Lucene search

[email protected]CVE-2023-22601

HistoryJan 12, 2023 - 11:15 p.m.

CVE-2023-22601

2023-01-1223:15:10

CWE-330

[email protected]

web.nvd.nist.gov

inhand networks

inrouter 302

inrouter 615

vulnerability

cwe-330

insufficiently random values

mqtt

unauthorized user

nvd

10 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H

8.4 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

56.1%

JSON

InHand Networks InRouter 302, prior to version IR302 V3.5.56, and InRouter 615, prior to version InRouter6XX-S-V2.3.0.r5542, contain vulnerability CWE-330: Use of Insufficiently Random Values. They do not properly randomize MQTT ClientID parameters. An unauthorized user could calculate this parameter and use it to gather additional information about other InHand devices managed on the same cloud platform.

Affected configurations

NVD

Node

inhandnetworksinrouter302_firmwareRange<3.5.56

AND

inhandnetworksinrouter302Match-

Node

inhandnetworksinrouter615-s_firmwareRange<2.3.0.r5542

AND

inhandnetworksinrouter615-sMatch-

CPENameOperatorVersion
inhandnetworks:inrouter302_firmwareinhandnetworks inrouter302 firmwarelt3.5.56

CPE	Name	Operator	Version
inhandnetworks:inrouter302_firmware	inhandnetworks inrouter302 firmware	lt	3.5.56

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "InRouter 302",
    "vendor": "InHand Networks",
    "versions": [
      {
        "lessThan": "IR302 V3.5.56",
        "status": "affected",
        "version": "0",
        "versionType": "custom"
      }
    ]
  },
  {
    "defaultStatus": "unaffected",
    "product": "InRouter 615",
    "vendor": "InHand Networks",
    "versions": [
      {
        "lessThan": "InRouter6XX-S-V2.3.0.r5542",
        "status": "affected",
        "version": "0",
        "versionType": "custom"
      }
    ]
  }
]