CVE-2023-39943
Published 2025-02-04. CVE-2023-39943: In Ashlar-Vellum Cobalt versions prior to v12 SP2 Build (1204.200), the affected application lacks proper validation of user-supplied data when parsing XE…
Priority: P3 | 40 | high | 7.8 (CVSS 3.1)
CVSS 3.1 vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 0.20% (9.5th percentile)
In Ashlar-Vellum Cobalt versions prior to v12 SP2 Build (1204.200), the affected application lacks proper validation of user-supplied data when parsing XE files. This could lead to an out-of-bounds write. An attacker could leverage this vulnerability to execute arbitrary code in the context of the current process.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ashlar-vellum | argon | < v12 SP2 Build (1204.200) | v12 SP2 Build (1204.200) |
| ashlar-vellum | cobalt | < v12 SP2 Build (1204.200) | v12 SP2 Build (1204.200) |
| ashlar-vellum | cobalt_share | < v12 SP2 Build (1204.200) | v12 SP2 Build (1204.200) |
| ashlar-vellum | lithium | < v12 SP2 Build (1204.200) | v12 SP2 Build (1204.200) |
| ashlar-vellum | xenon | < v12 SP2 Build (1204.200) | v12 SP2 Build (1204.200) |
| ashlar | cobalt | < 12.4.1204.200 | 12.4.1204.200 |
CVSS provenance
NVD, CVSS v3.1: 7.8 HIGH, CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
NVD, CVSS v4.0: 8.4 HIGH, CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CISA ICS
Ashlar-Vellum Cobalt, Graphite, Xenon, Argon, Lithium (Update A)
cisa_ics·2025-02-04·CVSS 7.8
ICS Advisory
Ashlar-Vellum Cobalt, Graphite, Xenon, Argon, Lithium (Update A)
Last Revised: February 04, 2025
Alert Code: ICSA-23-299-03
Related topics:
Industrial Control System Vulnerabilities, Industrial Control Systems
## 1. EXECUTIVE SUMMARY
- CVSS v4 8.4
- ATTENTION: Low attack complexity
- Vendor: Ashlar-Vellum
- Equipment: Cobalt, Graphite, Xenon, Argon, Lithium, and Cobalt Share
- Vulnerabilities: Out-of-bounds Write, Heap-based Buffer Overflow, Out-of-Bounds Read
## 2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary code.
## 3. TECHNICAL DETAILS
## 3.1 AFFECTED PRODUCTS
The following Ashlar-Vellum products are affected:
- Cobalt: Versions prior to v12 SP2 Build (1204.20
GHSA
GHSA-c2c9-4ffg-xh97 (ghsa_unreviewed, 2025-02-05) for CVE-2023-39943 [HIGH] CWE-787: In Ashlar-Vellum Cobalt versions prior to v12 SP2 Build (1204
In Ashlar-Vellum Cobalt versions prior to v12 SP2 Build (1204.200), the affected application lacks proper validation of user-supplied data when parsing XE files. This could lead to an out-of-bounds write. An attacker could leverage this vulnerability to execute arbitrary code in the context of the current process.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2025-02-04