CVE-2023-3263
7.5
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploitability: 3.9 / Impact: 3.6
Source: NVD
Description
The Dataprobe iBoot PDU running firmware version 1.43.03312023 or earlier is vulnerable to authentication bypass in the REST API due to the mishandling of special characters when parsing credentials. Successful exploitation allows the malicious agent to obtain a valid authorization token and read information relating to the state of the relays and power distribution.
Affected (22)
Products: Dataprobe: Iboot Pdu4a C10 Firmware, Iboot Pdu4a C20 Firmware, Iboot Pdu4a N15 Firmware, Iboot Pdu4a N20 Firmware, Iboot Pdu4 C20 Firmware, Iboot Pdu4 N20 Firmware, Iboot Pdu4sa C10 Firmware, Iboot Pdu4sa C20 Firmware, Iboot Pdu4sa N15 Firmware, Iboot Pdu4sa N20 Firmware, Iboot Pdu8a 2c10 Firmware, Iboot Pdu8a 2c20 Firmware, Iboot Pdu8a 2n15 Firmware, Iboot Pdu8a 2n20 Firmware, Iboot Pdu8a C10 Firmware, Iboot Pdu8a C20 Firmware, Iboot Pdu8a N15 Firmware, Iboot Pdu8a N20 Firmware, Iboot Pdu8sa 2n15 Firmware, Iboot Pdu8sa C10 Firmware, Iboot Pdu8sa N15 Firmware, Iboot Pdu8sa N20 Firmware
Configuration A
| Vulnerable Software | Affected Versions |
|---|---|
| Dataprobe Iboot Pdu4a C10 Firmware | Before 1.44.0804202 |

| Running on/with | Platform Versions |
|---|---|
| Dataprobe Iboot Pdu4a C10 | All versions |
Configuration B
| Vulnerable Software | Affected Versions |
|---|---|
| Dataprobe Iboot Pdu4a C20 Firmware | Before 1.44.0804202 |

| Running on/with | Platform Versions |
|---|---|
| Dataprobe Iboot Pdu4a C20 | All versions |
Configuration C
| Vulnerable Software | Affected Versions |
|---|---|
| Dataprobe Iboot Pdu4a N15 Firmware | Before 1.44.0804202 |

| Running on/with | Platform Versions |
|---|---|
| Dataprobe Iboot Pdu4a N15 | All versions |
Configuration D
| Vulnerable Software | Affected Versions |
|---|---|
| Dataprobe Iboot Pdu4a N20 Firmware | Before 1.44.0804202 |

| Running on/with | Platform Versions |
|---|---|
| Dataprobe Iboot Pdu4a N20 | All versions |
Configuration E
| Vulnerable Software | Affected Versions |
|---|---|
| Dataprobe Iboot Pdu4 C20 Firmware | Before 1.44.0804202 |

| Running on/with | Platform Versions |
|---|---|
| Dataprobe Iboot Pdu4 C20 | All versions |
Configuration F
| Vulnerable Software | Affected Versions |
|---|---|
| Dataprobe Iboot Pdu4 N20 Firmware | Before 1.44.0804202 |

| Running on/with | Platform Versions |
|---|---|
| Dataprobe Iboot Pdu4 N20 | All versions |
Configuration G
| Vulnerable Software | Affected Versions |
|---|---|
| Dataprobe Iboot Pdu4sa C10 Firmware | Before 1.44.0804202 |

| Running on/with | Platform Versions |
|---|---|
| Dataprobe Iboot Pdu4sa C10 | All versions |
Configuration H
| Vulnerable Software | Affected Versions |
|---|---|
| Dataprobe Iboot Pdu4sa C20 Firmware | Before 1.44.0804202 |

| Running on/with | Platform Versions |
|---|---|
| Dataprobe Iboot Pdu4sa C20 | All versions |
Configuration I
| Vulnerable Software | Affected Versions |
|---|---|
| Dataprobe Iboot Pdu4sa N15 Firmware | Before 1.44.0804202 |

| Running on/with | Platform Versions |
|---|---|
| Dataprobe Iboot Pdu4sa N15 | All versions |
Configuration J
| Vulnerable Software | Affected Versions |
|---|---|
| Dataprobe Iboot Pdu4sa N20 Firmware | Before 1.44.0804202 |

