CVE-2023-28395 — HIGH (8.3)

Vulnerability Description

Osprey Pump Controller version 1.01 is vulnerable to a weak session token generation algorithm that can be predicted and can aid in authentication and authorization bypass. This may allow an attacker to hijack a session by predicting the session id and gain unauthorized access to the product.

CVSS Score

8.3

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

LOW

Affected Products

Vendor	Product	Versions
Propumpservice	Osprey Pump Controller Firmware	1.01
Propumpservice	Osprey Pump Controller	-

Related Weaknesses (CWE)

CWE-338

References

https://www.cisa.gov/news-events/ics-advisories/icsa-23-082-06Third Party AdvisoryUS Government Resource
https://www.cisa.gov/news-events/ics-advisories/icsa-23-082-06Third Party AdvisoryUS Government Resource

FAQ

What is CVE-2023-28395?

CVE-2023-28395 is a vulnerability with a CVSS score of 8.3 (HIGH). Osprey Pump Controller version 1.01 is vulnerable to a weak session token generation algorithm that can be predicted and can aid in authentication and authorization bypass. This may allow an attacker ...

How severe is CVE-2023-28395?

CVE-2023-28395 has been rated HIGH with a CVSS base score of 8.3/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2023-28395?

Check the references section above for vendor advisories and patch information. Affected products include: Propumpservice Osprey Pump Controller Firmware, Propumpservice Osprey Pump Controller.