CVE-2023-3669: 
CODESYS Development System vulnerability analysis and mitigation

A missing Brute-Force protection vulnerability was identified in CODESYS Development System versions prior to 3.5.19.20. The vulnerability, tracked as CVE-2023-3669, was discovered and disclosed on August 3, 2023. This security flaw affects the password protection mechanism within an import dialog of the CODESYS Development System (CERT VDE).

The vulnerability is classified as an Improper Restriction of Excessive Authentication Attempts (CWE-307). The security issue allows unlimited password guessing attempts within an import dialog, without implementing any brute-force protection mechanisms. The vulnerability has been assigned a CVSS v3.1 Base Score of 3.3 (LOW) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N (CERT VDE).

The exploitation of this vulnerability could result in a limited amount of information being obtained by a local attacker if the brute-force attack is successful. The impact is considered low due to the local access requirement and the limited scope of potentially exposed information (CERT VDE).

The recommended mitigation is to update the CODESYS Development System to version 3.5.19.20 or later. The update can be installed directly using the CODESYS Installer or downloaded from the CODESYS Store (CERT VDE).

The vulnerability was initially reported by an OEM customer and coordinated through CERT@VDE (CERT VDE).