Vulnerability Details : CVE-2023-4088
Incorrect Default Permissions vulnerability in Mitsubishi Electric Corporation multiple FA engineering software products allows a malicious local attacker to execute a malicious code, resulting in information disclosure, tampering with and deletion, or a denial-of-service (DoS) condition, if the product is installed in a folder other than the default installation folder.
Vulnerability category: Denial of serviceInformation leak
Products affected by CVE-2023-4088
- cpe:2.3:a:mitsubishielectric:gx_works3:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-4088
0.03%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 8 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2023-4088
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
9.3
|
CRITICAL | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
2.5
|
6.0
|
Mitsubishi Electric Corporation | |
|
7.8
|
HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
1.8
|
5.9
|
NIST |
CWE ids for CVE-2023-4088
-
During installation, installed file permissions are set to allow anyone to modify those files.Assigned by:
- Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp (Secondary)
- nvd@nist.gov (Primary)
References for CVE-2023-4088
-
https://www.cisa.gov/news-events/ics-advisories/icsa-23-269-03
Mitsubishi Electric FA Engineering Software | CISA
-
https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2023-010_en.pdf
Vendor Advisory
-
https://jvn.jp/vu/JVNVU96447193/index.html
JVNVU#96447193: 三菱電機製複数のFAエンジニアリングソフトウェア製品におけるインストール時の不適切なファイルアクセス権設定の脆弱性
Jump to