Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2022-30244: Product Security

Honeywell Alerton Ascent Control Module (ACM) through 2022-05-04 allows unauthenticated programming writes from remote users. This enables code to be store on the controller and then run without verification. A user with malicious intent can send a crafted packet to change and/or stop the program without the knowledge of other users, altering the controller’s function. After the programming change, the program needs to be overwritten in order for the controller to restore its original operational function.

CVE
#xss#vulnerability#web#mac#git#php#perl#auth

MENU

  • Policies
  • Vulnerability Reporting
  • PGP Key
  • Acknowledgments

We take security concerns seriously and work to quickly evaluate and address them. Once reported, we commit the appropriate resources to analyze, validate and provide corrective actions to address the issue.

The goal of our Product Security Incident Response Team (PSIRT) is to minimize customers’ risk associated with security vulnerabilities by providing timely information, guidance and remediation of vulnerabilities in our products, including software and applications, hardware and devices, services and solutions. This team manages the receipt, investigation, internal coordination, remediation and disclosure of security vulnerability information related to Honeywell products.

PSIRT coordinates the response and disclosure of all externally identified product vulnerabilities.

We welcome reports from independent researchers, industry organizations, vendors and customers concerned with product security. To find out more information on how to report a potential vulnerability, please visit the Vulnerability Reporting web page.

We strive to follow Coordinated Vulnerability Disclosure (CVD). This process allows independent reporters who discover a vulnerability contact Honeywell directly and allow us the opportunity to investigate and remediate the vulnerability before the reporter discloses the information to the public.

The PSIRT will coordinate with the reporter throughout the vulnerability investigation and will provide them with updates on progress as appropriate. With their agreement, the PSIRT may recognize the reporter on our acknowledgments for finding a valid product vulnerability and privately reporting the issue. After an update or mitigation information is publicly released by Honeywell, the reporter is welcome to discuss the vulnerability publicly.

Following the CVD allows us to protect our customers and at the same time, coordinate public disclosures and appropriately acknowledge the reporter for their finding. If a reported vulnerability involves a vendor product, the PSIRT will notify the vendor directly, coordinate with the reporter, or engage a third-party coordination center.

We use the Common Vulnerability Scoring System version 3.0 (CVSS v3.0) to evaluate the severity level of identified vulnerabilities. This enables a common scoring method and a common language to communicate the characteristics and impacts of vulnerabilities and attempts to establish a measurement of how much concern a vulnerability warrants. The model uses three distinct measurements or scores that include base, temporal and environmental calculations, each consisting of a set of metrics. The full standard, which is maintained by the Forum of Incident Response and Security Teams (FIRST).

We follow CVSS v3.0 Specification Document Qualitative Severity Rating Scale to define Severity Ratings as shown in the table below:

Security Impact Rating

CVSS Score

Critical

9.0 – 10.0

High

7.0 – 8.9

Medium

4.0 – 6.9

Low

1.0 – 3.9

We reserve the right to deviate from these guidelines in specific cases if additional factors are not properly captured in the CVSS score.

When and where applicable, Honeywell Security Bulletins will provide the CVSS v3.0 Base Score. We focus on the base metric group only because it brings the most value to our customers and represents the intrinsic characteristics of a vulnerability. Risk assessment is based on an average of risk across a diverse set of installed systems and may not represent the true risk of your local installation.

We recommend consulting a security or IT professional to evaluate the risk of your specific configuration and encourages you to compute the environmental score based on your network parameters and that all customers take into account the base score and any temporal and environmental scores that may be relevant to their environment to assess their overall risk. This overall score represents a moment in time and is tailored to your specific environment. You should use a security or IT professional’s assessment of the issue and this final score to prioritize responses in your own environment.

Honeywell uses the following guidelines for non-third-party software vulnerabilities to determine the appropriate communication plan:

Security Impact Rating

CVSS Score

Communication Plan

Critical

9.0–10.0

Security Bulletin

High

7.0–8.9

Medium

4.0–6.9

Product Release Note

Low

3.9 or below

If there is a security issue with a third-party software component that is used in a Honeywell product, we may publish a Security Bulletin. If a Security Bulletin is published for a third-party software component vulnerability, then we typically use the CVSS score provided by the component creator. In some cases, the CVSS score may be adjusted to reflect the impact to the product.

