CVE-2023-46723

lte-pic32-writer is a writer for PIC32 devices. In versions 0.0.1 and prior, those who use `sendto.txt` are vulnerable to attackers who known the IMEI reading the sendto.txt. The sendto.txt file can contain the SNS(such as slack and zulip) URL and API key. As of time of publication, a patch is not yet available. As workarounds, avoid using `sendto.txt` or use `.htaccess` to block access to `sendto.txt`.

CVSS v3 8.9 HIGH

8.9^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.2 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact LOW

Scope CHANGED

References

Link	Resource
https://github.com/paijp/lte-pic32-writer/security/advisories/GHSA-9qgg-ph2v-v4mh	Vendor Advisory
https://github.com/paijp/lte-pic32-writer/security/advisories/GHSA-9qgg-ph2v-v4mh	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:pajip:lte-pic32-writer:*:*:*:*:*:*:*:*

History

21 Nov 2024, 08:29

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~7.5~~	v2 : unknown v3 : 8.9
References	~~() https://github.com/paijp/lte-pic32-writer/security/advisories/GHSA-9qgg-ph2v-v4mh - Vendor Advisory~~	() https://github.com/paijp/lte-pic32-writer/security/advisories/GHSA-9qgg-ph2v-v4mh - Vendor Advisory

08 Nov 2023, 17:54

Type	Values Removed	Values Added
First Time		Pajip lte-pic32-writer Pajip
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.5
References	~~(MISC) https://github.com/paijp/lte-pic32-writer/security/advisories/GHSA-9qgg-ph2v-v4mh -~~	(MISC) https://github.com/paijp/lte-pic32-writer/security/advisories/GHSA-9qgg-ph2v-v4mh - Vendor Advisory
CPE		cpe:2.3:a:pajip:lte-pic32-writer::::::::
CWE	~~CWE-538~~	NVD-CWE-noinfo

31 Oct 2023, 17:07

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-10-31 16:15

Updated : 2024-11-21 08:29

NVD link : CVE-2023-46723

Mitre link : CVE-2023-46723

CVE.ORG link : CVE-2023-46723

JSON object : View

Products Affected

pajip

lte-pic32-writer

CWE

CWE-538

Insertion of Sensitive Information into Externally-Accessible File or Directory

NVD-CWE-noinfo

{"id": "CVE-2023-46723", "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.9, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 2.2}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2023-10-31T16:15:10.233", "references": [{"url": "https://github.com/paijp/lte-pic32-writer/security/advisories/GHSA-9qgg-ph2v-v4mh", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/paijp/lte-pic32-writer/security/advisories/GHSA-9qgg-ph2v-v4mh", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-538"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "lte-pic32-writer is a writer for PIC32 devices. In versions 0.0.1 and prior, those who use `sendto.txt` are vulnerable to attackers who known the IMEI reading the sendto.txt. The sendto.txt file can contain the SNS(such as slack and zulip) URL and API key. As of time of publication, a patch is not yet available. As workarounds, avoid using `sendto.txt` or use `.htaccess` to block access to `sendto.txt`."}, {"lang": "es", "value": "lte-pic32-writer es un escritor para dispositivos PIC32. En las versiones 0.0.1 y anteriores, quienes usan `sendto.txt` son vulnerables a los atacantes que conocen el IMEI al leer el sendto.txt. El archivo sendto.txt puede contener la URL SNS (como slack y zulip) y la clave API. Al momento de la publicaci\u00f3n, a\u00fan no hay ning\u00fan parche disponible. Como workarounds, evite usar `sendto.txt` o use `.htaccess` para bloquear el acceso a `sendto.txt`."}], "lastModified": "2024-11-21T08:29:09.297", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:pajip:lte-pic32-writer:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1F94643F-9864-43BF-90F7-395B0920146C", "versionEndExcluding": "0.0.3"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}