CVE-2023-28900 - Vulnerability Details - OpenCVE

The Skoda Automotive cloud contains a Broken Access Control vulnerability, allowing to obtain nicknames and other user identifiers of Skoda Connect service users by specifying an arbitrary vehicle VIN number.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Skoda-auto	Skoda Connect

Configuration 1 [-]

cpe:2.3:a:skoda-auto:skoda_connect:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://asrg.io/security-advisories/cve-2023-28900

History

No history.

MITRE

Status: PUBLISHED

Assigner: ASRG

Published: 2024-01-18T16:23:07.819Z

Updated: 2024-08-02T13:51:39.125Z

Reserved: 2023-03-27T14:51:13.968Z

Link: CVE-2023-28900

Vulnrichment

No data.

NVD

Status : Modified

Published: 2024-01-18T17:15:13.737

Modified: 2024-11-21T07:56:14.617

Link: CVE-2023-28900

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-28900", "assignerOrgId": "c15abc07-96a9-4d11-a503-5d621bfe42ba", "state": "PUBLISHED", "assignerShortName": "ASRG", "dateReserved": "2023-03-27T14:51:13.968Z", "datePublished": "2024-01-18T16:23:07.819Z", "dateUpdated": "2024-08-02T13:51:39.125Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "\u0160koda Connect", "vendor": "\u0160koda Auto", "versions": [{"status": "affected", "version": "0"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Anna Breeva (PCAutomotive)"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "The Skoda Automotive cloud contains a Broken Access Control vulnerability, allowing to obtain nicknames and other user identifiers of Skoda Connect service users by specifying an arbitrary vehicle VIN number."}], "value": "The Skoda Automotive cloud contains a Broken Access Control vulnerability, allowing to obtain nicknames and other user identifiers of Skoda Connect service users by specifying an arbitrary vehicle VIN number."}], "impacts": [{"capecId": "CAPEC-116", "descriptions": [{"lang": "en", "value": "CAPEC-116 Excavation"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "c15abc07-96a9-4d11-a503-5d621bfe42ba", "shortName": "ASRG", "dateUpdated": "2024-01-18T16:23:07.819Z"}, "references": [{"url": "https://asrg.io/security-advisories/cve-2023-28900"}], "source": {"discovery": "EXTERNAL"}, "title": "Nickname Disclosure on the Backend Automotive Server", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T13:51:39.125Z"}, "title": "CVE Program Container", "references": [{"url": "https://asrg.io/security-advisories/cve-2023-28900", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:skoda-auto:skoda_connect:-:*:*:*:*:*:*:*", "matchCriteriaId": "52F83D74-D8F0-4D6C-B382-6E1ECE9373AF", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The Skoda Automotive cloud contains a Broken Access Control vulnerability, allowing to obtain nicknames and other user identifiers of Skoda Connect service users by specifying an arbitrary vehicle VIN number."}, {"lang": "es", "value": "La nube de Skoda Automotive contiene una vulnerabilidad de control de acceso roto, que permite obtener apodos y otros identificadores de usuario de los usuarios del servicio Skoda Connect especificando un n\u00famero VIN arbitrario del veh\u00edculo."}], "id": "CVE-2023-28900", "lastModified": "2024-11-21T07:56:14.617", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "cve@asrg.io", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-01-18T17:15:13.737", "references": [{"source": "cve@asrg.io", "tags": ["Third Party Advisory"], "url": "https://asrg.io/security-advisories/cve-2023-28900"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://asrg.io/security-advisories/cve-2023-28900"}], "sourceIdentifier": "cve@asrg.io", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "cve@asrg.io", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}