Sep 22, 2023 - 6:15 p.m.

CVE-2023-43640

2023-09-22 18:15:12
CWE-89
web.nvd.nist.gov
Tags: taxonworks, web-based workbench, sql injection, vulnerability, cve-2023-43640, information security

CVSS3: 6.5 Medium

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

AI Score: 6.3 Medium (Confidence: High)

EPSS: 0.0005 Low (Percentile: 18.3%)

TaxonWorks is a web-based workbench designed for taxonomists and biodiversity scientists. Prior to version 0.34.0, a SQL injection vulnerability was found in TaxonWorks that allows authenticated attackers to extract arbitrary data from the TaxonWorks database (including the users table). This issue may lead to information disclosure. Version 0.34.0 contains a fix for the issue.

Affected configurations

Node: speciesfilegroup taxonworks
Range: <0.34.0

Vendor: speciesfilegroup
Product: taxonworks
Version: *
CPE: cpe:2.3:a:speciesfilegroup:taxonworks:*:*:*:*:*:*:*:*

CNA Affected

[
  {
    "vendor": "SpeciesFileGroup",
    "product": "taxonworks",
    "versions": [
      {
        "version": "< 0.34.0",
        "status": "affected"
      }
    ]
  }
]
