CVE-2023-2621

The McFeeder server (distributed as part of SSW package), is susceptible to an arbitrary file write vulnerability on the MAIN computer system. This vulnerability stems from the use of an outdated version of a third-party library, which is used to extract archives uploaded to McFeeder server. An authenticated malicious client can exploit this vulnerability by uploading a crafted ZIP archive via the network to McFeeder’s service endpoint.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://publisher.hitachienergy.com/preview?DocumentId=8DBD000177&languageCode=en&Preview=true	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:hitachienergy:modular_advanced_control_for_hvdc:*:*:*:*:*:*:*:*

History

08 Nov 2023, 20:24

Type	Values Removed	Values Added
First Time		Hitachienergy Hitachienergy modular Advanced Control For Hvdc
CPE		cpe:2.3:a:hitachienergy:modular_advanced_control_for_hvdc::::::::
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 6.5
CWE		CWE-22
References	~~(MISC) https://publisher.hitachienergy.com/preview?DocumentId=8DBD000177&languageCode=en&Preview=true -~~	(MISC) https://publisher.hitachienergy.com/preview?DocumentId=8DBD000177&languageCode=en&Preview=true - Vendor Advisory

01 Nov 2023, 03:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-11-01 03:15

Updated : 2023-12-10 15:14

NVD link : CVE-2023-2621

Mitre link : CVE-2023-2621

CVE.ORG link : CVE-2023-2621

JSON object : View

Products Affected

hitachienergy

modular_advanced_control_for_hvdc

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

{"id": "CVE-2023-2621", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "cybersecurity@hitachienergy.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2023-11-01T03:15:07.790", "references": [{"url": "https://publisher.hitachienergy.com/preview?DocumentId=8DBD000177&languageCode=en&Preview=true", "tags": ["Vendor Advisory"], "source": "cybersecurity@hitachienergy.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-22"}]}, {"type": "Secondary", "source": "cybersecurity@hitachienergy.com", "description": [{"lang": "en", "value": "CWE-22"}]}], "descriptions": [{"lang": "en", "value": "\nThe McFeeder server (distributed as part of SSW package), is susceptible to an arbitrary file write vulnerability on the MAIN computer\nsystem. This vulnerability stems from the use of an outdated version of a third-party library, which is used to extract archives uploaded to McFeeder server. An authenticated malicious client can\nexploit this vulnerability by uploading a crafted ZIP archive via the\nnetwork to McFeeder\u2019s service endpoint.\n\n"}, {"lang": "es", "value": "El servidor McFeeder (distribuido como parte del paquete SSW) es susceptible a una vulnerabilidad de escritura de archivos arbitraria en el sistema inform\u00e1tico PRINCIPAL. Esta vulnerabilidad se debe al uso de una versi\u00f3n desactualizada de una librer\u00eda de terceros, que se utiliza para extraer archivos cargados en el servidor McFeeder. Un cliente malicioso autenticado puede aprovechar esta vulnerabilidad cargando un archivo ZIP manipulado a trav\u00e9s de la red en el endpoint del servicio de McFeeder."}], "lastModified": "2023-11-08T20:24:04.207", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:hitachienergy:modular_advanced_control_for_hvdc:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5DC6F37B-1068-4138-9327-6CD510934849", "versionEndExcluding": "7.17.0.0", "versionStartIncluding": "5.0"}], "operator": "OR"}]}], "sourceIdentifier": "cybersecurity@hitachienergy.com"}