CVE-2023-29121 - Vulnerability Details - OpenCVE

Waybox Enel TCF Agent service could be used to get administrator’s privileges over the Waybox system.

No CVSS v4.0

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact total

Vendors	Products
Enel X	Juicebox Pro3.0 22kw Cellular
Enelx	Waybox Pro Waybox Pro Firmware

Configuration 1 [-]

AND

cpe:2.3:o:enelx:waybox_pro_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:enelx:waybox_pro:3.0:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://support-emobility.enelx.com/content/dam/enelxmobility/italia/documenti/manuali-schede-tecniche/Waybox-3-Security-Bulletin-06-2024-V1.pdf

History

Fri, 08 Nov 2024 16:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Enelx Enelx waybox Pro Enelx waybox Pro Firmware
Weaknesses		NVD-CWE-Other
CPEs		cpe:2.3:h:enelx:waybox_pro:3.0:::::::* cpe:2.3:o:enelx:waybox_pro_firmware::::::::
Vendors & Products		Enelx Enelx waybox Pro Enelx waybox Pro Firmware

Tue, 05 Nov 2024 18:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Enel X Enel X juicebox Pro3.0 22kw Cellular
CPEs		cpe:2.3:a:enel_x:juicebox_pro3.0_22kw_cellular::::::::
Vendors & Products		Enel X Enel X juicebox Pro3.0 22kw Cellular
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Tue, 05 Nov 2024 15:45:00 +0000

Type	Values Removed	Values Added
Description		Waybox Enel TCF Agent service could be used to get administrator’s privileges over the Waybox system.
Title		Exposed TCF agent service in Enel X Juicebox
Weaknesses		CWE-284
References		https://support-emobility.enelx.com/content/dam/enelxmobility/italia/documenti/manuali-schede-tecniche/Waybox-3-Security-Bulletin-06-2024-V1.pdf
Metrics		cvssV3_1 `{'score': 9.6, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}`

MITRE

Status: PUBLISHED

Assigner: ASRG

Published: 2024-11-05T15:23:41.624Z

Updated: 2024-11-05T17:11:16.250Z

Reserved: 2023-03-31T10:22:52.667Z

Link: CVE-2023-29121

Vulnrichment

Updated: 2024-11-05T17:11:04.568Z

NVD

Status : Analyzed

Published: 2024-11-05T16:15:16.377

Modified: 2024-11-08T16:09:28.403

Link: CVE-2023-29121

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-29121", "assignerOrgId": "c15abc07-96a9-4d11-a503-5d621bfe42ba", "state": "PUBLISHED", "assignerShortName": "ASRG", "dateReserved": "2023-03-31T10:22:52.667Z", "datePublished": "2024-11-05T15:23:41.624Z", "dateUpdated": "2024-11-05T17:11:16.250Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "modules": ["Public Service"], "product": "JuiceBox Pro 3.0 22kW Cellular", "vendor": "Enel X", "versions": [{"lessThanOrEqual": "2.1.1.0_JB3VU096A", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Abdellah Benotsmane (PCAutomotive)"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Waybox Enel TCF Agent service could be used to get administrator\u2019s privileges over the Waybox system."}], "value": "Waybox Enel TCF Agent service could be used to get administrator\u2019s privileges over the Waybox system."}], "impacts": [{"capecId": "CAPEC-88", "descriptions": [{"lang": "en", "value": "CAPEC-88 OS Command Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.6, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "description": "CWE-284: Improper Access Control", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "c15abc07-96a9-4d11-a503-5d621bfe42ba", "shortName": "ASRG", "dateUpdated": "2024-11-05T15:23:41.624Z"}, "references": [{"url": "https://support-emobility.enelx.com/content/dam/enelxmobility/italia/documenti/manuali-schede-tecniche/Waybox-3-Security-Bulletin-06-2024-V1.pdf"}], "source": {"discovery": "EXTERNAL"}, "title": "Exposed TCF agent service in Enel X Juicebox", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"affected": [{"vendor": "enel_x", "product": "juicebox_pro3.0_22kw_cellular", "cpes": ["cpe:2.3:a:enel_x:juicebox_pro3.0_22kw_cellular:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.1.1.0_JB3VU096A", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-11-05T17:11:11.823183Z", "id": "CVE-2023-29121", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-05T17:11:16.250Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-29121", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-11-05T17:11:11.823183Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:enel_x:juicebox_pro3.0_22kw_cellular:*:*:*:*:*:*:*:*"], "vendor": "enel_x", "product": "juicebox_pro3.0_22kw_cellular", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "2.1.1.0_JB3VU096A"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-05T17:11:04.568Z"}}], "cna": {"title": "Exposed TCF agent service in Enel X Juicebox", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Abdellah Benotsmane (PCAutomotive)"}], "impacts": [{"capecId": "CAPEC-88", "descriptions": [{"lang": "en", "value": "CAPEC-88 OS Command Injection"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.6, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Enel X", "modules": ["Public Service"], "product": "JuiceBox Pro 3.0 22kW Cellular", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "2.1.1.0_JB3VU096A"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://support-emobility.enelx.com/content/dam/enelxmobility/italia/documenti/manuali-schede-tecniche/Waybox-3-Security-Bulletin-06-2024-V1.pdf"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "Waybox Enel TCF Agent service could be used to get administrator\u2019s privileges over the Waybox system.", "supportingMedia": [{"type": "text/html", "value": "Waybox Enel TCF Agent service could be used to get administrator\u2019s privileges over the Waybox system.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284: Improper Access Control"}]}], "providerMetadata": {"orgId": "c15abc07-96a9-4d11-a503-5d621bfe42ba", "shortName": "ASRG", "dateUpdated": "2024-11-05T15:23:41.624Z"}}}, "cveMetadata": {"cveId": "CVE-2023-29121", "state": "PUBLISHED", "dateUpdated": "2024-11-05T17:11:16.250Z", "dateReserved": "2023-03-31T10:22:52.667Z", "assignerOrgId": "c15abc07-96a9-4d11-a503-5d621bfe42ba", "datePublished": "2024-11-05T15:23:41.624Z", "assignerShortName": "ASRG"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:enelx:waybox_pro_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "B7B70D3C-2FBD-4BEA-8ADB-0712CBC60CDE", "versionEndExcluding": "2.1.1.0_jb3vu096a", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:enelx:waybox_pro:3.0:*:*:*:*:*:*:*", "matchCriteriaId": "B4793B11-455A-4C29-A1EC-22CE8DDFEDCF", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Waybox Enel TCF Agent service could be used to get administrator\u2019s privileges over the Waybox system."}, {"lang": "es", "value": " El servicio Waybox Enel TCF Agent se puede utilizar para obtener privilegios de administrador en el sistema Waybox."}], "id": "CVE-2023-29121", "lastModified": "2024-11-08T16:09:28.403", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.6, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 6.0, "source": "cve@asrg.io", "type": "Secondary"}]}, "published": "2024-11-05T16:15:16.377", "references": [{"source": "cve@asrg.io", "tags": ["Vendor Advisory"], "url": "https://support-emobility.enelx.com/content/dam/enelxmobility/italia/documenti/manuali-schede-tecniche/Waybox-3-Security-Bulletin-06-2024-V1.pdf"}], "sourceIdentifier": "cve@asrg.io", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-284"}], "source": "cve@asrg.io", "type": "Secondary"}]}