CVE-2023-23595

BlueCat Device Registration Portal 2.2 allows XXE attacks that exfiltrate single-line files. A single-line file might contain credentials, such as "machine example.com login daniel password qwerty" in the documentation example for the .netrc file format. NOTE: 2.x versions are no longer supported. There is no available information about whether any later version is affected.
Configurations

Configuration 1

cpe:2.3:a:bluecatnetworks:device_registration_portal:2.2:*:*:*:*:*:*:*

History

21 Nov 2024, 07:46

| Type | Values Removed | Values Added |
|---|---|---|
| References | https://bluecatnetworks.com/integrations/adaptive-application/device-registration-portal-drp/ - Product, Vendor Advisory | https://bluecatnetworks.com/integrations/adaptive-application/device-registration-portal-drp/ - Product, Vendor Advisory |
| References | https://everything.curl.dev/usingcurl/netrc - Technical Description, Third Party Advisory | https://everything.curl.dev/usingcurl/netrc - Technical Description, Third Party Advisory |
| References | https://github.com/colemanjp/XXE-Vulnerability-in-Bluecat-Device-Registration-Portal-DRP - Exploit, Third Party Advisory | https://github.com/colemanjp/XXE-Vulnerability-in-Bluecat-Device-Registration-Portal-DRP - Exploit, Third Party Advisory |
| Summary | | (es) BlueCat Device Registration Portal 2.2 allows XXE attacks that exfiltrate single-line files. A single-line file might contain credentials, such as "machine example.com login daniel password qwerty" in the documentation example for the .netrc file format. NOTE: 2.x versions are no longer supported. There is no available information about whether any later version is affected. |

Information

Published : 2023-01-15 07:15

Updated : 2025-04-08 21:15


NVD link : CVE-2023-23595

Mitre link : CVE-2023-23595

CVE.ORG link : CVE-2023-23595


Products Affected

bluecatnetworks

  • device_registration_portal
CWE
CWE-611

Improper Restriction of XML External Entity Reference