We reserve the right to deviate from these guidelines in specific cases if additional factors are not properly captured in the CVSS score.

In most cases, we intend to notify customers when there is an identified practical workaround or fix for a security vulnerability. The notification is through either targeted communications or by posting a security bulletin on the specific product web page. This will be posted after the PSIRT has completed the vulnerability response process and determined that sufficient software patches or workarounds exist to address the vulnerability or subsequent public disclosure of code fixes is planned to address the vulnerabilities.

Security bulletins attempt to balance the right amount of information by providing sufficient details to enable customers to make informed decisions to protect themselves, but not verbose details that would allow malicious users to take advantage of the information. They will typically include the following information:

  1. Products and versions affected.
  2. Common Vulnerability Enumeration (CVE) identifier for the vulnerability.
  3. Brief description of the vulnerability and potential impact if exploited.
  4. The Common Vulnerability Scoring System (CVSS) severity rating for the vulnerability.
  5. Mitigation details such as an upgrade, fix, mitigation or other customer action.
  6. Credit to the reporter of the identified vulnerability and acknowledgment for coordinating with Honeywell.

We will not provide additional information about the specifics of vulnerabilities beyond what is provided in the security bulletin or other documentation such as release notes, knowledge base articles, FAQs, etc. We do not distribute exploit or proof of concept code for identified vulnerabilities.

In accordance with industry practices, we do not share the findings from internal security testing or other types of security activities with external entities. It is important to note that any scan of our services and production systems will be considered an attack. If you are an OEM partner, please coordinate your needs with your Honeywell program manager.

We may release a special communication to respond quickly and appropriately to public disclosures where the vulnerability may have received significant public attention, or is expected to be actively exploited. In such an event, we may expedite the communication and may or may not include a complete set of patches or workarounds.

We take security concerns seriously and works to evaluate and address them in a timely manner. Response timelines will depend on many factors, including: the severity, the product affected, the current development cycle, QA cycles, and whether the issue can only be updated in a major release.

Remediation may take one or more of the following forms:

  1. A new release
  2. A Honeywell-provided patch
  3. Instructions to download and install an update or patch from a third-party
  4. A workaround to mitigate the vulnerability

Notwithstanding the foregoing, we do not guarantee a specific resolution for issues and not all issues identified may be fixed.

We encourage coordinated disclosure of security vulnerabilities. Security researchers, industry groups, government organizations and vendors can report potential security vulnerabilities to Honeywell by choosing one of the two vulnerability types in the form below or by emailing us with below details mentioned.

If the vulnerability affects a product, service or solution, email us at [email protected], with the following instructions/details:

  • Please encrypt using Honeywell’s public PGP key (see PGP Key page) and include the following:
    • Product and version
    • Description of the potential vulnerability
    • Any special configuration required to reproduce the issue
    • Step by step instructions to reproduce the issue
    • Proof of concept or exploit code, if available
    • Potential Impact

For all other security issues, email us at [email protected] with the following instructions.

  • Please encrypt using Honeywell’s public PGP key (see PGP Key page) and include the following:
    • Website URL or location
    • Type of vulnerability (XSS, Injection, etc.)
    • Instructions to reproduce the vulnerability
    • Proof of concept or exploit code, including how an attacker could exploit the vulnerability
    • Potential impact

Download PGP Key here

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
Comment: GPGTools - https://gpgtools.org

