Vulnerability Details: CVE-2023-5719
The Crimson 3.2 Windows-based configuration tool allows users with administrative access to define new passwords for users and to download the resulting security configuration to a device. If such a password contains the percent (%) character, invalid values will be included, potentially truncating the string if a NUL is encountered. If the simplified password is not detected by the administrator, the device might be left in a vulnerable state as a result of more-easily compromised credentials. Note that passwords entered via the Crimson system web server do not suffer from this vulnerability.
Products affected by CVE-2023-5719
- cpe:2.3:a:redlion:crimson:*:*:*:*:*:*:*:*
- cpe:2.3:a:redlion:crimson:3.2:build_3.2.0044.0:*:*:*:*:*:*
- cpe:2.3:a:redlion:crimson:3.2:build_3.2.0041.0:*:*:*:*:*:*
- cpe:2.3:a:redlion:crimson:3.2:build_3.2.0040.0:*:*:*:*:*:*
- cpe:2.3:a:redlion:crimson:3.2:build_3.2.0036.0:*:*:*:*:*:*
- cpe:2.3:a:redlion:crimson:3.2:build_3.2.0031.0:*:*:*:*:*:*
- cpe:2.3:a:redlion:crimson:3.2:build_3.2.0035.0:*:*:*:*:*:*
- cpe:2.3:a:redlion:crimson:3.2:build_3.2.0030.0:*:*:*:*:*:*
- cpe:2.3:a:redlion:crimson:3.2:build_3.2.0025.0:*:*:*:*:*:*
- cpe:2.3:a:redlion:crimson:3.2:build_3.2.0026.0:*:*:*:*:*:*
- cpe:2.3:a:redlion:crimson:3.2:build_3.2.0021.0:*:*:*:*:*:*
- cpe:2.3:a:redlion:crimson:3.2:build_3.2.0020.0:*:*:*:*:*:*
- cpe:2.3:a:redlion:crimson:3.2:build_3.2.0016.0:*:*:*:*:*:*
- cpe:2.3:a:redlion:crimson:3.2:build_3.2.0015.0:*:*:*:*:*:*
- cpe:2.3:a:redlion:crimson:3.2:build_3.2.0014.0:*:*:*:*:*:*
- cpe:2.3:a:redlion:crimson:3.2:build_3.2.0008.0:*:*:*:*:*:*
- cpe:2.3:a:redlion:crimson:3.2:build_3.2.0047.0:*:*:*:*:*:*
- cpe:2.3:a:redlion:crimson:3.2:build_3.2.0050.0:*:*:*:*:*:*
- cpe:2.3:a:redlion:crimson:3.2:build_3.2.0051.0:*:*:*:*:*:*
- cpe:2.3:a:redlion:crimson:3.2:build_3.2.0053.0:*:*:*:*:*:*
- cpe:2.3:a:redlion:crimson:3.2:build_3.2.0053.1:*:*:*:*:*:*
- cpe:2.3:a:redlion:crimson:3.2:build_3.2.0053.18:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-5719
- 0.23%: Probability of exploitation activity in the next 30 days
- ~ 60%: Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2023-5719
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | 2.8 | 5.9 | ICS-CERT | |
9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | NIST | |
CWE ids for CVE-2023-5719
- The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes NUL characters or null bytes when they are sent to a downstream component. Assigned by: ics-cert@hq.dhs.gov (Secondary)
References for CVE-2023-5719
- https://support.redlion.net/hc/en-us/categories/360002087671-Security-Advisories
  Security Advisories – Red Lion Support (Vendor Advisory)
- https://www.cisa.gov/news-events/ics-advisories/icsa-23-306-01
  Red Lion Crimson | CISA (Third Party Advisory; US Government Resource)