CVE-2023-45318 - Vulnerability Details - OpenCVE

A heap-based buffer overflow vulnerability exists in the HTTP Server functionality of Weston Embedded uC-HTTP git commit 80d4004. A specially crafted network packet can lead to arbitrary code execution. An attacker can send a malicious packet to trigger this vulnerability.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation poc

Automatable yes

Technical Impact total

Vendors	Products
Silabs	Gecko Platform Gecko Software Development Kit
Weston-embedded	Uc-http

Configuration 1 [-]

OR	cpe:2.3:a:silabs:gecko_software_development_kit:4.3.2.0:::::::*
	cpe:2.3:a:weston-embedded:uc-http:-:::::::*

No data.

References

Link	Providers
https://talosintelligence.com/vulnerability_reports/TALOS-2023-1843

History

Wed, 12 Feb 2025 19:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Silabs gecko Software Development Kit
Weaknesses		CWE-787
CPEs		cpe:2.3:a:silabs:gecko_software_development_kit:4.3.2.0:::::::* cpe:2.3:a:weston-embedded:uc-http:-:::::::*
Vendors & Products		Silabs gecko Software Development Kit

Thu, 03 Oct 2024 14:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Silabs Silabs gecko Platform Weston-embedded Weston-embedded uc-http
CPEs		cpe:2.3:a:silabs:gecko_platform:::::::: cpe:2.3:a:weston-embedded:uc-http::::::::
Vendors & Products		Silabs Silabs gecko Platform Weston-embedded Weston-embedded uc-http
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: talos