mQENBE/Z+NYBCAC/++sRC1JFlk1oMMDgl5jxhhh3U+MzTDLiBjHcCeJ4OmBiGRck
LljhZc0oW8SMd2JW0KjtEa0lKW8JIQHWBRjnGPudT8A/Y/3RW/Rx60dTvvUvt6ux
IqWmYDoe3B2aTNJmiQZobKwG5uxq0hKhQmTGsmqBWd9jWJT3lopjR7YPzuI3rWjq
m8DKaz+0JEs0hbPiO5mnID48NaTQvFb5tCySrnOaJIPHAwPtcfz8WWR3wDh3HX6N
sQOohiYs0lcxxF/klycMfgSaOd4KCvMuvvyYzsAgqAc2cyI41SAWhM0t4/7sGVsM
6QkOEQL7oM37fKpynKZoNqVQS43i5vEQXKhTABEBAAG0I0hvbmV5d2VsbCBDSVJU
IDxjaXJ0QGhvbmV5d2VsbC5jb20+iQFyBBABAgBcBQJP2fjWMBSAAAAAACAAB3By
ZWZlcnJlZC1lbWFpbC1lbmNvZGluZ0BwZ3AuY29tcGdwbWltZQgLCQgHAwIKAQIZ
AQUbAwAAAAUWAAMCAQUeAQAAAAYVCAkKAgMACgkQNyARPx/t4AdyoQf+LlUiTv20
VT5Hwbwm4CYxELzjlDaIsDS5DBFAY//gVcaC3J2CW/JeDSvDcBahePADVYI8N3Mk
fo2IPW4G7riB1OvBm8INELEVnDpFgTMffcLtHyyJHdolO7MKNGp/1zZxHriEci6K
22v6GT8TluEA9R6pKA7SI/lbVCxDe53CPzm7rQhxLFr2GJ3YKqvJ8C1OW06+fPDZ
U+nx80X+MIXMJ0+i+i1RS4TVK1chx6MWtkWRPBh022a7q5Ub19ox2osNavwE/gIs
sMcK2UCZKrphavAbh2YGvPl6UA16lIDwSwMZZ32Di/QcXPfZmBqmJxSs88lQmk5X
4AKpkknAGb7IY7kBDQRP2fjWAQgA2t9nKv8aoyHQFdu2mFDzxCaBNNgZggoUJjkr
80ahYphP4gMO/R1N6rUEDoRefzGKwG6l8Vn4yQs3wWl3VWLSBRswmUFa9GITiJnq
rfJOmw/JZlvqCbh5otGS2/irRb0IOYDn8/OPtN6H47pIfhCuMUEYNoYZ4Y1Vo4oA
JIbk7/R1IWnlUTGACvgIITDna0Xx2UF9Tlen7AQvMXilonaZhzFaou2abYYGbNWg
IH8F2m6bd43CK6lM1Bda0wPZFyOmAlbpkDg3xcTJj/ikqC4w3QrLV1RzIL+wQJQ3
QsJIrMMFRLVxSWjVR84OfXplCFNFG5zneNuyWBVH4+yo87ZrAwARAQABiQJBBBgB
AgErBQJP2fjXBRsMAAAAwF0gBBkBCAAGBQJP2fjWAAoJEO+/PWqvM/9ITYEH/3rC
m8tVUcM5rwKluGGRKm2OFlpL5UAN9GDB0yAYbgCPYX4HZPJFDb5eErOrPAsAX3JF
gfYRP1c0C+wkH6FRnINRRl5GTA3rlaoupPb6fVplgNOSPoRYoP76LaCE0RABrs0X
4j1r8cfCnWF50xS1sLIY2S8NCrXZKDnPGIpAAMvnO7FZY7DDzFHltSp+cM5EfheL
wz6dACrbZmo3V6MWaFHxEJaMwzry/IHx8Y0adQ0IuPzESJhOb2KA42oxEekYgNcT
jZaXVOg592rFmeVMiH+kZ6AqpOWPbSgLY9SA4UZ7wS3uzObk2WWHtE2tXodBKnV8
x+XfhPwIPL/clezxl6QACgkQNyARPx/t4AfiHgf/cahQSIQ3Z8vV4oGPdgQZT7zH
h1nQr5mP/9dMkeGYqUwzkRfKLtfSrNIIyq3sOX0TI0b13sHJ/bsys1bPurRMo9QZ
E/XBRunn0kikKlqIwGroufJooV7rWTQs01npsgjEtBVsLs/xrGZ6OIB5UZDVG650
aeLBIivRYBy9buIP/ouxKk5C5zTBIQ00Rk7eN/guoxanlrD4wNhzsw/U9SDI8gIH
ghiIG8KhyeSefQVoT7+d1NF5qEcghHIutzpSv33GaPuegvOkqXrsPC2q1w949+Im
jcqS6tU4SKYsAeZUro95QhATQGVuANyit9REk68syv8Ke0JcrvrhIj5Qu93LnQ==
=dpgO
-----END PGP PUBLIC KEY BLOCK-----

We would like to acknowledge all individuals who have reported a vulnerability in our environment. We are grateful for these security researchers who help keep us secure.

