Cyber Resilience

CVE-2023-3643

High · Public PoC

Published: 12 July 2023

Modified: 21 November 2024
KEV Added: not listed
Patch: none referenced
CVSS Score v3.1: 7.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
EPSS Score: 0.3630 (97.2nd percentile)
Risk Priority: 36 (weighting 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-3643 is a high-severity External Control of File Name or Path (CWE-73) vulnerability in Carel Boss Mini Firmware. Its CVSS base score is 7.3 (High).

Operationally, it ranks in the top 2.8% of CVEs by EPSS exploit likelihood (97.2nd percentile); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

CVE-2023-3643 is a file inclusion vulnerability in Carel Boss Mini 1.4.0 Build 6221 (VulDB classifies it as critical; the CVSS 3.1 base score is 7.3, High). It resides in an unspecified part of the file boss/servlet/document, where the path argument is passed to a file lookup without sanitisation, so an attacker who controls that argument can include arbitrary files on the server.

The flaw can be triggered remotely by an unauthenticated attacker without user interaction (AV:N/PR:N/UI:N). Successful exploitation yields a limited impact on confidentiality, integrity and availability (C:L/I:L/A:L), consistent with the CVSS 7.3 rating under CWE-73, External Control of File Name or Path.

Public references, primarily the VulDB entry and an associated proof-of-concept disclosure, contain no vendor patch or mitigation guidance. The EPSS score peaked at 0.4755 and currently stands at 0.3630, indicating moderate and sustained exploitation interest since public disclosure. With no fix referenced, the compensating measures available are restricting network access to the device's web interface and monitoring requests to boss/servlet/document whose path argument contains traversal sequences.

Vulnerability details

A vulnerability was found in Boss Mini 1.4.0 Build 6221. It has been classified as critical. This affects an unknown part of the file boss/servlet/document. The manipulation of the argument path leads to file inclusion. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-233889 was assigned to this vulnerability.

CWE(s)

CWE-73: External Control of File Name or Path

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: Carel
Product: Boss Mini firmware
Version: 1.4.0 (Build 6221 per the VulDB entry)

Mitigating Controls

Likely Mitigating Controls (automated mapping)

Per-CVE control mapping for this CVE has not run yet; the control below is derived from the weakness type (CWE-73) cited in the NVD entry.

CWE-73: Rejects externally supplied file or resource identifiers that fail validity checks. For this CVE that means validating the path argument to boss/servlet/document (decoded exactly once, no parent-directory segments, canonicalised and confirmed to lie under the intended document root) before it reaches any file API.
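The control above, as an added example that is neither Carel's code nor from the page: a hardened resolver for an untrusted path parameter of the kind the advisory describes, plus a triage pass over access-log lines that reports which requests the same control would have rejected. The servlet path boss/servlet/document and the parameter name path come from the advisory; the document root /srv/boss/docs, the file-extension allow-list, the leading slash on the servlet path and the log lines are assumptions constructed for the example.

```python
import os
import posixpath
from urllib.parse import unquote, urlsplit

# Constructed example values (assumptions, not from the advisory or vendor):
DOCUMENT_ROOT = "/srv/boss/docs"          # hypothetical directory the servlet serves from
ALLOWED_SUFFIXES = (".pdf", ".txt")        # hypothetical allow-list of servable document types
SERVLET_PATH = "/boss/servlet/document"    # servlet named in the advisory; leading slash assumed


class PathRejected(ValueError):
    """Raised when an externally supplied path fails a validity check (CWE-73 control)."""


def resolve_document(document_root, user_path, allowed_suffixes=ALLOWED_SUFFIXES):
    """Map an untrusted 'path' parameter to a file under document_root, or raise PathRejected.

    Checks, in order: a single URL decode (leftover %-escapes mean double encoding),
    NUL bytes, absolute paths and backslashes, any '..' segment after POSIX
    normalisation, an extension allow-list, and finally realpath containment so a
    symlink inside the root cannot point outside it either.
    """
    decoded = unquote(user_path)
    if "%" in decoded:
        raise PathRejected("double-encoded input")
    if "\x00" in decoded:
        raise PathRejected("NUL byte in path")
    if decoded.startswith("/") or "\\" in decoded:
        raise PathRejected("absolute path or backslash")
    normalized = posixpath.normpath(decoded)
    if ".." in normalized.split("/"):
        raise PathRejected("parent-directory traversal")
    if not normalized.lower().endswith(allowed_suffixes):
        raise PathRejected("extension not allowed")
    root = os.path.realpath(document_root)
    candidate = os.path.realpath(os.path.join(root, normalized))
    if os.path.commonpath([root, candidate]) != root:
        raise PathRejected("resolved outside document root")
    return candidate


def rejection_reason(document_root, user_path):
    """Return the rejection reason for user_path, or None if it would be served."""
    try:
        resolve_document(document_root, user_path)
    except PathRejected as exc:
        return str(exc)
    return None


def flag_requests(access_log_lines, document_root=DOCUMENT_ROOT, servlet=SERVLET_PATH):
    """Triage combined-format access-log lines: return (client, raw_path_value, reason)
    for every request to the servlet whose 'path' value the control would reject.

    The query string is split by hand rather than with parse_qs so that the value
    reaches resolve_document still encoded and is decoded exactly once there.
    """
    flagged = []
    for line in access_log_lines:
        try:
            client = line.split()[0]
            target = line.split('"')[1].split()[1]      # 'GET /x?y HTTP/1.1' -> '/x?y'
        except IndexError:
            continue                                    # not a well-formed request line
        parts = urlsplit(target)
        if parts.path != servlet:
            continue
        for pair in parts.query.split("&"):
            key, _, raw_value = pair.partition("=")
            if key != "path":
                continue
            reason = rejection_reason(document_root, raw_value)
            if reason is not None:
                flagged.append((client, raw_value, reason))
    return flagged


# Constructed sample log lines (not real traffic): one benign request, three traversal
# attempts using plain, single-encoded and double-encoded dot segments, one unrelated URL.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Jul/2023:10:00:01 +0000] "GET /boss/servlet/document?path=manuals/unit.pdf HTTP/1.1" 200 5120',
    '10.0.0.9 - - [12/Jul/2023:10:00:07 +0000] "GET /boss/servlet/document?path=../../../../etc/passwd HTTP/1.1" 200 1822',
    '10.0.0.9 - - [12/Jul/2023:10:00:09 +0000] "GET /boss/servlet/document?path=%2e%2e%2f%2e%2e%2fetc%2fshadow HTTP/1.1" 200 900',
    '10.0.0.9 - - [12/Jul/2023:10:00:12 +0000] "GET /boss/servlet/document?path=%252e%252e%252fetc%252fpasswd HTTP/1.1" 404 210',
    '10.0.0.7 - - [12/Jul/2023:10:00:15 +0000] "GET /boss/static/logo.png HTTP/1.1" 200 3300',
]

if __name__ == "__main__":
    for client, value, reason in flag_requests(SAMPLE_LOG):
        print(f"{client} path={value!r}: rejected ({reason})")
```

The order of the checks matters: decoding once and then refusing any remaining percent sign closes the double-encoding bypass, the segment check runs on the normalised path so `a/../../etc/passwd` is caught, and the final realpath comparison is what actually enforces the document root, since the string checks alone say nothing about symlinks already present on disk. The same resolver doubles as a detection rule when run over the access log: any request it would have rejected is a candidate exploitation attempt against the unpatched servlet.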
