CVE-2023-6269

An argument injection vulnerability has been identified in the administrative web interface of the Atos Unify OpenScape products "Session Border Controller" (SBC) and "Branch", before version V10 R3.4.0, and OpenScape "BCF" before versions V10R10.12.00 and V10R11.05.02. This allows an unauthenticated attacker to gain root access to the appliance via SSH (scope change) and also bypass authentication for the administrative interface and gain access as an arbitrary (administrative) user.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:atos:unify_openscape_bcf:*:*:*:*:*:*:*:*
cpe:2.3:a:atos:unify_openscape_branch:*:*:*:*:*:*:*:*
cpe:2.3:a:atos:unify_openscape_session_border_controller:*:*:*:*:*:*:*:*

History

13 Dec 2023, 17:15

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 9.8
CWE CWE-88
First Time Atos unify Openscape Session Border Controller
Atos unify Openscape Bcf
Atos unify Openscape Branch
Atos
References
  • () http://seclists.org/fulldisclosure/2023/Dec/16 -
  • () http://packetstormsecurity.com/files/176194/Atos-Unify-OpenScape-Authentication-Bypass-Remote-Code-Execution.html -
References () https://networks.unify.com/security/advisories/OBSO-2310-01.pdf - () https://networks.unify.com/security/advisories/OBSO-2310-01.pdf - Vendor Advisory
References () https://r.sec-consult.com/unifyroot - () https://r.sec-consult.com/unifyroot - Exploit, Third Party Advisory
CPE cpe:2.3:a:atos:unify_openscape_bcf:*:*:*:*:*:*:*:*
cpe:2.3:a:atos:unify_openscape_branch:*:*:*:*:*:*:*:*
cpe:2.3:a:atos:unify_openscape_session_border_controller:*:*:*:*:*:*:*:*

05 Dec 2023, 08:15

Type Values Removed Values Added
New CVE

Information

Published : 2023-12-05 08:15

Updated : 2024-02-28 20:54


NVD link : CVE-2023-6269

Mitre link : CVE-2023-6269

CVE.ORG link : CVE-2023-6269


JSON object : View

Products Affected

atos

  • unify_openscape_session_border_controller
  • unify_openscape_bcf
  • unify_openscape_branch
CWE
CWE-88

Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')