汇总 bd 相关全部产品的 CVE 与安全漏洞情报,包括 CVSS、EPSS、公开时间与漏洞情报数据。
常见弱点模式包括 SQL 注入、跨站脚本与输入验证问题,在 生产负载与软件部署 使用场景中可能带来 会话劫持、数据泄露与异常行为 等风险。
相关漏洞数据主要来源于公开漏洞披露与安全公告,可用于评估历史漏洞暴露面与修复优先级。
| CVE | 摘要 | 来源 | 最高 CVSS | EPSS % | 公开时间 | 更新时间 |
|---|---|---|---|---|---|---|
| CVE-2023-29066 | The FACSChorus software does not properly assign data access privileges for operating system user accounts. A non-administrative OS account can modify information stored in the local application data folders. | [email protected] | 3.2 | 0.04% | 2023-11-28 | 2024-11-21 |
| CVE-2023-29065 | The FACSChorus software database can be accessed directly with the privileges of the currently logged-in user. A threat actor with physical access could potentially gain credentials, which could be used to alter or destroy data stored in the database. | [email protected] | 4.1 | 0.04% | 2023-11-28 | 2024-11-21 |
| CVE-2023-29064 | The FACSChorus software contains sensitive information stored in plaintext. A threat actor could gain hardcoded secrets used by the application, which include tokens and passwords for administrative accounts. | [email protected] | 4.1 | 0.04% | 2023-11-28 | 2024-11-21 |
| CVE-2023-29063 | The FACSChorus workstation does not prevent physical access to its PCI express (PCIe) slots, which could allow a threat actor to insert a PCI card designed for memory capture. A threat actor can then isolate sensitive information such as a BitLocker encryption key from a dump of the workstation RAM during startup. | [email protected] | 2.4 | 0.07% | 2023-11-28 | 2024-11-21 |
| CVE-2023-29062 | The Operating System hosting the FACSChorus application is configured to allow transmission of hashed user credentials upon user action without adequately validating the identity of the requested resource. This is possible through the use of LLMNR, MBT-NS, or MDNS and will result in NTLMv2 hashes being sent to a malicious entity position on the local network. These hashes can subsequently be attacked through brute force and cracked if a weak password is used. This attack would only apply to doma | [email protected] | 3.8 | 0.06% | 2023-11-28 | 2024-11-21 |
| CVE-2023-29061 | There is no BIOS password on the FACSChorus workstation. A threat actor with physical access to the workstation can potentially exploit this vulnerability to access the BIOS configuration and modify the drive boot order and BIOS pre-boot authentication. | [email protected] | 5.2 | 0.03% | 2023-11-28 | 2024-11-21 |
| CVE-2023-29060 | The FACSChorus workstation operating system does not restrict what devices can interact with its USB ports. If exploited, a threat actor with physical access to the workstation could gain access to system information and potentially exfiltrate data. | [email protected] | 5.4 | 0.05% | 2023-11-28 | 2024-11-21 |
| CVE-2023-30565 | An insecure connection between Systems Manager and CQI Reporter application could expose infusion data to an attacker. | [email protected] | 3.5 | 0.12% | 2023-07-13 | 2024-11-21 |
| CVE-2023-30564 | Alaris Systems Manager does not perform input validation during the Device Import Function. | [email protected] | 6.9 | 0.11% | 2023-07-13 | 2024-11-21 |
| CVE-2023-30563 | A malicious file could be uploaded into a System Manager User Import Function resulting in a hijacked session. | [email protected] | 8.2 | 0.60% | 2023-07-13 | 2024-11-21 |
| CVE-2023-30562 | A GRE dataset file within Systems Manager can be tampered with and distributed to PCUs. | [email protected] | 6.7 | 0.06% | 2023-07-13 | 2024-11-21 |
| CVE-2023-30561 | The data flowing between the PCU and its modules is insecure. A threat actor with physical access could potentially read or modify data by attaching a specially crafted device while an infusion is running. | [email protected] | 6.1 | 0.05% | 2023-07-13 | 2024-11-21 |
| CVE-2023-30560 | The configuration from the PCU can be modified without authentication using physical connection to the PCU. | [email protected] | 6.8 | 0.10% | 2023-07-13 | 2024-11-21 |
| CVE-2023-30559 | The firmware update package for the wireless card is not properly signed and can be modified. | [email protected] | 5.2 | 0.07% | 2023-07-13 | 2024-11-21 |
| CVE-2022-47376 | The Alaris Infusion Central software, versions 1.1 to 1.3.2, may contain a recoverable password after the installation. No patient health data is stored in the database, although some site installations may choose to store personal data. | [email protected] | 7.3 | 0.03% | 2023-06-13 | 2025-01-03 |
| CVE-2022-43557 | The BD BodyGuard™ infusion pumps specified allow for access through the RS-232 (serial) port interface. If exploited, threat actors with physical access, specialized equipment and knowledge may be able to configure or disable the pump. No electronic protected health information (ePHI), protected health information (PHI) or personally identifiable information (PII) is stored in the pump. | [email protected] | 5.3 | 0.11% | 2022-12-05 | 2024-11-21 |
| CVE-2022-40263 | BD Totalys MultiProcessor, versions 1.70 and earlier, contain hardcoded credentials. If exploited, threat actors may be able to access, modify or delete sensitive information, including electronic protected health information (ePHI), protected health information (PHI) and personally identifiable information (PII). Customers using BD Totalys MultiProcessor version 1.70 with Microsoft Windows 10 have additional operating system hardening configurations which increase the attack complexity required | [email protected] | 6.6 | 0.04% | 2022-11-04 | 2024-11-21 |
| CVE-2022-30277 | BD Synapsys™, versions 4.20, 4.20 SR1, and 4.30, contain an insufficient session expiration vulnerability. If exploited, threat actors may be able to access, modify or delete sensitive information, including electronic protected health information (ePHI), protected health information (PHI) and personally identifiable information (PII). | [email protected] | 5.7 | 0.04% | 2022-06-02 | 2024-11-21 |
| CVE-2022-22767 | Specific BD Pyxis™ products were installed with default credentials and may presently still operate with these credentials. There may be scenarios where BD Pyxis™ products are installed with the same default local operating system credentials or domain-joined server(s) credentials that may be shared across product types. If exploited, threat actors may be able to gain privileged access to the underlying file system and could potentially exploit or gain access to ePHI or other sensitive informati | [email protected] | 8.8 | 0.23% | 2022-06-02 | 2024-11-21 |
| CVE-2022-22765 | BD Viper LT system, versions 2.0 and later, contains hardcoded credentials. If exploited, threat actors may be able to access, modify or delete sensitive information, including electronic protected health information (ePHI), protected health information (PHI) and personally identifiable information (PII). BD Viper LT system versions 4.0 and later utilize Microsoft Windows 10 and have additional Operating System hardening configurations which increase the attack complexity required to exploit thi | [email protected] | 8.0 | 0.09% | 2022-02-12 | 2024-11-21 |