9.8

CVE-2023-5719

The Crimson 3.2 Windows-based configuration tool allows users with administrative access to define new passwords for users and to download the resulting security configuration to a device. If such a password contains the percent (%) character, invalid values will be included, potentially truncating the string if a NUL is encountered. If the simplified password is not detected by the administrator, the device might be left in a vulnerable state as a result of more-easily compromised credentials. Note that passwords entered via the Crimson system web server do not suffer from this vulnerability.

Data is provided by the National Vulnerability Database (NVD)
RedlionCrimson Version < 3.2
   RedlionDa50a Version-
   RedlionDa70a Version-
RedlionCrimson Version3.2 Updatebuild_3.2.0008.0
   RedlionDa50a Version-
   RedlionDa70a Version-
RedlionCrimson Version3.2 Updatebuild_3.2.0014.0
   RedlionDa50a Version-
   RedlionDa70a Version-
RedlionCrimson Version3.2 Updatebuild_3.2.0015.0
   RedlionDa50a Version-
   RedlionDa70a Version-
RedlionCrimson Version3.2 Updatebuild_3.2.0016.0
   RedlionDa50a Version-
   RedlionDa70a Version-
RedlionCrimson Version3.2 Updatebuild_3.2.0020.0
   RedlionDa50a Version-
   RedlionDa70a Version-
RedlionCrimson Version3.2 Updatebuild_3.2.0021.0
   RedlionDa50a Version-
   RedlionDa70a Version-
RedlionCrimson Version3.2 Updatebuild_3.2.0025.0
   RedlionDa50a Version-
   RedlionDa70a Version-
RedlionCrimson Version3.2 Updatebuild_3.2.0026.0
   RedlionDa50a Version-
   RedlionDa70a Version-
RedlionCrimson Version3.2 Updatebuild_3.2.0030.0
   RedlionDa50a Version-
   RedlionDa70a Version-
RedlionCrimson Version3.2 Updatebuild_3.2.0031.0
   RedlionDa50a Version-
   RedlionDa70a Version-
RedlionCrimson Version3.2 Updatebuild_3.2.0035.0
   RedlionDa50a Version-
   RedlionDa70a Version-
RedlionCrimson Version3.2 Updatebuild_3.2.0036.0
   RedlionDa50a Version-
   RedlionDa70a Version-
RedlionCrimson Version3.2 Updatebuild_3.2.0040.0
   RedlionDa50a Version-
   RedlionDa70a Version-
RedlionCrimson Version3.2 Updatebuild_3.2.0041.0
   RedlionDa50a Version-
   RedlionDa70a Version-
RedlionCrimson Version3.2 Updatebuild_3.2.0044.0
   RedlionDa50a Version-
   RedlionDa70a Version-
RedlionCrimson Version3.2 Updatebuild_3.2.0047.0
   RedlionDa50a Version-
   RedlionDa70a Version-
RedlionCrimson Version3.2 Updatebuild_3.2.0050.0
   RedlionDa50a Version-
   RedlionDa70a Version-
RedlionCrimson Version3.2 Updatebuild_3.2.0051.0
   RedlionDa50a Version-
   RedlionDa70a Version-
RedlionCrimson Version3.2 Updatebuild_3.2.0053.0
   RedlionDa50a Version-
   RedlionDa70a Version-
RedlionCrimson Version3.2 Updatebuild_3.2.0053.1
   RedlionDa50a Version-
   RedlionDa70a Version-
RedlionCrimson Version3.2 Updatebuild_3.2.0053.18
   RedlionDa50a Version-
   RedlionDa70a Version-
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Type Source Score Percentile
EPSS FIRST.org 0.09% 0.269
CVSS Metriken
Source Base Score Exploit Score Impact Score Vector string
nvd@nist.gov 9.8 3.9 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ics-cert@hq.dhs.gov 8.8 2.8 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE-158 Improper Neutralization of Null Byte or NUL Character

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes NUL characters or null bytes when they are sent to a downstream component.

https://www.cisa.gov/news-events/ics-advisories/icsa-23-306-01
Third Party Advisory
US Government Resource