* Indicates multiple submissions

  • Policies
  • Vulnerability Reporting
  • PGP Key
  • Acknowledgments

We take security concerns seriously and work to quickly evaluate and address them. Once reported, we commit the appropriate resources to analyze, validate and provide corrective actions to address the issue.

The goal of our Product Security Incident Response Team (PSIRT) is to minimize customers’ risk associated with security vulnerabilities by providing timely information, guidance and remediation of vulnerabilities in our products, including software and applications, hardware and devices, services and solutions. This team manages the receipt, investigation, internal coordination, remediation and disclosure of security vulnerability information related to Honeywell products.

PSIRT coordinates the response and disclosure of all externally identified product vulnerabilities.

We welcome reports from independent researchers, industry organizations, vendors and customers concerned with product security. To find out more information on how to report a potential vulnerability, please visit the Vulnerability Reporting web page.

We strive to follow Coordinated Vulnerability Disclosure (CVD). This process allows independent reporters who discover a vulnerability contact Honeywell directly and allow us the opportunity to investigate and remediate the vulnerability before the reporter discloses the information to the public.

The PSIRT will coordinate with the reporter throughout the vulnerability investigation and will provide them with updates on progress as appropriate. With their agreement, the PSIRT may recognize the reporter on our acknowledgments for finding a valid product vulnerability and privately reporting the issue. After an update or mitigation information is publicly released by Honeywell, the reporter is welcome to discuss the vulnerability publicly.

Following the CVD allows us to protect our customers and at the same time, coordinate public disclosures and appropriately acknowledge the reporter for their finding. If a reported vulnerability involves a vendor product, the PSIRT will notify the vendor directly, coordinate with the reporter, or engage a third-party coordination center.

We use the Common Vulnerability Scoring System version 3.0 (CVSS v3.0) to evaluate the severity level of identified vulnerabilities. This enables a common scoring method and a common language to communicate the characteristics and impacts of vulnerabilities and attempts to establish a measurement of how much concern a vulnerability warrants. The model uses three distinct measurements or scores that include base, temporal and environmental calculations, each consisting of a set of metrics. The full standard, which is maintained by the Forum of Incident Response and Security Teams (FIRST).

We follow CVSS v3.0 Specification Document Qualitative Severity Rating Scale to define Severity Ratings as shown in the table below:

Security Impact Rating

CVSS Score

Critical

9.0 – 10.0

High

7.0 – 8.9

Medium

4.0 – 6.9

Low

1.0 – 3.9

We reserve the right to deviate from these guidelines in specific cases if additional factors are not properly captured in the CVSS score.

When and where applicable, Honeywell Security Bulletins will provide the CVSS v3.0 Base Score. We focus on the base metric group only because it brings the most value to our customers and represents the intrinsic characteristics of a vulnerability. Risk assessment is based on an average of risk across a diverse set of installed systems and may not represent the true risk of your local installation.

We recommend consulting a security or IT professional to evaluate the risk of your specific configuration and encourages you to compute the environmental score based on your network parameters and that all customers take into account the base score and any temporal and environmental scores that may be relevant to their environment to assess their overall risk. This overall score represents a moment in time and is tailored to your specific environment. You should use a security or IT professional’s assessment of the issue and this final score to prioritize responses in your own environment.

Honeywell uses the following guidelines for non-third-party software vulnerabilities to determine the appropriate communication plan:

Security Impact Rating

CVSS Score

Communication Plan

Critical

9.0–10.0

Security Bulletin

High

7.0–8.9

Medium

4.0–6.9

Product Release Note

Low

3.9 or below

If there is a security issue with a third-party software component that is used in a Honeywell product, we may publish a Security Bulletin. If a Security Bulletin is published for a third-party software component vulnerability, then we typically use the CVSS score provided by the component creator. In some cases, the CVSS score may be adjusted to reflect the impact to the product.

We reserve the right to deviate from these guidelines in specific cases if additional factors are not properly captured in the CVSS score.

