CVE-2023-4088 - Vulnerability Details - OpenCVE

Incorrect Default Permissions vulnerability in Mitsubishi Electric Corporation multiple FA engineering software products allows a malicious local attacker to execute a malicious code, resulting in information disclosure, tampering with and deletion, or a denial-of-service (DoS) condition, if the product is installed in a folder other than the default installation folder.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact total

Vendors	Products
Mitsubishielectric	Gx Works3

Configuration 1 [-]

cpe:2.3:a:mitsubishielectric:gx_works3:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://jvn.jp/vu/JVNVU96447193/index.html
https://www.cisa.gov/news-events/ics-advisories/icsa-23-269-03
https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2023-010_en.pdf

History

Tue, 24 Sep 2024 19:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: Mitsubishi

Published: 2023-09-20T02:26:43.901Z

Updated: 2024-09-24T18:27:11.655Z

Reserved: 2023-08-02T04:52:49.923Z

Link: CVE-2023-4088

Vulnrichment

Updated: 2024-08-02T07:17:12.060Z

NVD

Status : Modified

Published: 2023-09-20T03:15:13.687

Modified: 2024-11-21T08:34:21.840

Link: CVE-2023-4088

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-4088", "assignerOrgId": "e0f77b61-78fd-4786-b3fb-1ee347a748ad", "state": "PUBLISHED", "assignerShortName": "Mitsubishi", "dateReserved": "2023-08-02T04:52:49.923Z", "datePublished": "2023-09-20T02:26:43.901Z", "dateUpdated": "2024-09-24T18:27:11.655Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "GX Works3", "vendor": "Mitsubishi Electric Corporation", "versions": [{"status": "affected", "version": "all versions"}]}, {"defaultStatus": "unaffected", "product": "AL-PCS/WIN-E", "vendor": "Mitsubishi Electric Corporation", "versions": [{"status": "affected", "version": "all versions"}]}, {"defaultStatus": "unaffected", "product": "CPU Module Logging Configuration Tool", "vendor": "Mitsubishi Electric Corporation", "versions": [{"status": "affected", "version": "all versions"}]}, {"defaultStatus": "unaffected", "product": "EZSocket", "vendor": "Mitsubishi Electric Corporation", "versions": [{"status": "affected", "version": "all versions"}]}, {"defaultStatus": "unaffected", "product": "FR Configurator2", "vendor": "Mitsubishi Electric Corporation", "versions": [{"status": "affected", "version": "all versions"}]}, {"defaultStatus": "unaffected", "product": "FX Configurator-EN", "vendor": "Mitsubishi Electric Corporation", "versions": [{"status": "affected", "version": "all versions"}]}, {"defaultStatus": "unaffected", "product": "FX Configurator-EN-L", "vendor": "Mitsubishi Electric Corporation", "versions": [{"status": "affected", "version": "all versions"}]}, {"defaultStatus": "unaffected", "product": "FX Configurator-FP", "vendor": "Mitsubishi Electric Corporation", "versions": [{"status": "affected", "version": "all versions"}]}, {"defaultStatus": "unaffected", "product": "GT Designer3 Version1(GOT1000)", "vendor": "Mitsubishi Electric Corporation", "versions": [{"status": "affected", "version": "all versions"}]}, {"defaultStatus": "unaffected", "product": "GT Designer3 Version1(GOT2000)", "vendor": "Mitsubishi Electric Corporation", "versions": [{"status": "affected", "version": "all versions"}]}, {"defaultStatus": "unaffected", "product": "GT SoftGOT1000 Version3", "vendor": "Mitsubishi Electric Corporation", "versions": [{"status": "affected", "version": "all versions"}]}, {"defaultStatus": "unaffected", "product": "GT SoftGOT2000 Version1", "vendor": "Mitsubishi Electric Corporation", "versions": [{"status": "affected", "version": "all versions"}]}, {"defaultStatus": "unaffected", "product": "GX LogViewer", "vendor": "Mitsubishi Electric Corporation", "versions": [{"status": "affected", "version": "all versions"}]}, {"defaultStatus": "unaffected", "product": "GX Works2", "vendor": "Mitsubishi Electric Corporation", "versions": [{"status": "affected", "version": "all versions"}]}, {"defaultStatus": "unaffected", "product": "MELSOFT FieldDeviceConfigurator", "vendor": "Mitsubishi Electric Corporation", "versions": [{"status": "affected", "version": "all versions"}]}, {"defaultStatus": "unaffected", "product": "MELSOFT iQ AppPortal", "vendor": "Mitsubishi Electric Corporation", "versions": [{"status": "affected", "version": "all versions"}]}, {"defaultStatus": "unaffected", "product": "MELSOFT MaiLab", "vendor": "Mitsubishi