CVE-2023-3379

Wago web-based management of multiple products has a vulnerability which allows an local authenticated attacker to change the passwords of other non-admin users and thus to escalate non-root privileges.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 3.4

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://cert.vde.com/en/advisories/VDE-2023-015/	Third Party Advisory
https://cert.vde.com/en/advisories/VDE-2023-015/	Third Party Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:wago:compact_controller_100_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:wago:compact_controller_100:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND

cpe:2.3:o:wago:edge_controller_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:wago:edge_controller:-:*:*:*:*:*:*:*

Configuration 3 (hide)

AND

OR	cpe:2.3:o:wago:pfc100_firmware::::::::
	cpe:2.3:o:wago:pfc100_firmware:22:-::::::
	cpe:2.3:o:wago:pfc100_firmware:22:patch_1::::::

cpe:2.3:h:wago:pfc100:-:*:*:*:*:*:*:*

Configuration 4 (hide)

AND

OR	cpe:2.3:o:wago:pfc200_firmware::::::::
	cpe:2.3:o:wago:pfc200_firmware:22:-::::::
	cpe:2.3:o:wago:pfc200_firmware:22:patch_1::::::
	cpe:2.3:o:wago:pfc200_firmware:23:::::::*
	cpe:2.3:o:wago:pfc200_firmware:24:::::::*

cpe:2.3:h:wago:pfc200:-:*:*:*:*:*:*:*

Configuration 5 (hide)

AND

cpe:2.3:o:wago:touch_panel_600_advanced_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:wago:touch_panel_600_advanced:-:*:*:*:*:*:*:*

Configuration 6 (hide)

AND

cpe:2.3:o:wago:touch_panel_600_marine_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:wago:touch_panel_600_marine:-:*:*:*:*:*:*:*

Configuration 7 (hide)

AND

cpe:2.3:o:wago:touch_panel_600_standard_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:wago:touch_panel_600_standard:-:*:*:*:*:*:*:*

History

21 Nov 2024, 08:17

Type	Values Removed	Values Added
References	~~() https://cert.vde.com/en/advisories/VDE-2023-015/ - Third Party Advisory~~	() https://cert.vde.com/en/advisories/VDE-2023-015/ - Third Party Advisory

02 Oct 2024, 06:15

Type	Values Removed	Values Added
CWE	~~CWE-269~~	CWE-863

30 Nov 2023, 15:16

Type	Values Removed	Values Added
References	~~() https://cert.vde.com/en/advisories/VDE-2023-015/ -~~	() https://cert.vde.com/en/advisories/VDE-2023-015/ - Third Party Advisory
CPE		cpe:2.3:h:wago:edge_controller:-:::::::* cpe:2.3:o:wago:pfc200_firmware:23:::::::* cpe:2.3:h:wago:pfc100:-:::::::* cpe:2.3:o:wago:pfc200_firmware:22:patch_1:::::: cpe:2.3:o:wago:pfc100_firmware:22:-:::::: cpe:2.3:o:wago:compact_controller_100_firmware:::::::: cpe:2.3:o:wago:edge_controller_firmware:::::::: cpe:2.3:o:wago:touch_panel_600_advanced_firmware:::::::: cpe:2.3:h:wago:touch_panel_600_marine:-:::::::* cpe:2.3:o:wago:touch_panel_600_marine_firmware:::::::: cpe:2.3:o:wago:pfc100_firmware:22:patch_1:::::: cpe:2.3:h:wago:compact_controller_100:-:::::::* cpe:2.3:o:wago:pfc200_firmware:22:-:::::: cpe:2.3:o:wago:touch_panel_600_standard_firmware:::::::: cpe:2.3:h:wago:pfc200:-:::::::* cpe:2.3:h:wago:touch_panel_600_standard:-:::::::* cpe:2.3:o:wago:pfc100_firmware:::::::: cpe:2.3:o:wago:pfc200_firmware:::::::: cpe:2.3:h:wago:touch_panel_600_advanced:-:::::::* cpe:2.3:o:wago:pfc200_firmware:24:::::::*
First Time		Wago touch Panel 600 Standard Firmware Wago pfc200 Wago touch Panel 600 Advanced Wago pfc100 Firmware Wago touch Panel 600 Marine Firmware Wago compact Controller 100 Wago compact Controller 100 Firmware Wago pfc200 Firmware Wago touch Panel 600 Advanced Firmware Wago Wago touch Panel 600 Marine Wago pfc100 Wago edge Controller Firmware Wago edge Controller Wago touch Panel 600 Standard
CWE		NVD-CWE-noinfo

