Lucene search

[email protected]NVD:CVE-2023-42419

HistoryMar 05, 2024 - 6:15 a.m.

CVE-2023-42419

2024-03-0506:15:52

[email protected]

web.nvd.nist.gov

maintenance server

china edition

private cryptographic key

administrative privileges

air-gapped server

command execution

CVSS3

3.8

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L

AI Score

4.3

Confidence

High

EPSS

Percentile

9.0%

JSON

Maintenance Server, in Cybellum’s QCOW air-gapped distribution (China Edition), versions 2.15.5 through 2.27, was compiled with a hard-coded private cryptographic key.

An attacker with administrative privileges & access to the air-gapped server could potentially use this key to run commands on the server.
The issue was resolved in version 2.28.
Earlier versions, including all Cybellum 1.x versions, and distributions for the rest of the world remain unaffected.

References

cybellum.com/

CVSS3

3.8

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L

AI Score

4.3

Confidence

High

EPSS

Percentile

9.0%

JSON

Related for NVD:CVE-2023-42419

cvelist1 cve1 prion1 vulnrichment1