Lucene search

IcscertCVELIST:CVE-2023-28395

HistoryMar 28, 2023 - 7:59 p.m.

CVE-2023-28395 CVE-2023-28395

2023-03-2819:59:29

icscert

www.cve.org

osprey pump controller

weak session token

authentication bypass

authorization bypass

predictable session id

unauthorized access

CVSS3

8.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L

AI Score

8.6

Confidence

High

EPSS

0.001

Percentile

30.8%

JSON

Osprey Pump Controller version 1.01 is vulnerable to a weak session token generation algorithm that can be predicted and can aid in authentication and authorization bypass. This may allow an attacker to hijack a session by predicting the session id and gain unauthorized access to the product.

CNA Affected

[
  {
    "vendor": "ProPump and Controls, Inc.",
    "product": "Osprey Pump Controller",
    "versions": [
      {
        "status": "affected",
        "version": "1.01"
      }
    ]
  }
]

References

www.cisa.gov/news-events/ics-advisories/icsa-23-082-06

CVSS3

8.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L

AI Score

8.6

Confidence

High

EPSS

0.001

Percentile

30.8%

JSON

Related for CVELIST:CVE-2023-28395