CVE-2023-29446

An improper input validation vulnerability has been discovered that could allow an adversary to inject a UNC path via a malicious project file. This allows an adversary to capture NLTMv2 hashes and potentially crack them offline.
Configurations

Configuration 1 (hide)

cpe:2.3:a:ptc:kepware_kepserverex:*:*:*:*:*:*:*:*

Configuration 2 (hide)

cpe:2.3:a:ptc:thingworx_kepware_server:*:*:*:*:*:*:*:*

Configuration 3 (hide)

cpe:2.3:a:ptc:thingworx_industrial_connectivity:*:*:*:*:*:*:*:*

History

08 Oct 2024, 16:15

Type Values Removed Values Added
CWE CWE-40
Summary (en) An improper input validation vulnerability has been discovered that could allow an adversary to inject a UNC path via a malicious project file. This allows an adversary to capture NLTMv2 hashes and potentially crack them offline.  (en) An improper input validation vulnerability has been discovered that could allow an adversary to inject a UNC path via a malicious project file. This allows an adversary to capture NLTMv2 hashes and potentially crack them offline.

19 Jan 2024, 19:50

Type Values Removed Values Added
CWE CWE-20
First Time Ptc kepware Kepserverex
Ptc thingworx Kepware Server
Ptc thingworx Industrial Connectivity
Ptc
CPE cpe:2.3:a:ptc:kepware_kepserverex:*:*:*:*:*:*:*:*
cpe:2.3:a:ptc:thingworx_kepware_server:*:*:*:*:*:*:*:*
cpe:2.3:a:ptc:thingworx_industrial_connectivity:*:*:*:*:*:*:*:*
References () https://www.ptc.com/en/support/article/cs399528 - () https://www.ptc.com/en/support/article/cs399528 - Vendor Advisory
References () https://www.cisa.gov/news-events/ics-advisories/icsa-23-243-03 - () https://www.cisa.gov/news-events/ics-advisories/icsa-23-243-03 - Third Party Advisory, US Government Resource
References () https://www.dragos.com/advisory/ptcs-kepserverex-vulnerabilities/ - () https://www.dragos.com/advisory/ptcs-kepserverex-vulnerabilities/ - Third Party Advisory
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 4.7

10 Jan 2024, 21:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-01-10 21:15

Updated : 2024-10-08 16:15


NVD link : CVE-2023-29446

Mitre link : CVE-2023-29446

CVE.ORG link : CVE-2023-29446


JSON object : View

Products Affected

ptc

  • thingworx_kepware_server
  • thingworx_industrial_connectivity
  • kepware_kepserverex
CWE
CWE-20

Improper Input Validation

CWE-40

Path Traversal: '\\UNC\share\name\' (Windows UNC Share)