CVE-2023-32171

Unified Automation UaGateway OPC UA Server Null Pointer Dereference Denial-of-Service Vulnerability. This vulnerability allows remote attackers to create a denial-of-service condition on affected installations of Unified Automation UaGateway. Authentication is required to exploit this vulnerability. The specific flaw exists within the ImportCsv method. A crafted XML payload can cause a null pointer dereference. An attacker can leverage this vulnerability to create a denial-of-service condition on the system. Was ZDI-CAN-20495.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector : AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://documentation.unified-automation.com/uagateway/1.5.14/CHANGELOG.txt
https://www.zerodayinitiative.com/advisories/ZDI-23-776/

Configurations

No configuration.

History

No history.

Information

Published : 2024-05-03 02:15

Updated : 2024-05-03 12:50

NVD link : CVE-2023-32171

Mitre link : CVE-2023-32171

CVE.ORG link : CVE-2023-32171

JSON object : View

Products Affected

No product.

CWE

CWE-476

NULL Pointer Dereference

{"id": "CVE-2023-32171", "cveTags": [], "metrics": {"cvssMetricV30": [{"type": "Secondary", "source": "zdi-disclosures@trendmicro.com", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2024-05-03T02:15:22.593", "references": [{"url": "https://documentation.unified-automation.com/uagateway/1.5.14/CHANGELOG.txt", "source": "zdi-disclosures@trendmicro.com"}, {"url": "https://www.zerodayinitiative.com/advisories/ZDI-23-776/", "source": "zdi-disclosures@trendmicro.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "zdi-disclosures@trendmicro.com", "description": [{"lang": "en", "value": "CWE-476"}]}], "descriptions": [{"lang": "en", "value": "Unified Automation UaGateway OPC UA Server Null Pointer Dereference Denial-of-Service Vulnerability. This vulnerability allows remote attackers to create a denial-of-service condition on affected installations of Unified Automation UaGateway. Authentication is required to exploit this vulnerability.\n\nThe specific flaw exists within the ImportCsv method. A crafted XML payload can cause a null pointer dereference. An attacker can leverage this vulnerability to create a denial-of-service condition on the system. Was ZDI-CAN-20495."}, {"lang": "es", "value": "Vulnerabilidad de denegaci\u00f3n de servicio de desreferencia de puntero nulo del servidor UaGateway OPC UA de Unified Automation. Esta vulnerabilidad permite a atacantes remotos crear una condici\u00f3n de denegaci\u00f3n de servicio en las instalaciones afectadas de Unified Automation UaGateway. Se requiere autenticaci\u00f3n para aprovechar esta vulnerabilidad. La falla espec\u00edfica existe dentro del m\u00e9todo ImportCsv. un payload XML manipulada puede provocar una desreferencia del puntero nulo. Un atacante puede aprovechar esta vulnerabilidad para crear una condici\u00f3n de denegaci\u00f3n de servicio en el sistema. Era ZDI-CAN-20495."}], "lastModified": "2024-05-03T12:50:34.250", "sourceIdentifier": "zdi-disclosures@trendmicro.com"}