Vulnerability Details : CVE-2023-26150
Versions of the package asyncua before 0.9.96 are vulnerable to Improper Authentication such that it is possible to access Address Space without encryption and authentication.
**Note:**
This issue is a result of missing checks for services that require an active session.
Vulnerability category: Bypass, Gain privilege
Products affected by CVE-2023-26150
- cpe:2.3:a:freeopcua:opcua-asyncio:*:*:*:*:*:python:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-26150
- EPSS score: 0.13% (probability of exploitation activity in the next 30 days)
- Percentile: ~49% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2023-26150
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 3.9 | 3.6 | NIST | |
6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N | 3.9 | 2.5 | Snyk | |
CWE ids for CVE-2023-26150
- When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. Assigned by: nvd@nist.gov (Primary)
References for CVE-2023-26150
- https://github.com/FreeOpcUa/opcua-asyncio/commit/b4106dfd5037423c9d1810b48a97296b59cde513
  check if session is active · FreeOpcUa/opcua-asyncio@b4106df · GitHub (Patch)
- https://github.com/FreeOpcUa/opcua-asyncio/releases/tag/v0.9.96
  Release v0.9.96 · FreeOpcUa/opcua-asyncio · GitHub (Product; Release Notes)
- https://security.snyk.io/vuln/SNYK-PYTHON-ASYNCUA-5673435
  Improper Authentication in asyncua | CVE-2023-26150 | Snyk (Exploit; Patch; Third Party Advisory)
- https://github.com/FreeOpcUa/opcua-asyncio/issues/1014
  Illegal access to Address Space · Issue #1014 · FreeOpcUa/opcua-asyncio · GitHub (Exploit; Issue Tracking; Third Party Advisory)
- https://github.com/FreeOpcUa/opcua-asyncio/pull/1015
  check if session is activated by schroeder- · Pull Request #1015 · FreeOpcUa/opcua-asyncio · GitHub (Patch)
- https://github.com/FreeOpcUa/opcua-asyncio/commit/2be7ce80df05de8d6c6ae1ebce6fa2bb7147844a
  Revert "releax test_secure_channel_key_expiration test" · FreeOpcUa/opcua-asyncio@2be7ce8 · GitHub (Patch)
- https://gist.github.com/artfire52/84f7279a4119d6f90381ac49d7121121
  illegal access to address space · GitHub (Exploit; Third Party Advisory)