CVE-2023-39167 - Vulnerability Details - OpenCVE

ReportizFlow

In SENEC Storage Box V1,V2 and V3 an unauthenticated remote attacker can obtain the devices' logfiles that contain sensitive data.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Enbw	Senec Storage Box Senec Storage Box Firmware

Configuration 1 [-]

AND

cpe:2.3:o:enbw:senec_storage_box_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:enbw:senec_storage_box:v1:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:enbw:senec_storage_box_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:enbw:senec_storage_box:v2:*:*:*:*:*:*:*

Configuration 3 [-]

AND

cpe:2.3:o:enbw:senec_storage_box_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:enbw:senec_storage_box:v3:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://seclists.org/fulldisclosure/2023/Nov/5

History

No history.

MITRE

Status: PUBLISHED

Assigner: CERTVDE

Published: 2023-12-07T14:05:01.746Z

Updated: 2024-08-02T18:02:06.516Z

Reserved: 2023-07-25T14:06:01.343Z

Link: CVE-2023-39167

Vulnrichment

No data.

NVD

Status : Modified

Published: 2023-12-07T14:15:07.467

Modified: 2024-11-21T08:14:50.490

Link: CVE-2023-39167

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-39167", "assignerOrgId": "270ccfa6-a436-4e77-922e-914ec3a9685c", "state": "PUBLISHED", "assignerShortName": "CERTVDE", "dateReserved": "2023-07-25T14:06:01.343Z", "datePublished": "2023-12-07T14:05:01.746Z", "dateUpdated": "2024-08-02T18:02:06.516Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Storage Box V1", "vendor": "SENEC", "versions": [{"status": "affected", "version": "all (until 19.06.2023)"}]}, {"defaultStatus": "unaffected", "product": "Storage Box V2", "vendor": "SENEC", "versions": [{"status": "affected", "version": "all (until 19.06.2023)"}]}, {"defaultStatus": "unaffected", "product": "Storage Box V3", "vendor": "SENEC", "versions": [{"status": "affected", "version": "all (until 19.06.2023)"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Ph0s[4]"}, {"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "R0ckE7"}], "datePublic": "2023-12-07T14:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "In SENEC Storage Box V1,V2 and V3 an unauthenticated remote attacker can obtain the devices' logfiles that contain sensitive data."}], "value": "In\u00a0SENEC Storage Box V1,V2 and V3 an unauthenticated remote attacker can obtain the devices' logfiles that contain sensitive data."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "CWE-862 Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "270ccfa6-a436-4e77-922e-914ec3a9685c", "shortName": "CERTVDE", "dateUpdated": "2023-12-14T14:35:53.018Z"}, "references": [{"url": "https://seclists.org/fulldisclosure/2023/Nov/5"}], "source": {"defect": ["CERT@VDE#64567"], "discovery": "EXTERNAL"}, "title": "SENEC: Storage Box V1,V2 and V3 affected by improper access control vulnerability", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T18:02:06.516Z"}, "title": "CVE Program Container", "references": [{"url": "https://seclists.org/fulldisclosure/2023/Nov/5", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:enbw:senec_storage_box_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "8C6796ED-84F3-47E8-BD21-5CEBC1DD62E0", "versionEndIncluding": "2023-06-19", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:enbw:senec_storage_box:v1:*:*:*:*:*:*:*", "matchCriteriaId": "1A73E447-D78F-420B-B256-1F157A6DA364", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:enbw:senec_storage_box_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "8C6796ED-84F3-47E8-BD21-5CEBC1DD62E0", "versionEndIncluding": "2023-06-19", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:enbw:senec_storage_box:v2:*:*:*:*:*:*:*", "matchCriteriaId": "300B219B-45CA-44C0-AC39-D94057FA8860", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:enbw:senec_storage_box_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "8C6796ED-84F3-47E8-BD21-5CEBC1DD62E0", "versionEndIncluding": "2023-06-19", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:enbw:senec_storage_box:v3:*:*:*:*:*:*:*", "matchCriteriaId": "449C542C-CAE3-42A9-BF45-EE6E828A4EBE", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "In\u00a0SENEC Storage Box V1,V2 and V3 an unauthenticated remote attacker can obtain the devices' logfiles that contain sensitive data."}, {"lang": "es", "value": "En SENEC Storage Box V1, V2 y V3, un atacante remoto no autenticado puede obtener los archivos de registro de los dispositivos que contienen datos confidenciales."}], "id": "CVE-2023-39167", "lastModified": "2024-11-21T08:14:50.490", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "[email protected]", "type": "Secondary"}]}, "published": "2023-12-07T14:15:07.467", "references": [{"source": "[email protected]", "tags": ["Exploit", "Mailing List", "Third Party Advisory"], "url": "https://seclists.org/fulldisclosure/2023/Nov/5"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Mailing List", "Third Party Advisory"], "url": "https://seclists.org/fulldisclosure/2023/Nov/5"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "[email protected]", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-862"}], "source": "[email protected]", "type": "Secondary"}]}