CVE-2023-5240

Improper access control in PAM propagation scripts in Devolutions Server 2023.2.8.0 and ealier allows an attack with permission to manage PAM propagation scripts to retrieve passwords stored in it via a GET request.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://devolutions.net/security/advisories/DEVO-2023-0017	Vendor Advisory
https://devolutions.net/security/advisories/DEVO-2023-0017	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:devolutions:devolutions_server:*:*:*:*:*:*:*:*

History

21 Nov 2024, 08:41

Type	Values Removed	Values Added
References	~~() https://devolutions.net/security/advisories/DEVO-2023-0017 - Vendor Advisory~~	() https://devolutions.net/security/advisories/DEVO-2023-0017 - Vendor Advisory

18 Sep 2024, 08:35

Type	Values Removed	Values Added
CWE		CWE-284

Information

Published : 2023-10-13 13:15

Updated : 2024-11-21 08:41

NVD link : CVE-2023-5240

Mitre link : CVE-2023-5240

CVE.ORG link : CVE-2023-5240

JSON object : View

Products Affected

devolutions

devolutions_server

CWE

NVD-CWE-Other CWE-284

Improper Access Control

{"id": "CVE-2023-5240", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2023-10-13T13:15:12.693", "references": [{"url": "https://devolutions.net/security/advisories/DEVO-2023-0017", "tags": ["Vendor Advisory"], "source": "security@devolutions.net"}, {"url": "https://devolutions.net/security/advisories/DEVO-2023-0017", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-284"}]}], "descriptions": [{"lang": "en", "value": "Improper access control in PAM propagation scripts in Devolutions Server 2023.2.8.0 and ealier allows an attack with permission to manage PAM propagation scripts to retrieve passwords stored in it via a GET request.\n\n\n"}, {"lang": "es", "value": "El control de acceso inadecuado en los scripts de propagaci\u00f3n de PAM en Devolutions Server 2023.2.8.0 y anteriores permite un ataque con permiso para administrar los scripts de propagaci\u00f3n de PAM para recuperar las contrase\u00f1as almacenadas en \u00e9l mediante una solicitud GET."}], "lastModified": "2024-11-21T08:41:21.410", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:devolutions:devolutions_server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "15C3CED4-3D9D-4A6C-94CE-802DF9E2C576", "versionEndIncluding": "2023.2.8.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@devolutions.net"}

7.5 /10