CVE-2023-3663

2023-08-0311:15:10

CWE-345

[email protected]

web.nvd.nist.gov

cve-2023-3663

codesys

integrity check

remote attacker

http

notification server

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

8.6 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

49.7%

JSON

In CODESYS Development System versions from 3.5.11.20 and before 3.5.19.20 a missing integrity check might allow an unauthenticated remote attacker to manipulate the content of notifications received via HTTP by the CODESYS notification server.

Affected configurations

NVD

Node

codesysdevelopment_systemRange3.5.11.20–3.5.19.20

CPENameOperatorVersion
codesys:development_systemcodesys development systemlt3.5.19.20

CPE	Name	Operator	Version
codesys:development_system	codesys development system	lt	3.5.19.20

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "CODESYS Development System",
    "vendor": "CODESYS",
    "versions": [
      {
        "lessThan": "3.5.19.20",
        "status": "affected",
        "version": "3.5.11.20",
        "versionType": "semver"
      }
    ]
  }
]