VDE-2023-043

Vulnerability from csaf_helmholzgmbhcokg - Published: 2023-10-16 08:38 - Updated: 2023-10-16 08:38
Summary
Helmholz: Vulnerability allows access to non-critical information in myREX24 and myREX24.virtual
Notes
Remediation: Update to latest Version 2.14.3
Impact: An authenticated, low-privileged attacker can gain read access to limited, non-critical device information in their account that they should not have access to.
Summary: A vulnerability in the affected products allows an authenticated, low-privileged attacker to gain unauthorized read access to limited, non-critical device information. The issue arises from improper access validation.

In Red Lion Europe mbCONNECT24 and mymbCONNECT24 and Helmholz myREX24 and myREX24.virtual up to and including 2.14.2, an improperly implemented access validation allows an authenticated, low-privileged attacker to gain read access to limited, non-critical device information in their account that they should not have access to.

CWE-269 - Improper Privilege Management
Vendor Fix: Update to the latest version, 2.14.3
Acknowledgments
CERT@VDE certvde.com
OTORIO
Red Lion Europe

{
  "document": {
    "acknowledgments": [
      {
        "organization": "CERT@VDE",
        "summary": "coordination",
        "urls": [
          "https://certvde.com"
        ]
      },
      {
        "organization": "OTORIO",
        "summary": "reporting"
      },
      {
        "organization": "Red Lion Europe",
        "summary": "reporting"
      }
    ],
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en-GB",
    "notes": [
      {
        "category": "description",
        "text": "Update to latest Version 2.14.3",
        "title": "Remediation"
      },
      {
        "category": "description",
        "text": "An authenticated, low privileged attacker can gain read access to limited, non-critical device information in his account he should not have access to.",
        "title": "Impact"
      },
      {
        "category": "summary",
        "text": "A vulnerability in the affected products allows an authenticated, low-privileged attacker to gain unauthorized read access to limited, non-critical device information. The issue arises from improper access validation.",
        "title": "Summary"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "psirt@helmholz.de",
      "name": "Helmholz GmbH \u0026 Co. KG",
      "namespace": "https://www.helmholz.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "VDE-2023-043: Helmholz: Vulnerability allows access to non-critical information in myREX24 and myREX24.virtual - HTML",
        "url": "https://certvde.com/en/advisories/VDE-2023-043/"
      },
      {
        "category": "self",
        "summary": "VDE-2023-043: Helmholz: Vulnerability allows access to non-critical information in myREX24 and myREX24.virtual - CSAF",
        "url": "https://helmholz.csaf-tp.certvde.com/.well-known/csaf/white/2023/vde-2023-043.json"
      },
      {
        "category": "external",
        "summary": "Vendor PSIRT",
        "url": "https://www.helmholz.de"
      },
      {
        "category": "external",
        "summary": "CERT@VDE Security Advisories for Helmholz GmbH \u0026 Co. KG",
        "url": "https://certvde.com/en/advisories/vendor/helmholz/"
      }
    ],
    "title": "Helmholz: Vulnerability allows access to non-critical information in myREX24 and myREX24.virtual",
    "tracking": {
      "aliases": [
        "VDE-2023-043"
      ],
      "current_release_date": "2023-10-16T08:38:00.000Z",
      "generator": {
        "date": "2025-06-25T05:44:35.297Z",
        "engine": {
          "name": "Secvisogram",
          "version": "2.5.28"
        }
      },
      "id": "VDE-2023-043",
      "initial_release_date": "2023-10-16T08:38:00.000Z",
      "revision_history": [
        {
          "date": "2023-10-16T08:38:00.000Z",
          "number": "1.0.0",
          "summary": "Initial revision."
        }
      ],
      "status": "final",
      "version": "1.0.0"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "branches": [
                  {
                    "category": "product_version_range",
                    "name": "\u003c=2.14.2",
                    "product": {
                      "name": "myREX24 \u003c=2.14.2",
                      "product_id": "CSAFPID-51001"
                    }
                  },
                  {
                    "category": "product_version",
                    "name": "2.14.3",
                    "product": {
                      "name": "myREX24 2.14.3",
                      "product_id": "CSAFPID-52001"
                    }
                  }
                ],
                "category": "product_name",
                "name": "myREX24"
              },
              {
                "branches": [
                  {
                    "category": "product_version_range",
                    "name": "\u003c=2.14.2",
                    "product": {
                      "name": "myREX24.virtual \u003c=2.14.2",
                      "product_id": "CSAFPID-51002"
                    }
                  },
                  {
                    "category": "product_version",
                    "name": "2.14.3",
                    "product": {
                      "name": "myREX24.virtual 2.14.3",
                      "product_id": "CSAFPID-52002"
                    }
                  }
                ],
                "category": "product_name",
                "name": "myREX24.virtual"
              }
            ],
            "category": "product_family",
            "name": "Software"
          }
        ],
        "category": "vendor",
        "name": "Helmholz"
      }
    ],
    "product_groups": [
      {
        "group_id": "CSAFGID-0001",
        "product_ids": [
          "CSAFPID-51001",
          "CSAFPID-51002"
        ],
        "summary": "Affected products."
      },
      {
        "group_id": "CSAFGID-0002",
        "product_ids": [
          "CSAFPID-52001",
          "CSAFPID-52002"
        ],
        "summary": "Fixed products."
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2023-4834",
      "cwe": {
        "id": "CWE-269",
        "name": "Improper Privilege Management"
      },
      "notes": [
        {
          "category": "description",
          "text": "In Red Lion Europe mbCONNECT24 and mymbCONNECT24 and Helmholz myREX24 and myREX24.virtual up to and including 2.14.2 an improperly implemented access validation allows an authenticated, low privileged attacker to gain read access to limited, non-critical device information in his account he should not have access to.",
          "title": "Vulnerability Description"
        }
      ],
      "product_status": {
        "fixed": [
          "CSAFPID-52001",
          "CSAFPID-52002"
        ],
        "known_affected": [
          "CSAFPID-51001",
          "CSAFPID-51002"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to latest Version 2.14.3",
          "group_ids": [
            "CSAFGID-0001"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "environmentalScore": 4.3,
            "environmentalSeverity": "MEDIUM",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "temporalScore": 4.3,
            "temporalSeverity": "MEDIUM",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-51001",
            "CSAFPID-51002"
          ]
        }
      ],
      "title": "CVE-2023-4834"
    }
  ]
}






