Lucene search

GoogleOSV:CVE-2023-50294

HistoryDec 26, 2023 - 8:15 a.m.

CVE-2023-50294

2023-12-2608:15:11

Google

osv.dev

cve-2023-50294

cleartext storage

sensitive information

secret access key

external service

attacker

software

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

6.3 Medium

AI Score

Confidence

Low

0.0005 Low

EPSS

Percentile

18.3%

JSON

The App Settings (/admin/app) page in GROWI versions prior to v6.0.6 stores sensitive information in cleartext form. As a result, the Secret access key for external service may be obtained by an attacker who can access the App Settings page.

CPENameOperatorVersion
growieq5.0.8
growieq4.5.0-slackbot-proxy.0
growieq3.2.4-RC
growieq1.5.3
growieq4.4.9
growieq1.0.0-RC6
growieq6.0.3
growieq4.5.3-slackbot-proxy.0
growieq4.4.6-slackbot-proxy.0
growieq4.4.11

Name	Operator	Version
growi	eq	5.0.8
growi	eq	4.5.0-slackbot-proxy.0
growi	eq	3.2.4-RC
growi	eq	1.5.3
growi	eq	4.4.9
growi	eq	1.0.0-RC6
growi	eq	6.0.3
growi	eq	4.5.3-slackbot-proxy.0
growi	eq	4.4.6-slackbot-proxy.0
growi	eq	4.4.11

Rows per page:

1-10 of 871

References

jvn.jp/en/jp/JVN18715935/

weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6/

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

6.3 Medium

AI Score

Confidence

Low

0.0005 Low

EPSS

Percentile

18.3%

JSON

Related for OSV:CVE-2023-50294