In most cases, we intend to notify customers when there is an identified practical workaround or fix for a security vulnerability. The notification is through either targeted communications or by posting a security bulletin on the specific product web page. This will be posted after the PSIRT has completed the vulnerability response process and determined that sufficient software patches or workarounds exist to address the vulnerability or subsequent public disclosure of code fixes is planned to address the vulnerabilities.

Security bulletins attempt to balance the right amount of information by providing sufficient details to enable customers to make informed decisions to protect themselves, but not verbose details that would allow malicious users to take advantage of the information. They will typically include the following information:

  1. Products and versions affected.
  2. Common Vulnerability Enumeration (CVE) identifier for the vulnerability.
  3. Brief description of the vulnerability and potential impact if exploited.
  4. The Common Vulnerability Scoring System (CVSS) severity rating for the vulnerability.
  5. Mitigation details such as an upgrade, fix, mitigation or other customer action.
  6. Credit to the reporter of the identified vulnerability and acknowledgment for coordinating with Honeywell.

We will not provide additional information about the specifics of vulnerabilities beyond what is provided in the security bulletin or other documentation such as release notes, knowledge base articles, FAQs, etc. We do not distribute exploit or proof of concept code for identified vulnerabilities.

In accordance with industry practices, we do not share the findings from internal security testing or other types of security activities with external entities. It is important to note that any scan of our services and production systems will be considered an attack. If you are an OEM partner, please coordinate your needs with your Honeywell program manager.

We may release a special communication to respond quickly and appropriately to public disclosures where the vulnerability may have received significant public attention, or is expected to be actively exploited. In such an event, we may expedite the communication and may or may not include a complete set of patches or workarounds.

We take security concerns seriously and works to evaluate and address them in a timely manner. Response timelines will depend on many factors, including: the severity, the product affected, the current development cycle, QA cycles, and whether the issue can only be updated in a major release.

Remediation may take one or more of the following forms:

  1. A new release
  2. A Honeywell-provided patch
  3. Instructions to download and install an update or patch from a third-party
  4. A workaround to mitigate the vulnerability

Notwithstanding the foregoing, we do not guarantee a specific resolution for issues and not all issues identified may be fixed.

We encourage coordinated disclosure of security vulnerabilities. Security researchers, industry groups, government organizations and vendors can report potential security vulnerabilities to Honeywell by choosing one of the two vulnerability types in the form below or by emailing us with below details mentioned.

If the vulnerability affects a product, service or solution, email us at [email protected], with the following instructions/details:

  • Please encrypt using Honeywell’s public PGP key (see PGP Key page) and include the following:
    • Product and version
    • Description of the potential vulnerability
    • Any special configuration required to reproduce the issue
    • Step by step instructions to reproduce the issue
    • Proof of concept or exploit code, if available
    • Potential Impact

For all other security issues, email us at [email protected] with the following instructions.

  • Please encrypt using Honeywell’s public PGP key (see PGP Key page) and include the following:
    • Website URL or location
    • Type of vulnerability (XSS, Injection, etc.)
    • Instructions to reproduce the vulnerability
    • Proof of concept or exploit code, including how an attacker could exploit the vulnerability
    • Potential impact

Download PGP Key here

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
Comment: GPGTools - https://gpgtools.org

