-Escalation-Vulnerability \u00a0(login is required) for more information.\n\n"
        }
      ],
      "source": {
        "advisory": "\u200b\u200bICSA-23-243-02",
        "discovery": "EXTERNAL"
      },
      "title": "GE Digital CIMPLICITY Process Control",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2023-4487",
    "datePublished": "2023-09-05T22:55:45.047Z",
    "dateReserved": "2023-08-22T20:32:42.621Z",
    "dateUpdated": "2024-08-02T07:31:05.481Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted