History: Jan 18, 2023 - 10:15 p.m.

CVE-2023-0164

2023-01-18 22:15:10
CWE-78
Fluid Attacks
web.nvd.nist.gov
orangescrum
cve-2023-0164
security vulnerability
command injection
nvd

CVSS3: 8.8

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score: 8.8
Confidence: High

EPSS: 0.003
Percentile: 69.4%

OrangeScrum version 2.0.11 allows an authenticated external attacker to execute arbitrary commands on the server. This is possible because the application injects an attacker-controlled parameter into a system function.

Affected configurations

Nvd
Node: orangescrum orangescrum, Match 2.0.11

Vendor | Product | Version | CPE
orangescrum | orangescrum | 2.0.11 | cpe:2.3:a:orangescrum:orangescrum:2.0.11:*:*:*:*:*:*:*

CNA Affected

[
  {
    "vendor": "n/a",
    "product": "OrangeScrum",
    "versions": [
      {
        "version": "2.0.11",
        "status": "affected"
      }
    ]
  }
]
