CVE-2023-46723

lte-pic32-writer is a writer for PIC32 devices. In versions 0.0.1 and prior, those who use `sendto.txt` are vulnerable to attackers who known the IMEI reading the sendto.txt. The sendto.txt file can contain the SNS(such as slack and zulip) URL and API key. As of time of publication, a patch is not yet available. As workarounds, avoid using `sendto.txt` or use `.htaccess` to block access to `sendto.txt`.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/paijp/lte-pic32-writer/security/advisories/GHSA-9qgg-ph2v-v4mh	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:pajip:lte-pic32-writer:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2023-10-31 16:15

Updated : 2023-11-08 17:54

NVD link : CVE-2023-46723

Mitre link : CVE-2023-46723

CVE.ORG link : CVE-2023-46723

JSON object : View

Products Affected

pajip

lte-pic32-writer

CWE

NVD-CWE-noinfo CWE-538

Insertion of Sensitive Information into Externally-Accessible File or Directory

{"id": "CVE-2023-46723", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.9, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 2.2}]}, "published": "2023-10-31T16:15:10.233", "references": [{"url": "https://github.com/paijp/lte-pic32-writer/security/advisories/GHSA-9qgg-ph2v-v4mh", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}, {"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-538"}]}], "descriptions": [{"lang": "en", "value": "lte-pic32-writer is a writer for PIC32 devices. In versions 0.0.1 and prior, those who use `sendto.txt` are vulnerable to attackers who known the IMEI reading the sendto.txt. The sendto.txt file can contain the SNS(such as slack and zulip) URL and API key. As of time of publication, a patch is not yet available. As workarounds, avoid using `sendto.txt` or use `.htaccess` to block access to `sendto.txt`."}, {"lang": "es", "value": "lte-pic32-writer es un escritor para dispositivos PIC32. En las versiones 0.0.1 y anteriores, quienes usan `sendto.txt` son vulnerables a los atacantes que conocen el IMEI al leer el sendto.txt. El archivo sendto.txt puede contener la URL SNS (como slack y zulip) y la clave API. Al momento de la publicaci\u00f3n, a\u00fan no hay ning\u00fan parche disponible. Como workarounds, evite usar `sendto.txt` o use `.htaccess` para bloquear el acceso a `sendto.txt`."}], "lastModified": "2023-11-08T17:54:38.240", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:pajip:lte-pic32-writer:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1F94643F-9864-43BF-90F7-395B0920146C", "versionEndExcluding": "0.0.3"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}