CVE-2023-0636

EUVD-2023-12670

05.06.2023, 04:15

Improper Input Validation vulnerability in ABB Ltd. ASPECT®-Enterprise on ASPECT®-Enterprise, Linux (2CQG103201S3021, 2CQG103202S3021, 2CQG103203S3021, 2CQG103204S3021 modules), ABB Ltd. NEXUS Series on NEXUS Series, Linux (2CQG100102R2021, 2CQG100104R2021, 2CQG100105R2021, 2CQG100106R2021, 2CQG100110R2021, 2CQG100112R2021, 2CQG100103R2021, 2CQG100107R2021, 2CQG100108R2021, 2CQG100109R2021, 2CQG100111R2021, 2CQG100113R2021 modules), ABB Ltd. MATRIX Series on MATRIX Series, Linux (2CQG100102R1021, 2CQG100103R1021, 2CQG100104R1021, 2CQG100105R1021, 2CQG100106R1021 modules) allows Command Injection.This issue affects ASPECT®-Enterprise: from 3.0;0 before 3.07.0; NEXUS Series: from 3.0;0 before 3.07.0; MATRIX Series: from 3.0;0 before 3.07.1.

Command Injection

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	7.2 HIGH	NETWORK	LOW	HIGH	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
ABB	CNA	7.2 HIGH	NETWORK	LOW	HIGH	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 49%

Affected Products (NVD)

Vendor	Product	Version
abb	aspect-ent-2_firmware	3.0.0 ≤ 𝑥 < 3.07.01
abb	aspect-ent-12_firmware	3.0.0 ≤ 𝑥 < 3.07.01
abb	aspect-ent-256_firmware	3.0.0 ≤ 𝑥 < 3.07.01
abb	aspect-ent-96_firmware	3.0.0 ≤ 𝑥 < 3.07.01
abb	nexus-2128_firmware	3.0.0 ≤ 𝑥 < 3.07.01
abb	nexus-2128-a_firmware	3.0.0 ≤ 𝑥 < 3.07.01
abb	nexus-2128-g_firmware	3.0.0 ≤ 𝑥 < 3.07.01
abb	nexus-2128-f_firmware	3.0.0 ≤ 𝑥 < 3.07.01
abb	nexus-3-2128_firmware	3.0.0 ≤ 𝑥 < 3.07.01
abb	nexus-3-264_firmware	3.0.0 ≤ 𝑥 < 3.07.01
abb	nexus-264_firmware	3.0.0 ≤ 𝑥 < 3.07.01
abb	nexus-264-a_firmware	3.0.0 ≤ 𝑥 < 3.07.01
abb	nexus-264-g_firmware	3.0.0 ≤ 𝑥 < 3.07.01
abb	nexus-264-f_firmware	3.0.0 ≤ 𝑥 < 3.07.01
abb	matrix-216_firmware	3.0.0 ≤ 𝑥 < 3.07.01
abb	matrix-232_firmware	3.0.0 ≤ 𝑥 < 3.07.01
abb	matrix-296_firmware	3.0.0 ≤ 𝑥 < 3.07.01
abb	matrix-264_firmware	3.0.0 ≤ 𝑥 < 3.07.01
abb	matrix-11_firmware	3.0.0 ≤ 𝑥 < 3.07.01

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')
The software constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

References

https://search.abb.com/library/Download.aspx?DocumentID=2CKA000073B5403&LanguageCode=en&DocumentPartId=&Action=Launch