CVE-2023-29446

An improper input validation vulnerability has been discovered that could allow an adversary to inject a UNC path via a malicious project file. This allows an adversary to capture NLTMv2 hashes and potentially crack them offline.
Configurations

Configuration 1 (hide)

cpe:2.3:a:ptc:kepware_kepserverex:*:*:*:*:*:*:*:*

Configuration 2 (hide)

cpe:2.3:a:ptc:thingworx_kepware_server:*:*:*:*:*:*:*:*

Configuration 3 (hide)

cpe:2.3:a:ptc:thingworx_industrial_connectivity:*:*:*:*:*:*:*:*

History

21 Nov 2024, 07:57

Type Values Removed Values Added
References () https://www.cisa.gov/news-events/ics-advisories/icsa-23-243-03 - Third Party Advisory, US Government Resource () https://www.cisa.gov/news-events/ics-advisories/icsa-23-243-03 - Third Party Advisory, US Government Resource
References () https://www.dragos.com/advisory/ptcs-kepserverex-vulnerabilities/ - Third Party Advisory () https://www.dragos.com/advisory/ptcs-kepserverex-vulnerabilities/ - Third Party Advisory
References () https://www.ptc.com/en/support/article/cs399528 - Vendor Advisory () https://www.ptc.com/en/support/article/cs399528 - Vendor Advisory

08 Oct 2024, 16:15

Type Values Removed Values Added
Summary (en) An improper input validation vulnerability has been discovered that could allow an adversary to inject a UNC path via a malicious project file. This allows an adversary to capture NLTMv2 hashes and potentially crack them offline.  (en) An improper input validation vulnerability has been discovered that could allow an adversary to inject a UNC path via a malicious project file. This allows an adversary to capture NLTMv2 hashes and potentially crack them offline.
CWE CWE-40

19 Jan 2024, 19:50

Type Values Removed Values Added
CPE cpe:2.3:a:ptc:thingworx_kepware_server:*:*:*:*:*:*:*:*
cpe:2.3:a:ptc:kepware_kepserverex:*:*:*:*:*:*:*:*
cpe:2.3:a:ptc:thingworx_industrial_connectivity:*:*:*:*:*:*:*:*
First Time Ptc thingworx Industrial Connectivity
Ptc kepware Kepserverex
Ptc
Ptc thingworx Kepware Server
References () https://www.cisa.gov/news-events/ics-advisories/icsa-23-243-03 - () https://www.cisa.gov/news-events/ics-advisories/icsa-23-243-03 - Third Party Advisory, US Government Resource
References () https://www.dragos.com/advisory/ptcs-kepserverex-vulnerabilities/ - () https://www.dragos.com/advisory/ptcs-kepserverex-vulnerabilities/ - Third Party Advisory
References () https://www.ptc.com/en/support/article/cs399528 - () https://www.ptc.com/en/support/article/cs399528 - Vendor Advisory

11 Jan 2024, 13:57

Type Values Removed Values Added
Summary
  • (es) Se ha descubierto una vulnerabilidad de validación de entrada incorrecta que podría permitir a un adversario inyectar una ruta UNC a través de un archivo de proyecto malicioso. Esto permite a un adversario capturar hashes NLTMv2 y potencialmente descifrarlos offline.

10 Jan 2024, 21:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-01-10 21:15

Updated : 2024-11-21 07:57


NVD link : CVE-2023-29446

Mitre link : CVE-2023-29446

CVE.ORG link : CVE-2023-29446


JSON object : View

Products Affected

ptc

  • thingworx_industrial_connectivity
  • kepware_kepserverex
  • thingworx_kepware_server
CWE
CWE-40

Path Traversal: '\\UNC\share\name\' (Windows UNC Share)

CWE-20

Improper Input Validation