Sep 27, 2023 - 3:19 p.m.

CVE-2023-5183

2023-09-27 15:19:42
CWE-502
web.nvd.nist.gov
Tags: cve-2023-5183, json, deserialization, code execution, illumio pce, vulnerability, network_traffic api, operating system, user, nvd

CVSS3: 9.9 High

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

AI Score: 8.9 High (Confidence: High)

EPSS: 0.001 Low (Percentile: 20.6%)

Unsafe deserialization of untrusted JSON allows execution of arbitrary code on affected releases of the Illumio PCE. Authentication to the API is required to exploit this vulnerability. The flaw exists within the network_traffic API endpoint. An attacker can leverage this vulnerability to execute code in the context of the PCE’s operating system user.

Affected configurations

NVD

Node
illumio core_policy_compute_engine, range: <19.3.7
OR
illumio core_policy_compute_engine, range: 21.2.0 - 21.2.8
OR
illumio core_policy_compute_engine, range: 21.5.0 - 21.5.36
OR
illumio core_policy_compute_engine, range: 22.2.0 - 22.2.42
OR
illumio core_policy_compute_engine, range: 22.5.0 - 22.5.31
OR
illumio core_policy_compute_engine, range: 23.2.0 - 23.2.11

CNA Affected

[
  {
    "defaultStatus": "affected",
    "modules": [
      "PCE"
    ],
    "platforms": [
      "Linux"
    ],
    "product": "Core PCE",
    "vendor": "Illumio",
    "versions": [
      {
        "lessThanOrEqual": "19.3.6",
        "status": "affected",
        "version": "19.3.0",
        "versionType": "release train"
      },
      {
        "lessThanOrEqual": "21.2.7",
        "status": "affected",
        "version": "21.2.0",
        "versionType": "release train"
      },
      {
        "lessThanOrEqual": "21.5.35",
        "status": "affected",
        "version": "21.5.0",
        "versionType": "release train"
      },
      {
        "lessThanOrEqual": "22.2.41",
        "status": "affected",
        "version": "22.2.0",
        "versionType": "release train"
      },
      {
        "lessThanOrEqual": "22.5.30",
        "status": "affected",
        "version": "22.5.0",
        "versionType": "release train"
      },
      {
        "lessThanOrEqual": "23.2.10",
        "status": "affected",
        "version": "23.2.0",
        "versionType": "release train"
      }
    ]
  }
]
