Details of VAR-202303-1316

ID

VAR-202303-1316

CVE

CVE-2023-0598

TITLE

GE iFIX Code injection vulnerability

Trust: 0.6

sources: CNNVD: CNNVD-202303-1247

DESCRIPTION

GE Digital Proficy iFIX 2022, GE Digital Proficy iFIX v6.1, and GE Digital Proficy iFIX v6.5 are vulnerable to code injection, which may allow an attacker to insert malicious configuration files in the expected web server execution path and gain full control of the HMI software

Trust: 0.99

sources: NVD: CVE-2023-0598 // VULMON: CVE-2023-0598

AFFECTED PRODUCTS

vendor:	ge	model:	ifix	scope:	eq	version:	6.5	Trust: 1.0
vendor:	ge	model:	ifix	scope:	eq	version:	2022	Trust: 1.0
vendor:	ge	model:	ifix	scope:	eq	version:	6.1	Trust: 1.0

sources: NVD: CVE-2023-0598

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2023-0598
value:	CRITICAL
Trust: 1.0
ics-cert@hq.dhs.gov:	CVE-2023-0598
value:	HIGH
Trust: 1.0
CNNVD:	CNNVD-202303-1247
value:	CRITICAL
Trust: 0.6

nvd@nist.gov:	CVE-2023-0598
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	5.9
version:	3.1
Trust: 1.0
ics-cert@hq.dhs.gov:	CVE-2023-0598
baseSeverity:	HIGH
baseScore:	7.8
vectorString:	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	1.8
impactScore:	5.9
version:	3.1
Trust: 1.0

sources: CNNVD: CNNVD-202303-1247 // NVD: CVE-2023-0598 // NVD: CVE-2023-0598

PROBLEMTYPE DATA

problemtype:

CWE-94

Trust: 1.0

sources: NVD: CVE-2023-0598

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202303-1247

TYPE

code injection

Trust: 0.6

sources: CNNVD: CNNVD-202303-1247

EXTERNAL IDS

db:	ICS CERT	id:	ICSA-23-073-03	Trust: 1.7
db:	NVD	id:	CVE-2023-0598	Trust: 1.7
db:	AUSCERT	id:	ESB-2023.1564	Trust: 0.6
db:	CNNVD	id:	CNNVD-202303-1247	Trust: 0.6
db:	VULMON	id:	CVE-2023-0598	Trust: 0.1

sources: VULMON: CVE-2023-0598 // CNNVD: CNNVD-202303-1247 // NVD: CVE-2023-0598

REFERENCES

url:	https://digitalsupport.ge.com/s/article/ifix-secure-deployment-guide?language=en_us	Trust: 1.7
url:	https://www.cisa.gov/news-events/ics-advisories/icsa-23-073-03	Trust: 1.7
url:	https://www.auscert.org.au/bulletins/esb-2023.1564	Trust: 0.6
url:	https://cxsecurity.com/cveshow/cve-2023-0598/	Trust: 0.6
url:	https://cwe.mitre.org/data/definitions/94.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: VULMON: CVE-2023-0598 // CNNVD: CNNVD-202303-1247 // NVD: CVE-2023-0598

SOURCES

db:	VULMON	id:	CVE-2023-0598
db:	CNNVD	id:	CNNVD-202303-1247
db:	NVD	id:	CVE-2023-0598

LAST UPDATE DATE

2024-08-14T15:10:59.678000+00:00

SOURCES UPDATE DATE

db:	VULMON	id:	CVE-2023-0598	date:	2023-03-17T00:00:00
db:	CNNVD	id:	CNNVD-202303-1247	date:	2023-03-24T00:00:00
db:	NVD	id:	CVE-2023-0598	date:	2023-11-07T04:00:56.850

SOURCES RELEASE DATE

db:	VULMON	id:	CVE-2023-0598	date:	2023-03-16T00:00:00
db:	CNNVD	id:	CNNVD-202303-1247	date:	2023-03-15T00:00:00
db:	NVD	id:	CVE-2023-0598	date:	2023-03-16T20:15:11.327