Lucene search

IcscertCVELIST:CVE-2023-49617

HistoryFeb 01, 2024 - 10:26 p.m.

CVE-2023-49617 MachineSense FeverWarn Missing Authentication for Critical Function

2024-02-0122:26:29

CWE-306

icscert

www.cve.org

machinesense

api

authentication

vulnerability

remote attacker

sensitive information

10 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

9.4 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

43.0%

JSON

The MachineSense application programmable interface (API) is improperly protected and can be accessed without authentication. A remote attacker could retrieve and modify sensitive information without any authentication.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "FeverWarn",
    "vendor": "MachineSense",
    "versions": [
      {
        "status": "affected",
        "version": "ESP32"
      },
      {
        "status": "affected",
        "version": "RaspberryPi"
      },
      {
        "status": "affected",
        "version": "DataHub RaspberryPi"
      }
    ]
  }
]

References

machinesense.com/pages/about-machinesense

www.cisa.gov/news-events/ics-advisories/icsa-24-025-01

10 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

9.4 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

43.0%

JSON

Related for CVELIST:CVE-2023-49617