mQENBE/Z+NYBCAC/++sRC1JFlk1oMMDgl5jxhhh3U+MzTDLiBjHcCeJ4OmBiGRck
LljhZc0oW8SMd2JW0KjtEa0lKW8JIQHWBRjnGPudT8A/Y/3RW/Rx60dTvvUvt6ux
IqWmYDoe3B2aTNJmiQZobKwG5uxq0hKhQmTGsmqBWd9jWJT3lopjR7YPzuI3rWjq
m8DKaz+0JEs0hbPiO5mnID48NaTQvFb5tCySrnOaJIPHAwPtcfz8WWR3wDh3HX6N
sQOohiYs0lcxxF/klycMfgSaOd4KCvMuvvyYzsAgqAc2cyI41SAWhM0t4/7sGVsM
6QkOEQL7oM37fKpynKZoNqVQS43i5vEQXKhTABEBAAG0I0hvbmV5d2VsbCBDSVJU
IDxjaXJ0QGhvbmV5d2VsbC5jb20+iQFyBBABAgBcBQJP2fjWMBSAAAAAACAAB3By
ZWZlcnJlZC1lbWFpbC1lbmNvZGluZ0BwZ3AuY29tcGdwbWltZQgLCQgHAwIKAQIZ
AQUbAwAAAAUWAAMCAQUeAQAAAAYVCAkKAgMACgkQNyARPx/t4AdyoQf+LlUiTv20
VT5Hwbwm4CYxELzjlDaIsDS5DBFAY//gVcaC3J2CW/JeDSvDcBahePADVYI8N3Mk
fo2IPW4G7riB1OvBm8INELEVnDpFgTMffcLtHyyJHdolO7MKNGp/1zZxHriEci6K
22v6GT8TluEA9R6pKA7SI/lbVCxDe53CPzm7rQhxLFr2GJ3YKqvJ8C1OW06+fPDZ
U+nx80X+MIXMJ0+i+i1RS4TVK1chx6MWtkWRPBh022a7q5Ub19ox2osNavwE/gIs
sMcK2UCZKrphavAbh2YGvPl6UA16lIDwSwMZZ32Di/QcXPfZmBqmJxSs88lQmk5X
4AKpkknAGb7IY7kBDQRP2fjWAQgA2t9nKv8aoyHQFdu2mFDzxCaBNNgZggoUJjkr
80ahYphP4gMO/R1N6rUEDoRefzGKwG6l8Vn4yQs3wWl3VWLSBRswmUFa9GITiJnq
rfJOmw/JZlvqCbh5otGS2/irRb0IOYDn8/OPtN6H47pIfhCuMUEYNoYZ4Y1Vo4oA
JIbk7/R1IWnlUTGACvgIITDna0Xx2UF9Tlen7AQvMXilonaZhzFaou2abYYGbNWg
IH8F2m6bd43CK6lM1Bda0wPZFyOmAlbpkDg3xcTJj/ikqC4w3QrLV1RzIL+wQJQ3
QsJIrMMFRLVxSWjVR84OfXplCFNFG5zneNuyWBVH4+yo87ZrAwARAQABiQJBBBgB
AgErBQJP2fjXBRsMAAAAwF0gBBkBCAAGBQJP2fjWAAoJEO+/PWqvM/9ITYEH/3rC
m8tVUcM5rwKluGGRKm2OFlpL5UAN9GDB0yAYbgCPYX4HZPJFDb5eErOrPAsAX3JF
gfYRP1c0C+wkH6FRnINRRl5GTA3rlaoupPb6fVplgNOSPoRYoP76LaCE0RABrs0X
4j1r8cfCnWF50xS1sLIY2S8NCrXZKDnPGIpAAMvnO7FZY7DDzFHltSp+cM5EfheL
wz6dACrbZmo3V6MWaFHxEJaMwzry/IHx8Y0adQ0IuPzESJhOb2KA42oxEekYgNcT
jZaXVOg592rFmeVMiH+kZ6AqpOWPbSgLY9SA4UZ7wS3uzObk2WWHtE2tXodBKnV8
x+XfhPwIPL/clezxl6QACgkQNyARPx/t4AfiHgf/cahQSIQ3Z8vV4oGPdgQZT7zH
h1nQr5mP/9dMkeGYqUwzkRfKLtfSrNIIyq3sOX0TI0b13sHJ/bsys1bPurRMo9QZ
E/XBRunn0kikKlqIwGroufJooV7rWTQs01npsgjEtBVsLs/xrGZ6OIB5UZDVG650
aeLBIivRYBy9buIP/ouxKk5C5zTBIQ00Rk7eN/guoxanlrD4wNhzsw/U9SDI8gIH
ghiIG8KhyeSefQVoT7+d1NF5qEcghHIutzpSv33GaPuegvOkqXrsPC2q1w949+Im
jcqS6tU4SKYsAeZUro95QhATQGVuANyit9REk68syv8Ke0JcrvrhIj5Qu93LnQ==
=dpgO
-----END PGP PUBLIC KEY BLOCK-----

We would like to acknowledge all individuals who have reported a vulnerability in our environment. We are grateful for these security researchers who help keep us secure.

* Indicates multiple submissions

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907