Electric Corporation", "versions": [{"status": "affected", "version": "all versions"}]}, {"defaultStatus": "unaffected", "product": "MELSOFT Navigator", "vendor": "Mitsubishi Electric Corporation", "versions": [{"status": "affected", "version": "all versions"}]}, {"defaultStatus": "unaffected", "product": "MELSOFT Update Manager", "vendor": "Mitsubishi Electric Corporation", "versions": [{"status": "affected", "version": "all versions"}]}, {"defaultStatus": "unaffected", "product": "MX Component", "vendor": "Mitsubishi Electric Corporation", "versions": [{"status": "affected", "version": "all versions"}]}, {"defaultStatus": "unaffected", "product": "MX Sheet", "vendor": "Mitsubishi Electric Corporation", "versions": [{"status": "affected", "version": "all versions"}]}, {"defaultStatus": "unaffected", "product": "PX Developer", "vendor": "Mitsubishi Electric Corporation", "versions": [{"status": "affected", "version": "all versions"}]}, {"defaultStatus": "unaffected", "product": "RT ToolBox3", "vendor": "Mitsubishi Electric Corporation", "versions": [{"status": "affected", "version": "all versions"}]}, {"defaultStatus": "unaffected", "product": "RT VisualBox", "vendor": "Mitsubishi Electric Corporation", "versions": [{"status": "affected", "version": "all versions"}]}, {"defaultStatus": "unaffected", "product": "Data Transfer", "vendor": "Mitsubishi Electric Corporation", "versions": [{"status": "affected", "version": "all versions"}]}, {"defaultStatus": "unaffected", "product": "Data Transfer Classic", "vendor": "Mitsubishi Electric Corporation", "versions": [{"status": "affected", "version": "all versions"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Incorrect Default Permissions vulnerability in Mitsubishi Electric Corporation multiple FA engineering software products allows a malicious local attacker to execute a malicious code, resulting in information disclosure, tampering with and deletion, or a denial-of-service (DoS) condition, if the product is installed in a folder other than the default installation folder."}], "value": "Incorrect Default Permissions vulnerability in Mitsubishi Electric Corporation multiple FA engineering software products allows a malicious local attacker to execute a malicious code, resulting in information disclosure, tampering with and deletion, or a denial-of-service (DoS) condition, if the product is installed in a folder other than the default installation folder."}], "impacts": [{"descriptions": [{"lang": "en", "value": "Malicious Code Execution"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-276", "description": "CWE-276 Incorrect Default Permissions", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "e0f77b61-78fd-4786-b3fb-1ee347a748ad", "shortName": "Mitsubishi", "dateUpdated": "2024-07-04T09:16:28.950Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2023-010_en.pdf"}, {"tags": ["government-resource"], "url": "https://jvn.jp/vu/JVNVU96447193/index.html"}, {"tags": ["government-resource"], "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-269-03"}], "source": {"discovery": "UNKNOWN"}, "title": "Malicious Code Execution Vulnerability in FA Engineering Software Products", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T07:17:12.060Z"}, "title": "CVE Program Container", "references": [{"tags": ["vendor-advisory", "x_transferred"], "url": "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2023-010_en.pdf"}, {"tags": ["government-resource", "x_transferred"], "url": "https://jvn.jp/vu/JVNVU96447193/index.html"}, {"tags": ["government-resource", "x_transferred"], "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-269-03"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-24T18:27:00.307770Z", "id": "CVE-2023-4088", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-24T18:27:11.655Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2023-010_en.pdf", "tags": ["vendor-advisory", "x_transferred"]}, {"url": "https://jvn.jp/vu/JVNVU96447193/index.html", "tags": ["government-resource", "x_transferred"]}, {"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-269-03", "tags": ["government-resource", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T07:17:12.060Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-4088", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-09-24T18:27:00.307770Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-24T18:27:06.570Z"}}], "cna": {"title": "Malicious