CVE-2023-23841 - OpenCVE

SolarWinds Serv-U is submitting an HTTP request when changing or updating the attributes for File Share or File request.  Part of the URL of the request discloses sensitive data.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Solarwinds	Serv-u

Configuration 1 [-]

cpe:2.3:a:solarwinds:serv-u:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://documentation.solarwinds.com/en/success_center/servu/content/release_notes/serv-u_15-4_release_notes.htm
https://www.solarwinds.com/trust-center/security-advisories/CVE-2023-23841

History

No history.

MITRE

Status: PUBLISHED

Assigner: SolarWinds

Published: 2023-06-15T00:00:00

Updated: 2024-08-02T10:42:26.763Z

Reserved: 2023-01-18T00:00:00

Link: CVE-2023-23841

Vulnrichment

No data.

NVD

Status : Modified

Published: 2023-06-15T22:15:09.227

Modified: 2023-11-07T04:08:00.847

Link: CVE-2023-23841

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2023-23841", "assignerOrgId": "49f11609-934d-4621-84e6-e02e032104d6", "assignerShortName": "SolarWinds", "dateUpdated": "2024-08-02T10:42:26.763Z", "dateReserved": "2023-01-18T00:00:00", "datePublished": "2023-06-15T00:00:00"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "ServU", "vendor": "SolarWinds", "versions": [{"lessThanOrEqual": "15.3.2", "status": "affected", "version": "previous versions", "versionType": "15.4"}]}], "datePublic": "2023-05-16T17:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\n\n<span style=\"background-color: rgb(255, 255, 255);\">SolarWinds Serv-U is submitting an HTTP request when changing or updating </span><span style=\"background-color: rgb(255, 255, 255);\">the attributes</span><span style=\"background-color: rgb(255, 255, 255);\"> for File Share or File request.\u202f Part of the URL of the request discloses sensitive data.</span><span style=\"background-color: rgb(255, 255, 255);\"> </span>\n\n"}], "value": "\nSolarWinds Serv-U is submitting an HTTP request when changing or updating the attributes for File Share or File request.\u202f Part of the URL of the request discloses sensitive data.\u00a0\n\n"}], "impacts": [{"capecId": "CAPEC-204", "descriptions": [{"lang": "en", "value": "CAPEC-204 Lifting Sensitive Data Embedded in Cache"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-319", "description": "CWE-319 Cleartext Transmission of Sensitive Information", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "49f11609-934d-4621-84e6-e02e032104d6", "shortName": "SolarWinds", "dateUpdated": "2023-08-03T20:20:31.933Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2023-23841"}, {"tags": ["release-notes"], "url": "https://documentation.solarwinds.com/en/success_center/servu/content/release_notes/serv-u_15-4_release_notes.htm"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "SolarWinds recommends customers upgrade to SolarWinds Serv-U version 15.4 as soon as it becomes available. The expected release date is May 17, 2023."}], "value": "SolarWinds recommends customers upgrade to SolarWinds Serv-U version 15.4 as soon as it becomes available. The expected release date is May 17, 2023."}], "source": {"discovery": "EXTERNAL"}, "title": "SolarWinds Serv-U Exposure of Sensitive Information Vulnerability ", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T10:42:26.763Z"}, "title": "CVE Program Container", "references": [{"tags": ["vendor-advisory", "x_transferred"], "url": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2023-23841"}, {"tags": ["release-notes", "x_transferred"], "url": "https://documentation.solarwinds.com/en/success_center/servu/content/release_notes/serv-u_15-4_release_notes.htm"}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:solarwinds:serv-u:*:*:*:*:*:*:*:*", "matchCriteriaId": "61C98D46-08C2-430A-B3DC-E01F6E3F75BA", "versionEndExcluding": "15.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "\nSolarWinds Serv-U is submitting an HTTP request when changing or updating the attributes for File Share or File request.\u202f Part of the URL of the request discloses sensitive data.\u00a0\n\n"}, {"lang": "es", "value": "SolarWinds Serv-U est\u00e1 enviando una solicitud HTTP al cambiar o actualizar los atributos de \"File Share\" o \"File Request?\". Parte de la URL de la solicitud revela datos confidenciales. "}], "id": "CVE-2023-23841", "lastModified": "2023-11-07T04:08:00.847", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "psirt@solarwinds.com", "type": "Secondary"}]}, "published": "2023-06-15T22:15:09.227", "references": [{"source": "psirt@solarwinds.com", "url": "https://documentation.solarwinds.com/en/success_center/servu/content/release_notes/serv-u_15-4_release_notes.htm"}, {"source": "psirt@solarwinds.com", "url": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2023-23841"}], "sourceIdentifier": "psirt@solarwinds.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-319"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-319"}], "source": "psirt@solarwinds.com", "type": "Secondary"}]}