Lucene search

[email protected]NVD:CVE-2023-22600

HistoryJan 12, 2023 - 11:15 p.m.

CVE-2023-22600

2023-01-1223:15:10

CWE-284

[email protected]

web.nvd.nist.gov

inrouter 302

inrouter 615

improper access control

mqtt topics

unauthorized users

configuration commands

reboot commands

firmware updates.

8.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

9.7 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

52.1%

JSON

InHand Networks InRouter 302, prior to version IR302 V3.5.56, and InRouter 615, prior to version InRouter6XX-S-V2.3.0.r5542, contain vulnerability CWE-284: Improper Access Control. They allow unauthenticated devices to subscribe to MQTT topics on the same network as the device manager. An unauthorized user who knows of an existing topic name could send and receive messages to and from that topic. This includes the ability to send GET/SET configuration commands, reboot commands, and push firmware updates.

Affected configurations

NVD

Node

inhandnetworksinrouter302_firmwareRange<3.5.56

AND

inhandnetworksinrouter302Match-

Node

inhandnetworksinrouter615-s_firmwareRange<2.3.0.r5542

AND

inhandnetworksinrouter615-sMatch-

References

www.cisa.gov/uscert/ics/advisories/icsa-23-012-03

8.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

9.7 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

52.1%

JSON

Related for NVD:CVE-2023-22600

cvelist1 cve1 prion1 ics1 thn2