Code Execution Vulnerability in FA Engineering Software Products", "source": {"discovery": "UNKNOWN"}, "impacts": [{"descriptions": [{"lang": "en", "value": "Malicious Code Execution"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.3, "attackVector": "LOCAL", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Mitsubishi Electric Corporation", "product": "GX Works3", "versions": [{"status": "affected", "version": "all versions"}], "defaultStatus": "unaffected"}, {"vendor": "Mitsubishi Electric Corporation", "product": "AL-PCS/WIN-E", "versions": [{"status": "affected", "version": "all versions"}], "defaultStatus": "unaffected"}, {"vendor": "Mitsubishi Electric Corporation", "product": "CPU Module Logging Configuration Tool", "versions": [{"status": "affected", "version": "all versions"}], "defaultStatus": "unaffected"}, {"vendor": "Mitsubishi Electric Corporation", "product": "EZSocket", "versions": [{"status": "affected", "version": "all versions"}], "defaultStatus": "unaffected"}, {"vendor": "Mitsubishi Electric Corporation", "product": "FR Configurator2", "versions": [{"status": "affected", "version": "all versions"}], "defaultStatus": "unaffected"}, {"vendor": "Mitsubishi Electric Corporation", "product": "FX Configurator-EN", "versions": [{"status": "affected", "version": "all versions"}], "defaultStatus": "unaffected"}, {"vendor": "Mitsubishi Electric Corporation", "product": "FX Configurator-EN-L", "versions": [{"status": "affected", "version": "all versions"}], "defaultStatus": "unaffected"}, {"vendor": "Mitsubishi Electric Corporation", "product": "FX Configurator-FP", "versions": [{"status": "affected", "version": "all versions"}], "defaultStatus": "unaffected"}, {"vendor": "Mitsubishi Electric Corporation", "product": "GT Designer3 Version1(GOT1000)", "versions": [{"status": "affected", "version": "all versions"}], "defaultStatus": "unaffected"}, {"vendor": "Mitsubishi Electric Corporation", "product": "GT Designer3 Version1(GOT2000)", "versions": [{"status": "affected", "version": "all versions"}], "defaultStatus": "unaffected"}, {"vendor": "Mitsubishi Electric Corporation", "product": "GT SoftGOT1000 Version3", "versions": [{"status": "affected", "version": "all versions"}], "defaultStatus": "unaffected"}, {"vendor": "Mitsubishi Electric Corporation", "product": "GT SoftGOT2000 Version1", "versions": [{"status": "affected", "version": "all versions"}], "defaultStatus": "unaffected"}, {"vendor": "Mitsubishi Electric Corporation", "product": "GX LogViewer", "versions": [{"status": "affected", "version": "all versions"}], "defaultStatus": "unaffected"}, {"vendor": "Mitsubishi Electric Corporation", "product": "GX Works2", "versions": [{"status": "affected", "version": "all versions"}], "defaultStatus": "unaffected"}, {"vendor": "Mitsubishi Electric Corporation", "product": "MELSOFT FieldDeviceConfigurator", "versions": [{"status": "affected", "version": "all versions"}], "defaultStatus": "unaffected"}, {"vendor": "Mitsubishi Electric Corporation", "product": "MELSOFT iQ AppPortal", "versions": [{"status": "affected", "version": "all versions"}], "defaultStatus": "unaffected"}, {"vendor": "Mitsubishi Electric Corporation", "product": "MELSOFT MaiLab", "versions": [{"status": "affected", "version": "all versions"}], "defaultStatus": "unaffected"}, {"vendor": "Mitsubishi Electric Corporation", "product": "MELSOFT Navigator", "versions": [{"status": "affected", "version": "all versions"}], "defaultStatus": "unaffected"}, {"vendor": "Mitsubishi Electric Corporation", "product": "MELSOFT Update Manager", "versions": [{"status": "affected", "version": "all versions"}], "defaultStatus": "unaffected"}, {"vendor": "Mitsubishi Electric Corporation", "product": "MX Component", "versions": [{"status": "affected", "version": "all versions"}], "defaultStatus": "unaffected"}, {"vendor": "Mitsubishi Electric Corporation", "product": "MX Sheet", "versions": [{"status": "affected", "version": "all versions"}], "defaultStatus": "unaffected"}, {"vendor": "Mitsubishi Electric Corporation", "product": "PX Developer", "versions": [{"status": "affected", "version": "all versions"}], "defaultStatus": "unaffected"}, {"vendor": "Mitsubishi Electric Corporation", "product": "RT ToolBox3", "versions": [{"status": "affected", "version": "all versions"}], "defaultStatus": "unaffected"}, {"vendor": "Mitsubishi Electric Corporation", "product": "RT VisualBox", "versions": [{"status": "affected", "version": "all