Lucene search

SchneiderCVE-2023-6032

HistoryNov 15, 2023 - 4:15 a.m.

CVE-2023-6032

2023-11-1504:15:19

CWE-22

schneider

web.nvd.nist.gov

cve-2023-6032

cwe-22

path traversal

file system enumeration

file download

https

nvd

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

AI Score

5.3

Confidence

High

EPSS

0.001

Percentile

17.6%

JSON

A CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
vulnerability exists that could cause a file system enumeration and file download when an
attacker navigates to the Network Management Card via HTTPS.

Affected configurations

Nvd

Node

schneider-electricgalaxy_vl_firmwareMatch12.21

AND

schneider-electricgalaxy_vlMatch-

Node

schneider-electricgalaxy_vs_firmwareMatch6.82

AND

schneider-electricgalaxy_vsMatch-

VendorProductVersionCPE
schneider-electricgalaxy_vl_firmware12.21cpe:2.3:o:schneider-electric:galaxy_vl_firmware:12.21:*:*:*:*:*:*:*
schneider-electricgalaxy_vl-cpe:2.3:h:schneider-electric:galaxy_vl:-:*:*:*:*:*:*:*
schneider-electricgalaxy_vs_firmware6.82cpe:2.3:o:schneider-electric:galaxy_vs_firmware:6.82:*:*:*:*:*:*:*
schneider-electricgalaxy_vs-cpe:2.3:h:schneider-electric:galaxy_vs:-:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
schneider-electric	galaxy_vl_firmware	12.21	cpe:2.3:o:schneider-electric:galaxy_vl_firmware:12.21:::::::*
schneider-electric	galaxy_vl	-	cpe:2.3:h:schneider-electric:galaxy_vl:-:::::::*
schneider-electric	galaxy_vs_firmware	6.82	cpe:2.3:o:schneider-electric:galaxy_vs_firmware:6.82:::::::*
schneider-electric	galaxy_vs	-	cpe:2.3:h:schneider-electric:galaxy_vs:-:::::::*

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Galaxy VS",
    "vendor": "Schneider Electric",
    "versions": [
      {
        "status": "affected",
        "version": "v6.82"
      }
    ]
  },
  {
    "defaultStatus": "unaffected",
    "product": "Galaxy VL",
    "vendor": "Schneider Electric",
    "versions": [
      {
        "status": "affected",
        "version": "v12.21"
      }
    ]
  }
]

References

download.schneider-electric.com/files?p_Doc_Ref=SEVD-2023-318-03&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2023-318-03.pdf

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

AI Score

5.3

Confidence

High

EPSS

0.001

Percentile

17.6%

JSON

Related for CVE-2023-6032