1. EXECUTIVE SUMMARY
- CVSS v3 7.5
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: AVEVA
- Equipment: PI Server
- Vulnerabilities: Improper Check or Handling of Exceptional Conditions, Missing Release of Resource after Effective Lifetime
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to crash the product being accessed or throttle the memory leading to a partial denial-of-service condition.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of AVEVA PI Server, are affected:
- PI Server: 2023
- PI Server: 2018 SP3 P05 and prior
3.2 Vulnerability Overview
3.2.1 IMPROPER CHECK OR HANDLING OF EXCEPTIONAL CONDITIONS CWE-703
AVEVA PI Server versions 2023 and 2018 SP3 P05 and prior contain a vulnerability that could allow an unauthenticated user to remotely crash the PI Message Subsystem of a PI Server, resulting in a denial-of-service condition.
CVE-2023-34348 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
3.2.2 MISSING RELEASE OF RESOURCE AFTER EFFECTIVE LIFETIME CWE-772
AVEVA PI Server versions 2023 and 2018 SP3 P05 and prior contain a vulnerability that could allow an unauthenticated user to cause the PI Message Subsystem of a PI Server to consume available memory resulting in throttled processing of new PI Data Archive events and a partial denial-of-service condition.
CVE-2023-31274 has been assigned to this vulnerability. A CV
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
Read the original article: