CVE-2023-28901 - Vulnerability Details - OpenCVE

The Skoda Automotive cloud contains a Broken Access Control vulnerability, allowing remote attackers to obtain recent trip data, vehicle mileage, fuel consumption, average and maximum speed, and other information of Skoda Connect service users by specifying an arbitrary vehicle VIN number.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Skoda-auto	Skoda Connect

Configuration 1 [-]

cpe:2.3:a:skoda-auto:skoda_connect:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://asrg.io/security-advisories/cve-2023-28901/

History

Tue, 17 Jun 2025 22:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: ASRG

Published: 2024-01-18T16:27:43.711Z

Updated: 2025-06-17T21:19:20.121Z

Reserved: 2023-03-27T14:51:13.968Z

Link: CVE-2023-28901

Vulnrichment

Updated: 2024-08-02T13:51:38.996Z

NVD

Status : Modified

Published: 2024-01-18T17:15:14.003

Modified: 2024-11-21T07:56:14.760

Link: CVE-2023-28901

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-28901", "assignerOrgId": "c15abc07-96a9-4d11-a503-5d621bfe42ba", "state": "PUBLISHED", "assignerShortName": "ASRG", "dateReserved": "2023-03-27T14:51:13.968Z", "datePublished": "2024-01-18T16:27:43.711Z", "dateUpdated": "2025-06-17T21:19:20.121Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Skoda Connect", "vendor": "Skoda Auto", "versions": [{"status": "affected", "version": "0"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Anna Breeva (PCAutomotive)"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "The Skoda Automotive cloud contains a Broken Access Control vulnerability, allowing remote attackers to obtain recent trip data, vehicle mileage, fuel consumption, average and maximum speed, and other information of Skoda Connect service users by specifying an arbitrary vehicle VIN number."}], "value": "The Skoda Automotive cloud contains a Broken Access Control vulnerability, allowing remote attackers to obtain recent trip data, vehicle mileage, fuel consumption, average and maximum speed, and other information of Skoda Connect service users by specifying an arbitrary vehicle VIN number."}], "impacts": [{"capecId": "CAPEC-116", "descriptions": [{"lang": "en", "value": "CAPEC-116 Excavation"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "c15abc07-96a9-4d11-a503-5d621bfe42ba", "shortName": "ASRG", "dateUpdated": "2024-01-18T16:27:43.711Z"}, "references": [{"url": "https://asrg.io/security-advisories/cve-2023-28901/"}], "source": {"discovery": "EXTERNAL"}, "title": "Trip Data Disclosure from Backend", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T13:51:38.996Z"}, "title": "CVE Program Container", "references": [{"url": "https://asrg.io/security-advisories/cve-2023-28901/", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-28901", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-01-23T21:59:59.842976Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-17T21:19:20.121Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://asrg.io/security-advisories/cve-2023-28901/", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T13:51:38.996Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-28901", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-01-23T21:59:59.842976Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-17T21:15:01.553Z"}}], "cna": {"title": "Trip Data Disclosure from Backend", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Anna Breeva (PCAutomotive)"}], "impacts": [{"capecId": "CAPEC-116", "descriptions": [{"lang": "en", "value": "CAPEC-116 Excavation"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Skoda Auto", "product": "Skoda Connect", "versions": [{"status": "affected", "version": "0"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://asrg.io/security-advisories/cve-2023-28901/"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "The Skoda Automotive cloud contains a Broken Access Control vulnerability, allowing remote attackers to obtain recent trip data, vehicle mileage, fuel consumption, average and maximum speed, and other information of Skoda Connect service users by specifying an arbitrary vehicle VIN number.", "supportingMedia": [{"type": "text/html", "value": "The Skoda Automotive cloud contains a Broken Access Control vulnerability, allowing remote attackers to obtain recent trip data, vehicle mileage, fuel consumption, average and maximum speed, and other information of Skoda Connect service users by specifying an arbitrary vehicle VIN number.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "c15abc07-96a9-4d11-a503-5d621bfe42ba", "shortName": "ASRG", "dateUpdated": "2024-01-18T16:27:43.711Z"}}}, "cveMetadata": {"cveId": "CVE-2023-28901", "state": "PUBLISHED", "dateUpdated": "2025-06-17T21:19:20.121Z", "dateReserved": "2023-03-27T14:51:13.968Z", "assignerOrgId": "c15abc07-96a9-4d11-a503-5d621bfe42ba", "datePublished": "2024-01-18T16:27:43.711Z", "assignerShortName": "ASRG"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:skoda-auto:skoda_connect:-:*:*:*:*:*:*:*", "matchCriteriaId": "52F83D74-D8F0-4D6C-B382-6E1ECE9373AF", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The Skoda Automotive cloud contains a Broken Access Control vulnerability, allowing remote attackers to obtain recent trip data, vehicle mileage, fuel consumption, average and maximum speed, and other information of Skoda Connect service users by specifying an arbitrary vehicle VIN number."}, {"lang": "es", "value": "La nube de Skoda Automotive contiene una vulnerabilidad de control de acceso roto, que permite a atacantes remotos obtener datos de viajes recientes, kilometraje del veh\u00edculo, consumo de combustible, velocidad media y m\u00e1xima y otra informaci\u00f3n de los usuarios del servicio Skoda Connect especificando un n\u00famero VIN arbitrario del veh\u00edculo."}], "id": "CVE-2023-28901", "lastModified": "2024-11-21T07:56:14.760", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "cve@asrg.io", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-01-18T17:15:14.003", "references": [{"source": "cve@asrg.io", "tags": ["Third Party Advisory"], "url": "https://asrg.io/security-advisories/cve-2023-28901/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://asrg.io/security-advisories/cve-2023-28901/"}], "sourceIdentifier": "cve@asrg.io", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "cve@asrg.io", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}