Lucene search

[email protected]NVD:CVE-2023-2158

HistoryApr 27, 2023 - 6:15 p.m.

CVE-2023-2158

2023-04-2718:15:13

CWE-798

CWE-321

[email protected]

web.nvd.nist.gov

code dx

user impersonation attack

remember me token

hard-coded cipher

account access

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.6

Confidence

High

EPSS

0.002

Percentile

54.1%

JSON

Code Dx versions prior to 2023.4.2 are vulnerable to user impersonation attack where a malicious actor is able to gain access to another user’s account by crafting a custom “Remember Me” token. This is possible due to the use of a hard-coded cipher which was used when generating the token. A malicious actor who creates this token can supply it to a separate Code Dx system, provided they know the username they want to impersonate, and impersonate the user. Score 6.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N/E:P/RL:O/RC:C

Affected configurations

Nvd

Node

synopsyscode_dxRange<2023.4.2

VendorProductVersionCPE
synopsyscode_dx*cpe:2.3:a:synopsys:code_dx:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
synopsys	code_dx	*	cpe:2.3:a:synopsys:code_dx::::::::

References

community.synopsys.com/s/question/0D5Hr00006VdZblKAF/announcement-changelog-code-dx-202342

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.6

Confidence

High

EPSS

0.002

Percentile

54.1%

JSON

Related for NVD:CVE-2023-2158

prion1 cvelist1 cve1