Cyber Resilience

CVE-2023-31242

HighPublic PoC

Published: 05 September 2023

Published
05 September 2023
Modified
21 November 2024
KEV Added
Patch
CVSS Score v3.1 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0002 6.0th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2023-31242 is a high-severity Improper Access Control (CWE-284) vulnerability in Openautomationsoftware Oas Platform. Its CVSS base score is 8.1 (High).

Operationally, ranked at the 6.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

EU & UK References

Vulnerability details

An authentication bypass vulnerability exists in the OAS Engine functionality of Open Automation Software OAS Platform v18.00.0072. A specially-crafted series of network requests can lead to arbitrary authentication. An attacker can send a sequence of requests to trigger this vulnerability.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

openautomationsoftware
oas platform
18.00.0072

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-284 CWE-287

The awareness and training policy mandates training on access control practices, directly reducing the likelihood of improper access control weaknesses being introduced or exploited.

addresses: CWE-284 CWE-287

Training covers access control policies and the consequences of improper access grants or usage by users.

addresses: CWE-284 CWE-287

Security training teaches access control policies and enforcement, reducing improper access control implementations.

addresses: CWE-284 CWE-287

Provides capability to review session content, directly detecting violations of access control.

addresses: CWE-284 CWE-287

System audit review detects violations of access controls by identifying unauthorized access attempts.

addresses: CWE-284 CWE-287

Control assessments verify that access controls are implemented correctly and operating as intended, detecting improper access control before exploitation.

addresses: CWE-284 CWE-287

Requiring formal approval, documented controls, and responsibilities for inter-system exchanges directly enforces proper access control between systems.

addresses: CWE-284 CWE-287

Penetration testing simulates unauthorized access attempts, directly detecting and enabling remediation of improper access control weaknesses.

References