CVE-2023-37545

Summary

In multiple Codesys products in multiple versions, after successful authentication as a user, specific crafted network communication requests with inconsistent content can cause the CmpApp component to read internally from an invalid address, potentially leading to a denial-of-service condition. This vulnerability is different to CVE-2023-37546, CVE-2023-37547, CVE-2023-37548, CVE-2023-37549, CVE-2023-37550

Affected Software

VendorProductVersion RangeStatus
CODESYSCODESYS Control for BeagleBone SL0 < V4.10.0.0affected
CODESYSCODESYS Control for emPC-A/iMX6 SL0 < V4.10.0.0affected
CODESYSCODESYS Control for IOT2000 SL0 < V4.10.0.0affected
CODESYSCODESYS Control for Linux SL0 < V4.10.0.0affected
CODESYSCODESYS Control for PFC100 SL0 < V4.10.0.0affected
CODESYSCODESYS Control for PFC200 SL0 < V4.10.0.0affected
CODESYSCODESYS Control for PLCnext SL0 < V4.10.0.0affected
CODESYSCODESYS Control for Raspberry Pi SL0 < V4.10.0.0affected
CODESYSCODESYS Control for WAGO Touch Panels 600 SL0 < V4.10.0.0affected
CODESYSCODESYS Control RTE (for Beckhoff CX) SL0 < V3.5.19.20affected
CODESYSCODESYS Control RTE (SL)0 < V3.5.19.20affected
CODESYSCODESYS Control Runtime System Toolkit0 < V3.5.19.20affected
CODESYSCODESYS Control Win (SL)0 < V3.5.19.20affected
CODESYSCODESYS Development System V30 < V3.5.19.20affected
CODESYSCODESYS HMI (SL)0 < V3.5.19.20affected
CODESYSCODESYS Safety SIL2 Runtime Toolkit0 < V3.5.19.20affected

Weaknesses

  • CWE-20: CWE-20 Improper Input Validation

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References