CVE-2023-37548: 
CODESYS Development System vulnerability analysis and mitigation

CVE-2023-37548 is a security vulnerability affecting multiple Codesys products that was disclosed on August 3, 2023. The vulnerability exists in the CmpApp component where, after successful authentication as a user, specific crafted network communication requests with inconsistent content can cause the component to read internally from an invalid address. This vulnerability is distinct from related issues CVE-2023-37545, CVE-2023-37546, CVE-2023-37547, CVE-2023-37549, and CVE-2023-37550 (VDE Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H. The attack vector is network-based, requires low attack complexity, needs low privileges, and no user interaction. The vulnerability is classified as CWE-20 (Improper Input Validation) (AttackerKB).

When successfully exploited, this vulnerability can lead to a denial-of-service condition by causing the CmpApp component to read from an invalid address. The impact primarily affects system availability, with no direct impact on confidentiality or integrity (VDE Advisory).

CODESYS GmbH recommends using the online user management system, which is enforced by default as of version 3.5.17.0. For permanent remediation, users should update to version 3.5.19.20 for products like CODESYS Control RTE, Control Win, and Development System V3, or to version 4.10.0.0 (scheduled for October 2023) for products such as Control for BeagleBone SL and other platform-specific variants (VDE Advisory).