Cyber Resilience

CVE-2023-37559

Medium

Published: 03 August 2023

Published
03 August 2023
Modified
21 November 2024
KEV Added
Patch
CVSS Score v3.1 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0020 42.0th percentile
Risk Priority 13 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2023-37559 is a medium-severity Improper Input Validation (CWE-20) vulnerability in Codesys Control For Beaglebone Sl. Its CVSS base score is 6.5 (Medium).

Operationally, ranked at the 42.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

After successful authentication as a user in multiple Codesys products in multiple versions, specific crafted network communication requests with inconsistent content can cause the CmpAppForce component to read internally from an invalid address, potentially leading to a denial-of-service condition. This…

more

vulnerability is different to CVE-2023-37558

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

codesys
control for beaglebone sl
≤ 4.10.0.0
codesys
control for empc-a\/imx6 sl
≤ 4.10.0.0
codesys
control for iot2000 sl
≤ 4.10.0.0
codesys
control for linux sl
≤ 4.10.0.0
codesys
control for pfc100 sl
≤ 4.10.0.0
codesys
control for pfc200 sl
≤ 4.10.0.0
codesys
control for plcnext sl
≤ 4.10.0.0
codesys
control for raspberry pi sl
≤ 4.10.0.0
codesys
control for wago touch panels 600 sl
≤ 4.10.0.0
codesys
control rte sl
≤ 3.5.19.20
+6 more product configuration(s) — see NVD for full list

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-20

Security testing and developer training directly verify and enforce proper input validation, reducing exploitability of injection and malformed-data weaknesses.

addresses: CWE-20

Security testing and evaluation at multiple SDLC stages directly detects missing or flawed input validation, with the required remediation process ensuring fixes are applied.

addresses: CWE-20

Directly implements checks on information inputs to reject invalid data before processing.

addresses: CWE-20

Spam protection mechanisms perform filtering and detection on inbound/outbound messages, directly compensating for missing or weak input validation of unsolicited content.

References