Dataprobe iBoot-PDU up to 1.43.03312023 REST API authentication by alternate name
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 6.4 | $0-$5k | 0.00 |
Summary
A vulnerability identified as problematic has been detected in Dataprobe iBoot-PDU up to 1.43.03312023. The impacted element is an unknown function of the component REST API. Performing a manipulation results in authentication by alternate name. This vulnerability is reported as CVE-2023-3263. The attack is possible to be carried out remotely. No exploit exists.
Details
A vulnerability was found in Dataprobe iBoot-PDU up to 1.43.03312023. It has been classified as problematic. This affects some unknown functionality of the component REST API. The manipulation with an unknown input leads to a authentication by alternate name vulnerability. CWE is classifying the issue as CWE-289. The product performs authentication based on the name of a resource being accessed, or the name of the actor performing the access, but it does not properly check all possible names for that resource or actor. This is going to have an impact on confidentiality. The summary by CVE is:
The Dataprobe iBoot PDU running firmware version 1.43.03312023 or earlier is vulnerable to authentication bypass in the REST API due to the mishandling of special characters when parsing credentials.Successful exploitation allows the malicious agent to obtain a valid authorization token and read information relating to the state of the relays and power distribution.
The weakness was disclosed 08/14/2023. The advisory is shared at trellix.com. This vulnerability is uniquely identified as CVE-2023-3263 since 06/15/2023. Neither technical details nor an exploit are publicly available.
There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Product
Vendor
Name
Version
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 6.4VulDB Meta Temp Score: 6.4
VulDB Base Score: 5.3
VulDB Temp Score: 5.3
VulDB Vector: 🔍
VulDB Reliability: 🔍
CNA Base Score: 7.5
CNA Vector (Trellix): 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
Exploiting
Class: Authentication by alternate nameCWE: CWE-289 / CWE-287
CAPEC: 🔍
ATT&CK: 🔍
Physical: No
Local: No
Remote: Yes
Availability: 🔍
Status: Not defined
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: no mitigation knownStatus: 🔍
0-Day Time: 🔍
Timeline
06/15/2023 🔍08/14/2023 🔍
08/14/2023 🔍
08/14/2023 🔍
Sources
Advisory: trellix.comStatus: Not defined
CVE: CVE-2023-3263 (🔍)
GCVE (CVE): GCVE-0-2023-3263
GCVE (VulDB): GCVE-100-237057
Entry
Created: 08/14/2023 08:16Changes: 08/14/2023 08:16 (47)
Complete: 🔍
Cache ID: 216::103
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
No comments yet. Languages: en.
Please log in to comment.