cvelist | GitHub_M | CVELIST:CVE-2023-42455
History: Oct 09, 2023 - 4:30 p.m.

CVE-2023-42455 Wazuh vulnerable to user privilege escalation

2023-10-09 16:30:28
CWE-639
GitHub_M
www.cve.org
wazuh, security detection, visibility, compliance, open source, vulnerability, user privilege escalation, cve-2023-42455, api administrator key

CVSS3: 8.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score: 8.8 High (Confidence: High)

EPSS: 0.001 Low (Percentile: 25.8%)

Wazuh is an open source project for security detection, visibility, and compliance. In versions 4.4.0 and 4.4.1, the Wazuh API administrator key used by the Dashboard can be obtained using the browser development tools. This allows a user logged in to the dashboard to become an administrator of the API, even if their dashboard role is not an administrator role. Version 4.4.2 contains a fix. There are no known workarounds.

CNA Affected

[
  {
    "vendor": "wazuh",
    "product": "wazuh-kibana-app",
    "versions": [
      {
        "version": ">= 4.4.0, < 4.4.2",
        "status": "affected"
      }
    ]
  }
]
