CVE-2023-3243

EPSS 0.15%
Published 28.06.2023 21:15:10
Last modified 21.11.2024 08:16:47
Source psirt@honeywell.com
Teams watchlist Login
Open Login

** UNSUPPORTED WHEN ASSIGNED ** [An attacker can capture an authenticating hash
and utilize it to create new sessions. The hash is also a poorly salted MD5
hash, which could result in a successful brute force password attack. Impacted product is BCM-WEB version 3.3.X. Recommended fix:  Upgrade to a supported product such
as Alerton
ACM.] Out of an abundance of caution, this CVE ID is being assigned to 
better serve our customers and ensure all who are still running this product understand 
that the product is end of life and should be removed or upgraded.

Affected products Warnungen 0 Metrics 3 CWE 2 References 4

Data is provided by the National Vulnerability Database (NVD)

Honeywell ≫ Alerton Bcm-web Firmware Version-

Honeywell ≫ Alerton Bcm-web Version-

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.15%	0.359

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
psirt@honeywell.com	8.3	2.8	5.5	CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

CWE-290 Authentication Bypass by Spoofing

This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.

CWE-326 Inadequate Encryption Strength

The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.

https://www.honeywell.com/us/en/product-security

Not Applicable

https://nvd.nist.gov/vuln/detail/CVE-2023-3243

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-3243

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-3243

EUVD