CVE-2023-41967 (GCVE-0-2023-41967)
Vulnerability from cvelistv5
Published
2023-12-18 22:00
Modified
2024-08-02 19:09
Severity ?
2.4 (Low) - CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CWE
  • CWE-1272 - Sensitive Information Uncleared Before Debug/Power State Transition
Summary
Sensitive information uncleared after debug/power state transition in the Controller 6000 could be abused by an attacker with knowledge of the Controller's default diagnostic password and physical access to the Controller to view its configuration through the diagnostic web pages. This issue affects: Gallagher Controller 6000 8.70 prior to vCR8.70.231204a (distributed in 8.70.2375 (MR5)), v8.60 or earlier.
References
Impacted products
Vendor Product Version
Gallagher Controller 6000 Version: 0   <
Version: 8.70   < vCR8.70.231204a
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T19:09:49.372Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.gallagher.com/Security-Advisories/CVE-2023-41967"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Controller 6000",
          "vendor": "Gallagher",
          "versions": [
            {
              "lessThanOrEqual": "8.60",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            },
            {
              "lessThan": "vCR8.70.231204a",
              "status": "affected",
              "version": "8.70",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eSensitive information uncleared after debug/power state transition in the Controller 6000 could be abused by an attacker with knowledge of the Controller\u0027s default diagnostic password and physical access to the Controller to view its configuration through the diagnostic web pages. \u003cbr\u003e\u003cbr\u003eThis issue affects: Gallagher Controller 6000 \u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e8.70 prior to vCR8.70.231204a (distributed in 8.70.2375 (MR5)), \u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ev8.60 or earlier.\u003c/span\u003e\n\n\u003cbr\u003e"
            }
          ],
          "value": "\nSensitive information uncleared after debug/power state transition in the Controller 6000 could be abused by an attacker with knowledge of the Controller\u0027s default diagnostic password and physical access to the Controller to view its configuration through the diagnostic web pages. \n\nThis issue affects: Gallagher Controller 6000 8.70 prior to vCR8.70.231204a (distributed in 8.70.2375 (MR5)), v8.60 or earlier.\n\n\n"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "PHYSICAL",
            "availabilityImpact": "NONE",
            "baseScore": 2.4,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1272",
              "description": "CWE-1272: Sensitive Information Uncleared Before Debug/Power State Transition",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-12-18T22:00:38.751Z",
        "orgId": "0c426f27-3ee1-4eff-be88-288d5a1822bc",
        "shortName": "Gallagher"
      },
      "references": [
        {
          "url": "https://security.gallagher.com/Security-Advisories/CVE-2023-41967"
        }
      ],
      "source": {
        "discovery": "INTERNAL"
      },
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "0c426f27-3ee1-4eff-be88-288d5a1822bc",
    "assignerShortName": "Gallagher",
    "cveId": "CVE-2023-41967",
    "datePublished": "2023-12-18T22:00:38.751Z",
    "dateReserved": "2023-11-01T22:24:52.305Z",
    "dateUpdated": "2024-08-02T19:09:49.372Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-41967\",\"sourceIdentifier\":\"disclosures@gallagher.com\",\"published\":\"2023-12-18T22:15:08.770\",\"lastModified\":\"2024-11-21T08:22:00.680\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"\\nSensitive information uncleared after debug/power state transition in the Controller 6000 could be abused by an attacker with knowledge of the Controller\u0027s default diagnostic password and physical access to the Controller to view its configuration through the diagnostic web pages. \\n\\nThis issue affects: Gallagher Controller 6000 8.70 prior to vCR8.70.231204a (distributed in 8.70.2375 (MR5)), v8.60 or earlier.\\n\\n\\n\"},{\"lang\":\"es\",\"value\":\"Un atacante con conocimiento de la contrase\u00f1a de diagn\u00f3stico predeterminada de Controller 6000 y acceso f\u00edsico al Controlador para ver su configuraci\u00f3n a trav\u00e9s de las p\u00e1ginas web de diagn\u00f3stico podr\u00eda abusar de la informaci\u00f3n confidencial no borrada despu\u00e9s de la transici\u00f3n del estado de depuraci\u00f3n/encendido en el Controlador. Este problema afecta a: Gallagher Controller 6000 8.70 anterior a vCR8.70.231204a (distribuido en 8.70.2375 (MR5)), v8.60 o anterior.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"disclosures@gallagher.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\",\"baseScore\":2.4,\"baseSeverity\":\"LOW\",\"attackVector\":\"PHYSICAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":0.9,\"impactScore\":1.4},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":4.6,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"PHYSICAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":0.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"disclosures@gallagher.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-1272\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-212\"}]}],\"configurations\":[{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:gallagher:controller_6000_firmware:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"8.60\",\"matchCriteriaId\":\"E5B756DF-6D8A-4B89-9DAB-3EBD00C75E3A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:gallagher:controller_6000_firmware:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"8.70\",\"versionEndExcluding\":\"8.70.231204a\",\"matchCriteriaId\":\"30EEB0FF-D2F2-47DA-9666-6532730B195F\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:gallagher:controller_6000:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"5AF2B03B-B033-439F-8CEE-334FA8053278\"}]}]}],\"references\":[{\"url\":\"https://security.gallagher.com/Security-Advisories/CVE-2023-41967\",\"source\":\"disclosures@gallagher.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://security.gallagher.com/Security-Advisories/CVE-2023-41967\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.