CVE-2023-41185 – Unified Automation UaGateway Certificate Parsing Integer Overflow Denial-of-Service Vulnerability
https://notcve.org/view.php?id=CVE-2023-41185
Unified Automation UaGateway Certificate Parsing Integer Overflow Denial-of-Service Vulnerability. This vulnerability allows remote attackers to create a denial-of-service condition on affected installations of Unified Automation UaGateway. Authentication is not required to exploit this vulnerability. The specific flaw exists within the processing of client certificates. When parsing the certificate length field, the process does not properly validate user-supplied data, which can result in an integer overflow. An attacker can leverage this vulnerability to create a denial-of-service condition on the system. • https://www.zerodayinitiative.com/advisories/ZDI-23-1286 • CWE-190: Integer Overflow or Wraparound
CVE-2023-32172 – Unified Automation UaGateway OPC UA Server Use-After-Free Denial-of-Service Vulnerability
https://notcve.org/view.php?id=CVE-2023-32172
Unified Automation UaGateway OPC UA Server Use-After-Free Denial-of-Service Vulnerability. This vulnerability allows remote attackers to create a denial-of-service condition on affected installations of Unified Automation UaGateway. Authentication is required to exploit this vulnerability. The specific flaw exists within the implementation of the ImportXML function. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to create a denial-of-service condition on the system. • https://documentation.unified-automation.com/uagateway/1.5.14/CHANGELOG.txt • https://www.zerodayinitiative.com/advisories/ZDI-23-777 • CWE-416: Use After Free
CVE-2023-32174 – Unified Automation UaGateway NodeManagerOpcUa Use-After-Free Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2023-32174
Unified Automation UaGateway NodeManagerOpcUa Use-After-Free Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Unified Automation UaGateway. Authentication is required to exploit this vulnerability when the product is in its default configuration. The specific flaw exists within the handling of NodeManagerOpcUa objects. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. • https://documentation.unified-automation.com/uagateway/1.5.14/CHANGELOG.txt • https://www.zerodayinitiative.com/advisories/ZDI-23-780 • CWE-416: Use After Free
CVE-2023-32171 – Unified Automation UaGateway OPC UA Server Null Pointer Dereference Denial-of-Service Vulnerability
https://notcve.org/view.php?id=CVE-2023-32171
Unified Automation UaGateway OPC UA Server Null Pointer Dereference Denial-of-Service Vulnerability. This vulnerability allows remote attackers to create a denial-of-service condition on affected installations of Unified Automation UaGateway. Authentication is required to exploit this vulnerability. The specific flaw exists within the ImportCsv method. A crafted XML payload can cause a null pointer dereference. An attacker can leverage this vulnerability to create a denial-of-service condition on the system. • https://documentation.unified-automation.com/uagateway/1.5.14/CHANGELOG.txt • https://www.zerodayinitiative.com/advisories/ZDI-23-776 • CWE-476: NULL Pointer Dereference
CVE-2023-32173 – Unified Automation UaGateway AddServer XML Injection Denial-of-Service Vulnerability
https://notcve.org/view.php?id=CVE-2023-32173
Unified Automation UaGateway AddServer XML Injection Denial-of-Service Vulnerability. This vulnerability allows remote attackers to create a denial-of-service condition on affected installations of Unified Automation UaGateway. Authentication is required to exploit this vulnerability when the product is in its default configuration. The specific flaw exists within the implementation of the AddServer method. By specifying crafted arguments, an attacker can cause invalid characters to be inserted into an XML configuration file. An attacker can leverage this vulnerability to create a persistent denial-of-service condition on the system. • https://documentation.unified-automation.com/uagateway/1.5.14/CHANGELOG.txt • https://www.zerodayinitiative.com/advisories/ZDI-23-779 • CWE-91: XML Injection (aka Blind XPath Injection)