CVE-2023-25189
Nokia BTS service operation log information disclosure for network operator administrators

Public disclosure

16-09-2024

Last updated

16-09-2024

Vulnerability type

Nokia BTS service operation log information disclosure

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N

CVSS score

3.3

Description

BTS is affected by an information disclosure vulnerability in which mobile network operator personnel connected over BTS Web Element Manager, regardless of their access privileges, can read the details of BTS service operations performed by Nokia Care service personnel via SSH.

Affected products and versions

Product: Nokia ASIKA Airscale

Versions: All Nokia SRAN SW Releases

Mitigation plan

A fix has been provided from Nokia Single RAN 24R1 onwards.

Acknowledgements

  • Lena David from Synacktiv
  • Geoffrey Bertoli from Synacktiv

References

Change history: Initial version published on 16-09-2024