CVE-2023-0755

The affected products are vulnerable to an improper validation of array index, which could allow an attacker to crash the server and remotely execute arbitrary code.

CVSS v3.0 9.8 CRITICAL

9.8^/10

CVSS v3.0 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://www.cisa.gov/uscert/ics/advisories/icsa-23-054-01	Third Party Advisory US Government Resource

Advertisement

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:ptc:thingworx_industrial_connectivity:-:::::::*
	cpe:2.3:a:rockwellautomation:kepserver_enterprise::::::::
	cpe:2.3:a:ptc:thingworx_kepware_edge::::::::
	cpe:2.3:a:ptc:thingworx_.net-sdk::::::::
	cpe:2.3:a:ptc:thingworx_edge_c-sdk::::::::
	cpe:2.3:a:ptc:thingworx_edge_microserver::::::::
	cpe:2.3:a:ptc:kepware_serverex::::::::
	cpe:2.3:a:ge:digital_industrial_gateway_server::::::::
	cpe:2.3:a:ptc:kepware_server::::::::

Information

Published : 2023-02-23 14:15

Updated : 2023-03-03 09:39

NVD link : CVE-2023-0755

Mitre link : CVE-2023-0755

JSON object : View

CWE

CWE-129

Improper Validation of Array Index

Advertisement

Products Affected

ptc

kepware_server
thingworx_edge_c-sdk
thingworx_edge_microserver
thingworx_industrial_connectivity
kepware_serverex
thingworx_kepware_edge
thingworx_.net-sdk

ge

digital_industrial_gateway_server

rockwellautomation

kepserver_enterprise

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-23-054-01", "name": "https://www.cisa.gov/uscert/ics/advisories/icsa-23-054-01", "tags": ["Third Party Advisory", "US Government Resource"], "refsource": "MISC"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "The affected products are vulnerable to an improper validation of array index, which could allow an attacker to crash the server and remotely execute arbitrary code."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-129"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2023-0755", "ASSIGNER": "ics-cert@hq.dhs.gov"}}, "impact": {"baseMetricV3": {"cvssV3": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}}, "publishedDate": "2023-02-23T22:15Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:ptc:thingworx_industrial_connectivity:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:rockwellautomation:kepserver_enterprise:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndIncluding": "6.12"}, {"cpe23Uri": "cpe:2.3:a:ptc:thingworx_kepware_edge:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndIncluding": "1.5"}, {"cpe23Uri": "cpe:2.3:a:ptc:thingworx_.net-sdk:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndIncluding": "5.8.4.971"}, {"cpe23Uri": "cpe:2.3:a:ptc:thingworx_edge_c-sdk:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndIncluding": "2.2.12.1052"}, {"cpe23Uri": "cpe:2.3:a:ptc:thingworx_edge_microserver:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndIncluding": "5.4.10.0"}, {"cpe23Uri": "cpe:2.3:a:ptc:kepware_serverex:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndIncluding": "6.12"}, {"cpe23Uri": "cpe:2.3:a:ge:digital_industrial_gateway_server:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndIncluding": "7.612"}, {"cpe23Uri": "cpe:2.3:a:ptc:kepware_server:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndIncluding": "6.12"}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2023-03-03T17:39Z"}