CVE-2023-51593 - Vulnerability Details - OpenCVE

Voltronic Power ViewPower Pro Expression Language Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Voltronic Power ViewPower Pro. Authentication is not required to exploit this vulnerability. The specific flaw exists within the Struts2 dependency. The issue results from the use of a library that is vulnerable to expression language injection. An attacker can leverage this vulnerability to execute code in the context of LOCAL SERVICE. Was ZDI-CAN-22095.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

References

Link	Providers
https://www.zerodayinitiative.com/advisories/ZDI-23-1896/

History

No history.

MITRE

Status: PUBLISHED

Assigner: zdi

Published: 2024-05-03T02:15:22.331Z

Updated: 2024-08-02T22:40:32.588Z

Reserved: 2023-12-20T20:38:20.870Z

Link: CVE-2023-51593

Vulnrichment

Updated: 2024-08-02T22:40:32.588Z

NVD

Status : Awaiting Analysis

Published: 2024-05-03T03:16:19.913

Modified: 2024-11-21T08:38:27.030

Link: CVE-2023-51593

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-51593", "assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e", "state": "PUBLISHED", "assignerShortName": "zdi", "dateReserved": "2023-12-20T20:38:20.870Z", "datePublished": "2024-05-03T02:15:22.331Z", "dateUpdated": "2024-08-02T22:40:32.588Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "99f1926a-a320-47d8-bbb5-42feb611262e", "shortName": "zdi", "dateUpdated": "2024-05-03T02:15:22.331Z"}, "title": "Voltronic Power ViewPower Pro Expression Language Injection Remote Code Execution Vulnerability", "descriptions": [{"lang": "en", "value": "Voltronic Power ViewPower Pro Expression Language Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Voltronic Power ViewPower Pro. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the Struts2 dependency. The issue results from the use of a library that is vulnerable to expression language injection. An attacker can leverage this vulnerability to execute code in the context of LOCAL SERVICE. Was ZDI-CAN-22095."}], "affected": [{"vendor": "Voltronic Power", "product": "ViewPower Pro", "versions": [{"version": "2.0-22165", "status": "affected"}], "defaultStatus": "unknown"}], "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-917", "description": "CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')", "type": "CWE"}]}], "references": [{"url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1896/", "name": "ZDI-23-1896", "tags": ["x_research-advisory"]}], "dateAssigned": "2023-12-20T14:45:49.384-06:00", "datePublic": "2023-12-20T17:09:42.581-06:00", "source": {"lang": "en", "value": "06fe5fd2bc53027c4a3b7e395af0b850e7b8a044"}, "metrics": [{"format": "CVSS", "cvssV3_0": {"version": "3.0", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL"}}]}, "adp": [{"affected": [{"vendor": "voltronic_power", "product": "viewpower_pro", "cpes": ["cpe:2.3:a:voltronic_power:viewpower_pro:2.0-22165:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "2.0-22165", "status": "affected"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-05-03T19:00:47.317589Z", "id": "CVE-2023-51593", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-23T17:12:45.675Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T22:40:32.588Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1896/", "name": "ZDI-23-1896", "tags": ["x_research-advisory", "x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1896/", "name": "ZDI-23-1896", "tags": ["x_research-advisory", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T22:40:32.588Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-51593", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-05-03T19:00:47.317589Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:voltronic_power:viewpower_pro:2.0-22165:*:*:*:*:*:*:*"], "vendor": "voltronic_power", "product": "viewpower_pro", "versions": [{"status": "affected", "version": "2.0-22165"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-03T19:01:19.980Z"}}], "cna": {"title": "Voltronic Power ViewPower Pro Expression Language Injection Remote Code Execution Vulnerability", "source": {"lang": "en", "value": "06fe5fd2bc53027c4a3b7e395af0b850e7b8a044"}, "metrics": [{"format": "CVSS", "cvssV3_0": {"version": "3.0", "baseScore": 9.8, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "Voltronic Power", "product": "ViewPower Pro", "versions": [{"status": "affected", "version": "2.0-22165"}], "defaultStatus": "unknown"}], "datePublic": "2023-12-20T17:09:42.581-06:00", "references": [{"url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1896/", "name": "ZDI-23-1896", "tags": ["x_research-advisory"]}], "dateAssigned": "2023-12-20T14:45:49.384-06:00", "descriptions": [{"lang": "en", "value": "Voltronic Power ViewPower Pro Expression Language Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Voltronic Power ViewPower Pro. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the Struts2 dependency. The issue results from the use of a library that is vulnerable to expression language injection. An attacker can leverage this vulnerability to execute code in the context of LOCAL SERVICE. Was ZDI-CAN-22095."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-917", "description": "CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')"}]}], "providerMetadata": {"orgId": "99f1926a-a320-47d8-bbb5-42feb611262e", "shortName": "zdi", "dateUpdated": "2024-05-03T02:15:22.331Z"}}}, "cveMetadata": {"cveId": "CVE-2023-51593", "state": "PUBLISHED", "dateUpdated": "2024-08-02T22:40:32.588Z", "dateReserved": "2023-12-20T20:38:20.870Z", "assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e", "datePublished": "2024-05-03T02:15:22.331Z", "assignerShortName": "zdi"}, "dataVersion": "5.1"}

{"descriptions": [{"lang": "en", "value": "Voltronic Power ViewPower Pro Expression Language Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Voltronic Power ViewPower Pro. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the Struts2 dependency. The issue results from the use of a library that is vulnerable to expression language injection. An attacker can leverage this vulnerability to execute code in the context of LOCAL SERVICE. Was ZDI-CAN-22095."}, {"lang": "es", "value": "Vulnerabilidad de ejecuci\u00f3n remota de c\u00f3digo de inyecci\u00f3n de lenguaje de expresi\u00f3n Voltronic Power ViewPower Pro. Esta vulnerabilidad permite a atacantes remotos ejecutar c\u00f3digo arbitrario en instalaciones afectadas de Voltronic Power ViewPower Pro. No se requiere autenticaci\u00f3n para aprovechar esta vulnerabilidad. La falla espec\u00edfica existe dentro de la dependencia de Struts2. El problema se debe al uso de una librer\u00eda que es vulnerable a la inyecci\u00f3n de lenguaje de expresi\u00f3n. Un atacante puede aprovechar esta vulnerabilidad para ejecutar c\u00f3digo en el contexto de LOCAL SERVICE. Era ZDI-CAN-22095."}], "id": "CVE-2023-51593", "lastModified": "2024-11-21T08:38:27.030", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "zdi-disclosures@trendmicro.com", "type": "Secondary"}]}, "published": "2024-05-03T03:16:19.913", "references": [{"source": "zdi-disclosures@trendmicro.com", "url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1896/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1896/"}], "sourceIdentifier": "zdi-disclosures@trendmicro.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-917"}], "source": "zdi-disclosures@trendmicro.com", "type": "Secondary"}]}