Lucene search

PRIOn knowledge basePRION:CVE-2023-7102

HistoryDec 24, 2023 - 10:15 p.m.

Design/Logic Flaw

2023-12-2422:15:00

PRIOn knowledge base

www.prio-n.com

parameter injection

third party library

barracuda networks inc

vulnerability

nvd

logic flaw

barracuda esg appliance

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.2 High

AI Score

Confidence

Low

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.001 Low

EPSS

Percentile

39.9%

JSON

Use of a Third Party library produced a vulnerability in Barracuda Networks Inc. Barracuda ESG Appliance which allowed Parameter Injection.This issue affected Barracuda ESG Appliance, from 5.1.3.001 through 9.2.1.001, until Barracuda removed the vulnerable logic.

CPENameOperatorVersion
email_security_gateway_300_firmwarege5.1.3.001
email_security_gateway_300_firmwarele9.2.1.001
email_security_gateway_400_firmwarege5.1.3.001
email_security_gateway_400_firmwarele9.2.1.001
email_security_gateway_600_firmwarege5.1.3.001
email_security_gateway_600_firmwarele9.2.1.001
email_security_gateway_800_firmwarege5.1.3.001
email_security_gateway_800_firmwarele9.2.1.001
email_security_gateway_900_firmwarege5.1.3.001
email_security_gateway_900_firmwarele9.2.1.001

Name	Operator	Version
email_security_gateway_300_firmware	ge	5.1.3.001
email_security_gateway_300_firmware	le	9.2.1.001
email_security_gateway_400_firmware	ge	5.1.3.001
email_security_gateway_400_firmware	le	9.2.1.001
email_security_gateway_600_firmware	ge	5.1.3.001
email_security_gateway_600_firmware	le	9.2.1.001
email_security_gateway_800_firmware	ge	5.1.3.001
email_security_gateway_800_firmware	le	9.2.1.001
email_security_gateway_900_firmware	ge	5.1.3.001
email_security_gateway_900_firmware	le	9.2.1.001

References

github.com/haile01/perl_spreadsheet_excel_rce_poc

github.com/jmcnamara/spreadsheet-parseexcel/blob/c7298592e102a375d43150cd002feed806557c15/lib/Spreadsheet/ParseExcel/Utility.pm

github.com/mandiant/Vulnerability-Disclosures/blob/master/2023/MNDT-2023-0019.md

metacpan.org/dist/Spreadsheet-ParseExcel

www.barracuda.com/company/legal/esg-vulnerability

www.cve.org/CVERecord?id=CVE-2023-7101

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.2 High

AI Score

Confidence

Low

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.001 Low

EPSS

Percentile

39.9%

JSON

Related for PRION:CVE-2023-7102