20 Nov 2023, 08:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-11-20 08:15

Updated : 2024-11-21 08:17

NVD link : CVE-2023-3379

Mitre link : CVE-2023-3379

CVE.ORG link : CVE-2023-3379

JSON object : View

Products Affected

wago

compact_controller_100_firmware
compact_controller_100
pfc200
touch_panel_600_standard_firmware
pfc200_firmware
touch_panel_600_marine_firmware
edge_controller_firmware
pfc100_firmware
touch_panel_600_marine
touch_panel_600_advanced_firmware
edge_controller
touch_panel_600_advanced
touch_panel_600_standard
pfc100

CWE

CWE-863

Incorrect Authorization

NVD-CWE-noinfo

{"id": "CVE-2023-3379", "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "info@cert.vde.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 3.4, "exploitabilityScore": 1.8}]}, "published": "2023-11-20T08:15:44.280", "references": [{"url": "https://cert.vde.com/en/advisories/VDE-2023-015/", "tags": ["Third Party Advisory"], "source": "info@cert.vde.com"}, {"url": "https://cert.vde.com/en/advisories/VDE-2023-015/", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "info@cert.vde.com", "description": [{"lang": "en", "value": "CWE-863"}]}, {"type": "Secondary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "Wago web-based management of multiple products has a vulnerability which allows an local authenticated attacker to change the passwords of other non-admin users and thus to escalate non-root privileges."}, {"lang": "es", "value": "La administraci\u00f3n de m\u00faltiples productos basada en web de Wago tiene una vulnerabilidad que permite a un atacante autenticado local cambiar las contrase\u00f1as de otros usuarios que no sean administradores y as\u00ed escalar privilegios no root."}], "lastModified": "2024-11-21T08:17:08.337", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:wago:compact_controller_100_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B6F27D52-0A31-4CE5-823B-7DA6DCF291AD", "versionEndIncluding": "25"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:wago:compact_controller_100:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "532907AF-7E4A-4065-A799-753FC3313D6C"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:wago:edge_controller_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "67EF75C3-893E-408D-B3C6-464F3C7AC27D", "versionEndIncluding": "25"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:wago:edge_controller:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "2DFC57C8-6AF4-4771-B0A0-744137FBFECF"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:wago:pfc100_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "252F9DAE-5C46-48B3-A74A-8331DE3B5189", "versionEndExcluding": "22"}, {"criteria": "cpe:2.3:o:wago:pfc100_firmware:22:-:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4815DFF8-0CAE-4C85-9F5B-F64C12F43AB0"}, {"criteria": "cpe:2.3:o:wago:pfc100_firmware:22:patch_1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8F71E8B5-7774-45BB-8B7D-7C38A4B90EA0"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:wago:pfc100:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "8F636354-95A2-4B36-9666-1FA57F185432"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:wago:pfc200_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C741BCDD-8485-4DDC-9D51-143F1EE4824E", "versionEndExcluding": "22"}, {"criteria": "cpe:2.3:o:wago:pfc200_firmware:22:-:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B876DC19-0523-41DB-8BD7-1ECC09FCFA01"}, {"criteria": "cpe:2.3:o:wago:pfc200_firmware:22:patch_1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CA491C96-F0CF-4960-8F91-831E80622D5D"}, {"criteria": "cpe:2.3:o:wago:pfc200_firmware:23:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BE108CD0-B451-4ED5-83A1-CCEAACC1B40C"}, {"criteria": "cpe:2.3:o:wago:pfc200_firmware:24:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C4E45E9B-3F87-4758-8BCE-BCF79AD225DA"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:wago:pfc200:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "688A3248-7EAA-499D-A47C-A4D4900CDBD1"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:wago:touch_panel_600_advanced_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "AD598E88-4682-43AD-AD12-2763B931416C", "versionEndIncluding": "25"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:wago:touch_panel_600_advanced:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "A8221861-7455-41D5-B310-6AEA822B46CF"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:wago:touch_panel_600_marine_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A9018036-B119-472C-A5A3-D0253E2FA425", "versionEndIncluding": "25"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:wago:touch_panel_600_marine:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "83DEFFBC-934D-43BE-92AE-25F8EE8C1E0A"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:wago:touch_panel_600_standard_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "99BEC3AF-787E-441A-A181-A491E119295B", "versionEndIncluding": "25"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:wago:touch_panel_600_standard:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "E6D7A44C-2D95-4F69-A7DB-435B0A6F9F03"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "info@cert.vde.com"}

5.3 /10