Details of VAR-202304-1279

ID

VAR-202304-1279

CVE

CVE-2023-27976

TITLE

Schneider Electric of EcoStruxure Control Expert Vulnerability in leaking resources to the wrong area in

Trust: 0.8

sources: JVNDB: JVNDB-2023-008915

DESCRIPTION

A CWE-668: Exposure of Resource to Wrong Sphere vulnerability exists that could cause remote code execution when a valid user visits a malicious link provided through the web endpoints. Affected Products: EcoStruxure Control Expert (V15.1 and above). Schneider Electric of EcoStruxure Control Expert Exists in a vulnerability related to the leakage of resources to the wrong area.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. Schneider Electric EcoStruxure Control Expert is a set of programming software for Schneider Electric logic controller products produced by Schneider Electric in France. This vulnerability is caused by resources exposed in the wrong domain. Attackers can use this vulnerability to execute code remotely

Trust: 2.25

sources: NVD: CVE-2023-27976 // JVNDB: JVNDB-2023-008915 // CNVD: CNVD-2023-40176 // VULMON: CVE-2023-27976

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2023-40176

AFFECTED PRODUCTS

vendor:	schneider electric	model:	ecostruxure control expert	scope:	gte	version:	15.1	Trust: 1.0
vendor:	schneider electric	model:	ecostruxure control expert	scope:	eq	version:	15.1 that's all	Trust: 0.8
vendor:	schneider electric	model:	ecostruxure control expert	scope:	eq	version:	-	Trust: 0.8
vendor:	schneider electric	model:	ecostruxure control expert	scope:	-	version:	-	Trust: 0.8
vendor:	schneider	model:	electric ecostruxure control expert	scope:	lte	version:	<=15.1	Trust: 0.6

sources: CNVD: CNVD-2023-40176 // JVNDB: JVNDB-2023-008915 // NVD: CVE-2023-27976

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2023-27976
value:	HIGH
Trust: 1.0
cybersecurity@se.com:	CVE-2023-27976
value:	HIGH
Trust: 1.0
NVD:	CVE-2023-27976
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2023-40176
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-202304-1422
value:	HIGH
Trust: 0.6

CNVD:	CNVD-2023-40176
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2023-27976
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.1
Trust: 2.0
NVD:	CVE-2023-27976
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2023-40176 // JVNDB: JVNDB-2023-008915 // CNNVD: CNNVD-202304-1422 // NVD: CVE-2023-27976 // NVD: CVE-2023-27976

PROBLEMTYPE DATA

problemtype:	CWE-668	Trust: 1.0
problemtype:	Leakage of resources to the wrong area (CWE-668) [ others ]	Trust: 0.8

sources: JVNDB: JVNDB-2023-008915 // NVD: CVE-2023-27976

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202304-1422

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202304-1422

PATCH

title:	Patch for Schneider Electric EcoStruxure Control Expert Code Execution Vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/428651	Trust: 0.6
title:	Schneider Electric EcoStruxure Control Expert Security vulnerabilities	url:	http://123.124.177.30/web/xxk/bdxqById.tag?id=235096	Trust: 0.6

sources: CNVD: CNVD-2023-40176 // CNNVD: CNNVD-202304-1422

EXTERNAL IDS

db:	NVD	id:	CVE-2023-27976	Trust: 3.9
db:	SCHNEIDER	id:	SEVD-2023-101-03	Trust: 2.5
db:	JVNDB	id:	JVNDB-2023-008915	Trust: 0.8
db:	CNVD	id:	CNVD-2023-40176	Trust: 0.6
db:	CNNVD	id:	CNNVD-202304-1422	Trust: 0.6
db:	VULMON	id:	CVE-2023-27976	Trust: 0.1

sources: CNVD: CNVD-2023-40176 // VULMON: CVE-2023-27976 // JVNDB: JVNDB-2023-008915 // CNNVD: CNNVD-202304-1422 // NVD: CVE-2023-27976

REFERENCES

url:	https://download.schneider-electric.com/files?p_doc_ref=sevd-2023-101-03&p_endoctype=security+and+safety+notice&p_file_name=sevd-2023-101-03.pdf	Trust: 2.4
url:	https://nvd.nist.gov/vuln/detail/cve-2023-27976	Trust: 1.4
url:	https://cxsecurity.com/cveshow/cve-2023-27976/	Trust: 0.6
url:	https://cwe.mitre.org/data/definitions/668.html	Trust: 0.1
url:	https://https://download.schneider-electric.com/files?p_doc_ref=sevd-2023-101-03&p_endoctype=security+and+safety+notice&p_file_name=sevd-2023-101-03.pdf	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: CNVD: CNVD-2023-40176 // VULMON: CVE-2023-27976 // JVNDB: JVNDB-2023-008915 // CNNVD: CNNVD-202304-1422 // NVD: CVE-2023-27976

SOURCES

db:	CNVD	id:	CNVD-2023-40176
db:	VULMON	id:	CVE-2023-27976
db:	JVNDB	id:	JVNDB-2023-008915
db:	CNNVD	id:	CNNVD-202304-1422
db:	NVD	id:	CVE-2023-27976

LAST UPDATE DATE

2024-08-14T14:10:09.414000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2023-40176	date:	2023-05-23T00:00:00
db:	VULMON	id:	CVE-2023-27976	date:	2023-04-18T00:00:00
db:	JVNDB	id:	JVNDB-2023-008915	date:	2023-12-04T04:46:00
db:	CNNVD	id:	CNNVD-202304-1422	date:	2023-04-27T00:00:00
db:	NVD	id:	CVE-2023-27976	date:	2023-05-12T05:15:17.957

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2023-40176	date:	2023-05-18T00:00:00
db:	VULMON	id:	CVE-2023-27976	date:	2023-04-18T00:00:00
db:	JVNDB	id:	JVNDB-2023-008915	date:	2023-12-04T00:00:00
db:	CNNVD	id:	CNNVD-202304-1422	date:	2023-04-18T00:00:00
db:	NVD	id:	CVE-2023-27976	date:	2023-04-18T17:15:07.287