CVE-2023-5719 HIGH

CVE-2023-5719: Red Lion Crimson Improper Neutralization of Null Byte or NUL Character

Vendor Red Lion
Product Crimson
Weakness CWE-158
Published November 6, 2023
Last update January 16, 2025

CVSS base score

8.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Scope Unchanged
Confidentiality High
Integrity High
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

What the vulnerability does

Description

The Crimson 3.2 Windows-based configuration tool allows users with administrative access to define new passwords for users and to download the resulting security configuration to a device. If such a password contains the percent (%) character, invalid values will be included, potentially truncating the string if a NUL is encountered. If the simplified password is not detected by the administrator, the device might be left in a vulnerable state as a result of more easily compromised credentials. Note that passwords entered via the Crimson system web server do not suffer from this vulnerability.

Key dates

Disclosure timeline

November 6, 2023 CVE published
January 16, 2025 Record updated