Published: 2024-02-20T14:45:02.103Z

Updated: 2024-10-03T14:04:39.047Z

Reserved: 2023-10-06T20:58:14.631Z

Link: CVE-2023-45318

Vulnrichment

Updated: 2024-08-02T20:21:15.925Z

NVD

Status : Analyzed

Published: 2024-02-20T15:15:08.727

Modified: 2025-02-12T18:50:45.040

Link: CVE-2023-45318

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-45318", "assignerOrgId": "b86d76f8-0f8a-4a96-a78d-d8abfc7fc29b", "state": "PUBLISHED", "assignerShortName": "talos", "dateReserved": "2023-10-06T20:58:14.631Z", "datePublished": "2024-02-20T14:45:02.103Z", "dateUpdated": "2024-10-03T14:04:39.047Z"}, "containers": {"cna": {"affected": [{"vendor": "Silicon Labs", "product": "Gecko Platform", "versions": [{"version": "Silicon Labs Gecko Platform 4.3.2.0", "status": "affected"}]}, {"vendor": "Weston Embedded", "product": "uC-HTTP", "versions": [{"version": "git commit 80d4004", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "A heap-based buffer overflow vulnerability exists in the HTTP Server functionality of Weston Embedded uC-HTTP git commit 80d4004. A specially crafted network packet can lead to arbitrary code execution. An attacker can send a malicious packet to trigger this vulnerability."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-122: Heap-based Buffer Overflow", "type": "CWE", "cweId": "CWE-122"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 10, "baseSeverity": "CRITICAL"}}], "providerMetadata": {"orgId": "b86d76f8-0f8a-4a96-a78d-d8abfc7fc29b", "shortName": "talos", "dateUpdated": "2024-02-20T18:00:06.767Z"}, "references": [{"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2023-1843", "name": "https://talosintelligence.com/vulnerability_reports/TALOS-2023-1843"}], "credits": [{"lang": "en", "value": "Discovered by Kelly Patterson of Cisco Talos."}]}, "adp": [{"affected": [{"vendor": "silabs", "product": "gecko_platform", "cpes": ["cpe:2.3:a:silabs:gecko_platform:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "4.3.2.0", "status": "affected"}]}, {"vendor": "weston-embedded", "product": "uc-http", "cpes": ["cpe:2.3:a:weston-embedded:uc-http:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "git commit 80d4004", "status": "affected"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-02-20T16:31:01.592003Z", "id": "CVE-2023-45318", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-03T14:04:39.047Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T20:21:15.925Z"}, "title": "CVE Program Container", "references": [{"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2023-1843", "name": "https://talosintelligence.com/vulnerability_reports/TALOS-2023-1843", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2023-1843", "name": "https://talosintelligence.com/vulnerability_reports/TALOS-2023-1843", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T20:21:15.925Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-45318", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-02-20T16:31:01.592003Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:silabs:gecko_platform:*:*:*:*:*:*:*:*"], "vendor": "silabs", "product": "gecko_platform", "versions": [{"status": "affected", "version": "4.3.2.0"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:weston-embedded:uc-http:*:*:*:*:*:*:*:*"], "vendor": "weston-embedded", "product": "uc-http", "versions": [{"status": "affected", "version": "git commit 80d4004"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-29T15:02:21.669Z"}}], "cna": {"credits": [{"lang": "en", "value": "Discovered by Kelly Patterson of Cisco Talos."}], "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 10, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "Silicon Labs", "product": "Gecko Platform", "versions": [{"status": "affected", "version": "Silicon Labs Gecko Platform 4.3.2.0"}]}, {"vendor": "Weston Embedded", "product": "uC-HTTP", "versions": [{"status": "affected", "version": "git commit 80d4004"}]}], "references": [{"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2023-1843", "name": "https://talosintelligence.com/vulnerability_reports/TALOS-2023-1843"}], "descriptions": [{"lang": "en", "value": "A heap-based buffer overflow vulnerability exists in the HTTP Server functionality of Weston Embedded uC-HTTP git commit 80d4004. A specially crafted network packet can lead to arbitrary code execution. An attacker can send a malicious packet to trigger this vulnerability."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-122", "description": "CWE-122: Heap-based Buffer Overflow"}]}], "providerMetadata": {"orgId": "b86d76f8-0f8a-4a96-a78d-d8abfc7fc29b", "shortName": "talos", "dateUpdated": "2024-02-20T18:00:06.767Z"}}}, "cveMetadata": {"cveId": "CVE-2023-45318", "state": "PUBLISHED", "dateUpdated": "2024-10-03T14:04:39.047Z", "dateReserved": "2023-10-06T20:58:14.631Z", "assignerOrgId": "b86d76f8-0f8a-4a96-a78d-d8abfc7fc29b", "datePublished": "2024-02-20T14:45:02.103Z", "assignerShortName": "talos"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:silabs:gecko_software_development_kit:4.3.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "630B4655-F4AA-4DAA-8127-BBC89EE6046C", "vulnerable": true}, {"criteria": "cpe:2.3:a:weston-embedded:uc-http:-:*:*:*:*:*:*:*", "matchCriteriaId": "AE7CD12C-6F8F-4347-B9BD-51C46EF0F84E", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A heap-based buffer overflow vulnerability exists in the HTTP Server functionality of Weston Embedded uC-HTTP git commit 80d4004. A specially crafted network packet can lead to arbitrary code execution. An attacker can send a malicious packet to trigger this vulnerability."}, {"lang": "es", "value": "Existe una vulnerabilidad de desbordamiento de b\u00fafer de almacenamiento din\u00e1mico en la funcionalidad del servidor HTTP de Weston Embedded uC-HTTP git commit 80d4004. Un paquete de red especialmente manipulado puede provocar la ejecuci\u00f3n de c\u00f3digo arbitrario. Un atacante puede enviar un paquete malicioso para desencadenar esta vulnerabilidad."}], "id": "CVE-2023-45318", "lastModified": "2025-02-12T18:50:45.040", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 6.0, "source": "talos-cna@cisco.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-02-20T15:15:08.727", "references": [{"source": "talos-cna@cisco.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2023-1843"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2023-1843"}], "sourceIdentifier": "talos-cna@cisco.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-122"}], "source": "talos-cna@cisco.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-787"}], "source": "nvd@nist.gov", "type": "Primary"}]}