Lucene search

GitHub_MCVELIST:CVE-2023-45808

HistoryApr 15, 2024 - 5:28 p.m.

CVE-2023-45808 iTop missing silo check on extkey in console and portal

2024-04-1517:28:41

CWE-639

GitHub_M

www.cve.org

itop

extkey

user silo

http request

object creation

security vulnerability

4.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N

4.8 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

15.5%

JSON

iTop is an IT service management platform. When creating or updating an object, extkey values aren’t checked to be in the current user silo. In other words, by forging an http request, the user can create objects pointing to out of silo objects (for example a UserRequest in an out of scope Organization). Fixed in iTop 2.7.10, 3.0.4, 3.1.1, and 3.2.0.

CNA Affected

[
  {
    "vendor": "Combodo",
    "product": "iTop",
    "versions": [
      {
        "version": "< 2.7.10",
        "status": "affected"
      },
      {
        "version": ">= 3.0.0, < 3.0.4",
        "status": "affected"
      },
      {
        "version": ">= 3.1.0, < 3.1.1",
        "status": "affected"
      }
    ]
  }
]

References

github.com/Combodo/iTop/commit/5a434486443a2cf8b8a288475aada54d0a068ca7

github.com/Combodo/iTop/commit/8f61c02cbe17badff87bff9b8ada85e783c47385

github.com/Combodo/iTop/security/advisories/GHSA-245j-66p9-pwmh

4.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N

4.8 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

15.5%

JSON

Related for CVELIST:CVE-2023-45808