Lucene search

[email protected]NVD:CVE-2023-45808

HistoryApr 15, 2024 - 6:15 p.m.

CVE-2023-45808

2024-04-1518:15:08

CWE-639

[email protected]

web.nvd.nist.gov

cve-2023-45808

object creation

user silo

http request

security patch

itop 2.7.10

itop 3.0.4

itop 3.1.1

itop 3.2.0

4.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N

4.4 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

15.5%

JSON

iTop is an IT service management platform. When creating or updating an object, extkey values aren’t checked to be in the current user silo. In other words, by forging an http request, the user can create objects pointing to out of silo objects (for example a UserRequest in an out of scope Organization). Fixed in iTop 2.7.10, 3.0.4, 3.1.1, and 3.2.0.

References

github.com/Combodo/iTop/commit/5a434486443a2cf8b8a288475aada54d0a068ca7

github.com/Combodo/iTop/commit/8f61c02cbe17badff87bff9b8ada85e783c47385

github.com/Combodo/iTop/security/advisories/GHSA-245j-66p9-pwmh

4.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N

4.4 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

15.5%

JSON

Related for NVD:CVE-2023-45808

cvelist1 vulnrichment1 cve1 osv1