cvelist SNPS CVELIST:CVE-2023-1663
History: Mar 29, 2023 - 1:16 p.m.

CVE-2023-1663 Authenticated Resources Accessible via Forced Browsing

2023-03-29 13:16:40
CWE-425
SNPS
www.cve.org
coverity
vulnerable
forced browsing
unauthorized actors
insecurely configured
servlet mapping
apache tomcat
downloads directory
cvss
risk level

6.5 Medium (CVSS3)

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: NONE
Availability Impact: LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L

EPSS: 0.001 Low
Percentile: 29.8%

Coverity versions prior to 2023.3.2 are vulnerable to forced browsing, which exposes authenticated resources to unauthorized actors. The root cause of this vulnerability is an insecurely configured servlet mapping for the underlying Apache Tomcat server. As a result, the downloads directory and its contents are accessible. 5.9 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L/E:P/RL:O/RC:C)

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Coverity",
    "vendor": "Synopsys",
    "versions": [
      {
        "lessThanOrEqual": "2023.3.1",
        "status": "affected",
        "version": "0",
        "versionType": "custom"
      }
    ]
  }
]