versions"}], "defaultStatus": "unaffected"}, {"vendor": "Mitsubishi Electric Corporation", "product": "Data Transfer", "versions": [{"status": "affected", "version": "all versions"}], "defaultStatus": "unaffected"}, {"vendor": "Mitsubishi Electric Corporation", "product": "Data Transfer Classic", "versions": [{"status": "affected", "version": "all versions"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2023-010_en.pdf", "tags": ["vendor-advisory"]}, {"url": "https://jvn.jp/vu/JVNVU96447193/index.html", "tags": ["government-resource"]}, {"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-269-03", "tags": ["government-resource"]}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "Incorrect Default Permissions vulnerability in Mitsubishi Electric Corporation multiple FA engineering software products allows a malicious local attacker to execute a malicious code, resulting in information disclosure, tampering with and deletion, or a denial-of-service (DoS) condition, if the product is installed in a folder other than the default installation folder.", "supportingMedia": [{"type": "text/html", "value": "Incorrect Default Permissions vulnerability in Mitsubishi Electric Corporation multiple FA engineering software products allows a malicious local attacker to execute a malicious code, resulting in information disclosure, tampering with and deletion, or a denial-of-service (DoS) condition, if the product is installed in a folder other than the default installation folder.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-276", "description": "CWE-276 Incorrect Default Permissions"}]}], "providerMetadata": {"orgId": "e0f77b61-78fd-4786-b3fb-1ee347a748ad", "shortName": "Mitsubishi", "dateUpdated": "2024-07-04T09:16:28.950Z"}}}, "cveMetadata": {"cveId": "CVE-2023-4088", "state": "PUBLISHED", "dateUpdated": "2024-09-24T18:27:11.655Z", "dateReserved": "2023-08-02T04:52:49.923Z", "assignerOrgId": "e0f77b61-78fd-4786-b3fb-1ee347a748ad", "datePublished": "2023-09-20T02:26:43.901Z", "assignerShortName": "Mitsubishi"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mitsubishielectric:gx_works3:*:*:*:*:*:*:*:*", "matchCriteriaId": "F4AEDEEE-5070-41E2-B4DC-6DE8456BC028", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Incorrect Default Permissions vulnerability in Mitsubishi Electric Corporation multiple FA engineering software products allows a malicious local attacker to execute a malicious code, resulting in information disclosure, tampering with and deletion, or a denial-of-service (DoS) condition, if the product is installed in a folder other than the default installation folder."}, {"lang": "es", "value": "Vulnerabilidad de Permisos Predeterminados Incorrectos debido a una soluci\u00f3n incompleta para abordar CVE-2020-14496 en los productos de software de ingenier\u00eda de Mitsubishi Electric Corporation FA permite que un atacante local malicioso ejecute un c\u00f3digo malicioso, lo que podr\u00eda resultar en la divulgaci\u00f3n, manipulaci\u00f3n y eliminaci\u00f3n de informaci\u00f3n, o una condici\u00f3n de denegaci\u00f3n fuera de servicio (DoS). Sin embargo, si la versi\u00f3n mitigada descrita en el aviso para CVE-2020-14496 se utiliza y se instala en la carpeta de instalaci\u00f3n predeterminada, esta vulnerabilidad no afecta a los productos."}], "id": "CVE-2023-4088", "lastModified": "2024-11-21T08:34:21.840", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.5, "impactScore": 6.0, "source": "Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-09-20T03:15:13.687", "references": [{"source": "Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp", "url": "https://jvn.jp/vu/JVNVU96447193/index.html"}, {"source": "Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp", "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-269-03"}, {"source": "Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp", "tags": ["Vendor Advisory"], "url": "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2023-010_en.pdf"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://jvn.jp/vu/JVNVU96447193/index.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-269-03"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2023-010_en.pdf"}], "sourceIdentifier": "Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-276"}], "source": "Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-276"}], "source": "nvd@nist.gov", "type": "Primary"}]}