CVE-2023-2186 Vulnerability Details

CVE-2023-2186 Metadata Quick Info

CVE Published: 07/06/2023 | CVE Updated: 02/08/2024 | CVE Year: 2023
Source: trellix | Vendor: Triangle MicroWorks | Product: SCADA Data Gateway
Status: PUBLISHED

CVE-2023-2186 Description

On Triangle MicroWorks' SCADA Data Gateway version <= v5.01.03, an unauthenticated attacker can send a specially crafted broadcast message including format string characters to the SCADA Data Gateway to perform unrestricted memory reads. An unauthenticated user can use this format string vulnerability to repeatedly crash the GTWWebMonitor.exe process to DoS the Web Monitor. Furthermore, an authenticated user can leverage this vulnerability to leak memory from the GTWWebMonitor.exe process. This could be leveraged in an exploit chain to gain code execution.

Metrics

CVSS Version: 3.1 | Base Score: 8.2 HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H

Exploitability Metrics:
    Attack Vector (AV): NETWORK
    Attack Complexity (AC): LOW
    Privileges Required (PR): NONE
    User Interaction (UI): NONE
    Scope (S): UNCHANGED

Impact Metrics:
    Confidentiality Impact (C): LOW
    Integrity Impact (I): NONE
    Availability Impact (A): HIGH

Weakness Enumeration (CWE)

CWE-ID: CWE-134
CWE Name: CWE-134 Use of Externally-Controlled Format String
Source: Triangle MicroWorks

Common Attack Pattern Enumeration and Classification (CAPEC)

CAPEC-ID: CAPEC-125
CAPEC Description: CAPEC-125 Flooding


Source: NVD (National Vulnerability Database).