CVE-2023-28395

2023-03-2820:15:15

CWE-338

[email protected]

web.nvd.nist.gov

vulnerability

osprey pump controller

session hijacking

unauthorized access

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

AI Score

8.4

Confidence

High

EPSS

0.001

Percentile

30.8%

JSON

Osprey Pump Controller version 1.01 is vulnerable to a weak session token generation algorithm that can be predicted and can aid in authentication and authorization bypass. This may allow an attacker to hijack a session by predicting the session id and gain unauthorized access to the product.

Affected configurations

Nvd

Node

propumpserviceosprey_pump_controller_firmwareMatch1.01

AND

propumpserviceosprey_pump_controllerMatch-

VendorProductVersionCPE
propumpserviceosprey_pump_controller_firmware1.01cpe:2.3:o:propumpservice:osprey_pump_controller_firmware:1.01:*:*:*:*:*:*:*
propumpserviceosprey_pump_controller-cpe:2.3:h:propumpservice:osprey_pump_controller:-:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
propumpservice	osprey_pump_controller_firmware	1.01	cpe:2.3:o:propumpservice:osprey_pump_controller_firmware:1.01:::::::*
propumpservice	osprey_pump_controller	-	cpe:2.3:h:propumpservice:osprey_pump_controller:-:::::::*