Lucene search

GitHub Advisory DatabaseGHSA-Q3HQ-HM5H-QRX3

HistoryNov 15, 2022 - 12:00 p.m.

Concrete CMS vulnerable to Cleartext Transmission of Sensitive Information

2022-11-1512:00:17

CWE-319

GitHub Advisory Database

github.com

concrete cms

sensitive information

debug mode

disclosure

server-side

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

0.002 Low

EPSS

Percentile

54.8%

JSON

Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 inadvertently disclose server-side sensitive information (secrets in environment variables and server information) when Debug Mode is left on in production.

Affected configurations

Vulners

Node

concrete5concrete5Range<9.1.3

concrete5concrete5Range<8.5.10

CPENameOperatorVersion
concrete5/concrete5lt9.1.3
concrete5/concrete5lt8.5.10

CPE	Name	Operator	Version
	concrete5/concrete5	lt	9.1.3
	concrete5/concrete5	lt	8.5.10

References

documentation.concretecms.org/developers/introduction/version-history/8510-release-notes

documentation.concretecms.org/developers/introduction/version-history/913-release-notes

github.com/advisories/GHSA-q3hq-hm5h-qrx3

github.com/concretecms/concretecms/releases/8.5.10

github.com/concretecms/concretecms/releases/9.1.3

nvd.nist.gov/vuln/detail/CVE-2022-43691

www.concretecms.org/about/project-news/security/concrete-cms-security-advisory-2022-10-31

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

0.002 Low

EPSS

Percentile

54.8%

JSON

Related for GHSA-Q3HQ-HM5H-QRX3