CVE-2023-37482Observable Discrepancy in Siemens Simatic Drive Controller CPU 1504d TF

CWE-203Observable Discrepancy3 documents3 sources
Severity
6.9MEDIUMNVD
EPSS
0.1%
top 67.08%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
92
Siemens Simatic Drive Controller CPU 1504d TFSiemens Simatic Drive Controller CPU 1507d TFSiemens Simatic ET 200sp CPU 1510sp-1 PN+89 more
Timeline
PublishedFeb 11

Description

The login functionality of the web server in affected devices does not normalize the response times of login attempts. An unauthenticated remote attacker could exploit this side-channel information to distinguish between valid and invalid usernames.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Affected Packages92 packages

CVEListV5siemens/simatic_s7-plcsim_advancedV6.0V7.0
CVEListV5siemens/simatic_s7-1500_cpu_1511-1_pnV3.1.0V3.1.2
CVEListV5siemens/simatic_s7-1500_cpu_1513-1_pnV3.1.0V3.1.2
CVEListV5siemens/simatic_s7-1500_cpu_1515-2_pnV3.1.0V3.1.2
CVEListV5siemens/siplus_s7-1500_cpu_1517h-3_pnV3.1.0V3.1.2

🔴Vulnerability Details

2
GHSA
GHSA-p6r5-883m-2c48: The login functionality of the web server in affected devices does not normalize the response times of login attempts2025-02-11
CVEList
CVE-2023-37482: The login functionality of the web server in affected devices does not normalize the response times of login attempts2025-02-11
CVE-2023-37482 — Observable Discrepancy in Siemens | cvebase