CVE-2023-22597

Published: Jan 12, 2023Modified: Nov 21, 2024

5.9

Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploitability: 2.2 / Impact: 3.6

Source: NVD

Description

InHand Networks InRouter 302, prior to version IR302 V3.5.56, and InRouter 615, prior to version InRouter6XX-S-V2.3.0.r5542, contain vulnerability CWE-319: Cleartext Transmission of Sensitive Information. They use an unsecured channel to communicate with the cloud platform by default. An unauthorized user could intercept this communication and steal sensitive information such as configuration information and MQTT credentials; this could allow MQTT command injection.

Affected (2)

Products: Inhandnetworks: Inrouter302 Firmware, Inrouter615 S Firmware

2 products

Inrouter302 Firmware

Inrouter615 S Firmware

Configuration A

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Inhandnetworks Inrouter302 Firmware	Before 3.5.56

Running on/with	Platform Versions
Inhandnetworks Inrouter302	All versions

Configuration B

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Inhandnetworks Inrouter615 S Firmware	Before 2.3.0.r5542

Running on/with	Platform Versions
Inhandnetworks Inrouter615 S	All versions

Related CWEs

Cleartext Transmission of Sensitive Information

The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.

References (2)

https://www.cisa.gov/uscert/ics/advisories/icsa-23-012-03

Source: ics-cert@hq.dhs.gov

Third Party AdvisoryUS Government Resource

https://www.cisa.gov/uscert/ics/advisories/icsa-23-012-03

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party AdvisoryUS Government Resource

Timeline

No history available yet.