CVE-2023-2621

The McFeeder server (distributed as part of SSW package), is susceptible to an arbitrary file write vulnerability on the MAIN computer system. This vulnerability stems from the use of an outdated version of a third-party library, which is used to extract archives uploaded to McFeeder server. An authenticated malicious client can exploit this vulnerability by uploading a crafted ZIP archive via the network to McFeeder’s service endpoint.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://publisher.hitachienergy.com/preview?DocumentId=8DBD000177&languageCode=en&Preview=true	Vendor Advisory
https://publisher.hitachienergy.com/preview?DocumentId=8DBD000177&languageCode=en&Preview=true	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:hitachienergy:modular_advanced_control_for_hvdc:*:*:*:*:*:*:*:*

History

21 Nov 2024, 07:58

Type	Values Removed	Values Added
References	~~() https://publisher.hitachienergy.com/preview?DocumentId=8DBD000177&languageCode=en&Preview=true - Vendor Advisory~~	() https://publisher.hitachienergy.com/preview?DocumentId=8DBD000177&languageCode=en&Preview=true - Vendor Advisory

08 Nov 2023, 20:24

Type	Values Removed	Values Added
References	~~(MISC) https://publisher.hitachienergy.com/preview?DocumentId=8DBD000177&languageCode=en&Preview=true -~~	(MISC) https://publisher.hitachienergy.com/preview?DocumentId=8DBD000177&languageCode=en&Preview=true - Vendor Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 6.5
CWE		CWE-22
CPE		cpe:2.3:a:hitachienergy:modular_advanced_control_for_hvdc::::::::
First Time		Hitachienergy Hitachienergy modular Advanced Control For Hvdc

01 Nov 2023, 03:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-11-01 03:15

Updated : 2024-11-21 07:58

NVD link : CVE-2023-2621

Mitre link : CVE-2023-2621

CVE.ORG link : CVE-2023-2621

JSON object : View

Products Affected

hitachienergy

modular_advanced_control_for_hvdc

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

{"id": "CVE-2023-2621", "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "cybersecurity@hitachienergy.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2023-11-01T03:15:07.790", "references": [{"url": "https://publisher.hitachienergy.com/preview?DocumentId=8DBD000177&languageCode=en&Preview=true", "tags": ["Vendor Advisory"], "source": "cybersecurity@hitachienergy.com"}, {"url": "https://publisher.hitachienergy.com/preview?DocumentId=8DBD000177&languageCode=en&Preview=true", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "cybersecurity@hitachienergy.com", "description": [{"lang": "en", "value": "CWE-22"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-22"}]}], "descriptions": [{"lang": "en", "value": "\nThe McFeeder server (distributed as part of SSW package), is susceptible to an arbitrary file write vulnerability on the MAIN computer\nsystem. This vulnerability stems from the use of an outdated version of a third-party library, which is used to extract archives uploaded to McFeeder server. An authenticated malicious client can\nexploit this vulnerability by uploading a crafted ZIP archive via the\nnetwork to McFeeder\u2019s service endpoint.\n\n"}, {"lang": "es", "value": "El servidor McFeeder (distribuido como parte del paquete SSW) es susceptible a una vulnerabilidad de escritura de archivos arbitraria en el sistema inform\u00e1tico PRINCIPAL. Esta vulnerabilidad se debe al uso de una versi\u00f3n desactualizada de una librer\u00eda de terceros, que se utiliza para extraer archivos cargados en el servidor McFeeder. Un cliente malicioso autenticado puede aprovechar esta vulnerabilidad cargando un archivo ZIP manipulado a trav\u00e9s de la red en el endpoint del servicio de McFeeder."}], "lastModified": "2024-11-21T07:58:56.940", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:hitachienergy:modular_advanced_control_for_hvdc:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5DC6F37B-1068-4138-9327-6CD510934849", "versionEndExcluding": "7.17.0.0", "versionStartIncluding": "5.0"}], "operator": "OR"}]}], "sourceIdentifier": "cybersecurity@hitachienergy.com"}