CVE-2023-22439

18.12.2023, 22:15

Improper input validation of a large HTTP request in the Controller 6000 and Controller 7000optionaldiagnostic web interface (Port 80)can be used to perform a Denial of Service of the diagnostic web interface.

This issue affects: Gallagher Controller 6000 and 7000 8.90 prior to vCR8.90.231204a (distributed in 8.90.1620 (MR2)), 8.80 prior to vCR8.80.231204a (distributed in 8.80.1369 (MR3)), 8.70 prior to vCR8.70.231204a (distributed in 8.70.2375 (MR5)), 8.60 prior to vCR8.60.231116a (distributed in 8.60.2550 (MR7)), all versions of 8.50 and prior.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	3.1 LOW	NETWORK	HIGH	NONE	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L
Gallagher	CNA	3.1 LOW	NETWORK	HIGH	NONE	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 19%

Vendor	Product	Version
gallagher	controller_6000_firmware	𝑥 ≤ 8.50
gallagher	controller_6000_firmware	8.60 ≤ 𝑥 < 8.60.231116a
gallagher	controller_6000_firmware	8.70 ≤ 𝑥 < 8.70.231204a
gallagher	controller_6000_firmware	8.80 ≤ 𝑥 < 8.80.231204a
gallagher	controller_6000_firmware	8.90 ≤ 𝑥 < 8.90.231204a
gallagher	command_centre	𝑥 ≤ 8.50
gallagher	command_centre	8.60 ≤ 𝑥 < 8.60.231116a
gallagher	command_centre	8.70 ≤ 𝑥 < 8.70.231204a
gallagher	command_centre	8.80 ≤ 𝑥 < 8.80.231204a
gallagher	command_centre	8.90 ≤ 𝑥 < 8.90.231204a

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-20 - Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

References

https://security.gallagher.com/Security-Advisories/CVE-2023-22439