| Running on/with | Platform Versions |
|---|---|
| Dataprobe Iboot Pdu4sa N20 | All versions |
Configuration K
| Vulnerable Software | Affected Versions |
|---|---|
| Dataprobe Iboot Pdu8a 2c10 Firmware | Before 1.44.0804202 |

| Running on/with | Platform Versions |
|---|---|
| Dataprobe Iboot Pdu8a 2c10 | All versions |
Configuration L
| Vulnerable Software | Affected Versions |
|---|---|
| Dataprobe Iboot Pdu8a 2c20 Firmware | Before 1.44.0804202 |

| Running on/with | Platform Versions |
|---|---|
| Dataprobe Iboot Pdu8a 2c20 | All versions |
Configuration M
| Vulnerable Software | Affected Versions |
|---|---|
| Dataprobe Iboot Pdu8a 2n15 Firmware | Before 1.44.0804202 |

| Running on/with | Platform Versions |
|---|---|
| Dataprobe Iboot Pdu8a 2n15 | All versions |
Configuration N
| Vulnerable Software | Affected Versions |
|---|---|
| Dataprobe Iboot Pdu8a 2n20 Firmware | Before 1.44.0804202 |

| Running on/with | Platform Versions |
|---|---|
| Dataprobe Iboot Pdu8a 2n20 | All versions |
Configuration O
| Vulnerable Software | Affected Versions |
|---|---|
| Dataprobe Iboot Pdu8a C10 Firmware | Before 1.44.0804202 |

| Running on/with | Platform Versions |
|---|---|
| Dataprobe Iboot Pdu8a C10 | All versions |
Configuration P
| Vulnerable Software | Affected Versions |
|---|---|
| Dataprobe Iboot Pdu8a C20 Firmware | Before 1.44.0804202 |

| Running on/with | Platform Versions |
|---|---|
| Dataprobe Iboot Pdu8a C20 | All versions |
Configuration Q
| Vulnerable Software | Affected Versions |
|---|---|
| Dataprobe Iboot Pdu8a N15 Firmware | Before 1.44.0804202 |

| Running on/with | Platform Versions |
|---|---|
| Dataprobe Iboot Pdu8a N15 | All versions |
Configuration R
| Vulnerable Software | Affected Versions |
|---|---|
| Dataprobe Iboot Pdu8a N20 Firmware | Before 1.44.0804202 |

| Running on/with | Platform Versions |
|---|---|
| Dataprobe Iboot Pdu8a N20 | All versions |
Configuration S
| Vulnerable Software | Affected Versions |
|---|---|
| Dataprobe Iboot Pdu8sa 2n15 Firmware | Before 1.44.0804202 |

| Running on/with | Platform Versions |
|---|---|
| Dataprobe Iboot Pdu8sa 2n15 | All versions |
Configuration T
| Vulnerable Software | Affected Versions |
|---|---|
| Dataprobe Iboot Pdu8sa C10 Firmware | Before 1.44.0804202 |

| Running on/with | Platform Versions |
|---|---|
| Dataprobe Iboot Pdu8sa C10 | All versions |
Configuration U
| Vulnerable Software | Affected Versions |
|---|---|
| Dataprobe Iboot Pdu8sa N15 Firmware | Before 1.44.0804202 |

| Running on/with | Platform Versions |
|---|---|
| Dataprobe Iboot Pdu8sa N15 | All versions |
Configuration V
| Vulnerable Software | Affected Versions |
|---|---|
| Dataprobe Iboot Pdu8sa N20 Firmware | Before 1.44.0804202 |

| Running on/with | Platform Versions |
|---|---|
| Dataprobe Iboot Pdu8sa N20 | All versions |
Related CWEs
CWE-287
Improper Authentication
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
CWE-289
Authentication Bypass by Alternate Name
The product performs authentication based on the name of a resource being accessed, or the name of the actor performing the access, but it does not properly check all possible names for that resource or actor.
References (2)
Source: trellixpsirt@trellix.com
Vendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Vendor Advisory
Timeline
No history available yet.