Lucene search

GoogleOSV:CVE-2023-45808

HistoryApr 15, 2024 - 6:15 p.m.

CVE-2023-45808

2024-04-1518:15:08

Google

osv.dev

itop

service management

security

vulnerability

cve

extkey values

4.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N

6.9 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

15.8%

JSON

iTop is an IT service management platform. When creating or updating an object, extkey values aren’t checked to be in the current user silo. In other words, by forging an http request, the user can create objects pointing to out of silo objects (for example a UserRequest in an out of scope Organization). Fixed in iTop 2.7.10, 3.0.4, 3.1.1, and 3.2.0.

CPENameOperatorVersion
itopeq2.7.6
itopeq2.7.0-2
itopeq2.7.9
itopeq2.7.0-alpha1
itopeq2.7.0-rc2
itopeq2.7.8
itopeq2.6.0-products
itopeq2.7.0-rc
itopeq2.6.4
itopeq2.7.3-2

Name	Operator	Version
itop	eq	2.7.6
itop	eq	2.7.0-2
itop	eq	2.7.9
itop	eq	2.7.0-alpha1
itop	eq	2.7.0-rc2
itop	eq	2.7.8
itop	eq	2.6.0-products
itop	eq	2.7.0-rc
itop	eq	2.6.4
itop	eq	2.7.3-2

Rows per page:

1-10 of 421

References

github.com/Combodo/iTop/commit/5a434486443a2cf8b8a288475aada54d0a068ca7

github.com/Combodo/iTop/commit/8f61c02cbe17badff87bff9b8ada85e783c47385

github.com/Combodo/iTop/security/advisories/GHSA-245j-66p9-pwmh

4.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N

6.9 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

15.8%

JSON

Related for OSV:CVE-2023-45808