CVE-2023-29411 — Missing Authentication for Critical Function in APC Easy UPS Online Monitoring Software

CWE-306 — Missing Authentication for Critical Function3 documents3 sources

Severity

9.8CRITICALNVD

EPSS

8.3%

top 7.76%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Schneider-electric APC Easy UPS Online Monitoring Software Schneider-electric Easy UPS Online Monitoring Software

Timeline

PublishedApr 18

Description

A CWE-306: Missing Authentication for Critical Function vulnerability exists that could allow changes to administrative credentials, leading to potential remote code execution without requiring prior authentication on the Java RMI interface.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

▶NVDschneider-electric/easy_ups_online_monitoring_software2.5-gs-01-22320

▶NVDschneider-electric/apc_easy_ups_online_monitoring_software2.5-ga-01-22320

Patches

Patch: download.schneider-electric.com ↗Patch: download.schneider-electric.com ↗

🔴Vulnerability Details

GHSA

GHSA-qq2v-qm3v-4375: A CWE-306: Missing Authentication for Critical Function vulnerability exists that could allow changes to administrative credentials, leading to potent↗2023-04-18

▶

CVEList

CVE-2023-29411: A CWE-306: Missing Authentication for Critical Function vulnerability exists that could allow changes to administrative credentials, leading to potent↗2023-04-18

▶