NVD:CVE-2023-45152
Oct 17, 2023 - 12:15 a.m.

CVE-2023-45152

2023-10-17 00:15:11
CWE-918
web.nvd.nist.gov
cve-2023-45152
engelsystem
shift planning
ssrf
import schedule
port scan
vulnerability
commit ee7d30b33
patch
operators
http services
localhost
additional authentication

CVSS3: 2.3 Low

Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: HIGH
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

AI Score: 3.5 Low (Confidence: High)

EPSS: 0.0004 Low (Percentile: 9.1%)

Engelsystem is a shift planning system for chaos events. A Blind SSRF in the “Import schedule” functionality makes it possible to perform a port scan against the local environment. This vulnerability has been fixed in commit ee7d30b33. If a patch cannot be deployed, operators should ensure that no HTTP(s) services listen on localhost and/or systems only reachable from the host running the engelsystem software. If such services are necessary, they should utilize additional authentication.

Affected configurations

NVD
Node: engelsystem engelsystem, Range: <2023-09-18
