CVE-2023-23841 - Vulnerability Details - OpenCVE

SolarWinds Serv-U is submitting an HTTP request when changing or updating the attributes for File Share or File request.  Part of the URL of the request discloses sensitive data.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00075.

Exploitation none

Automatable yes

Technical Impact partial

Vendors	Products
Solarwinds Subscribe	Serv-u Subscribe

Configuration 1 [-]

cpe:2.3:a:solarwinds:serv-u:*:*:*:*:*:*:*:*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2023-27927	SolarWinds Serv-U is submitting an HTTP request when changing or updating the attributes for File Share or File request.  Part of the URL of the request discloses sensitive data.

Fixes

Solution

SolarWinds recommends customers upgrade to SolarWinds Serv-U version 15.4 as soon as it becomes available. The expected release date is May 17, 2023.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://documentation.solarwinds.com/en/success_center/servu/content/release_notes/serv-u_15-4_release_notes.htm
https://www.solarwinds.com/trust-center/security-advisories/CVE-2023-23841

History

Thu, 12 Dec 2024 21:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: SolarWinds

Published: 2023-06-15T00:00:00

Updated: 2024-12-12T21:02:58.158Z

Reserved: 2023-01-18T00:00:00

Link: CVE-2023-23841

Vulnrichment

Updated: 2024-08-02T10:42:26.763Z

NVD

Status : Modified

Published: 2023-06-15T22:15:09.227

Modified: 2024-11-21T07:46:56.070

Link: CVE-2023-23841

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-319

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2023-23841", "assignerOrgId": "49f11609-934d-4621-84e6-e02e032104d6", "assignerShortName": "SolarWinds", "dateUpdated": "2024-12-12T21:02:58.158Z", "dateReserved": "2023-01-18T00:00:00", "datePublished": "2023-06-15T00:00:00"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "ServU", "vendor": "SolarWinds", "versions": [{"lessThanOrEqual": "15.3.2", "status": "affected", "version": "previous versions", "versionType": "15.4"}]}], "datePublic": "2023-05-16T17:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\n\n<span style=\"background-color: rgb(255, 255, 255);\">SolarWinds Serv-U is submitting an HTTP request when changing or updating </span><span style=\"background-color: rgb(255, 255, 255);\">the attributes</span><span style=\"background-color: rgb(255, 255, 255);\"> for File Share or File request.\u202f Part of the URL of the request discloses sensitive data.</span><span style=\"background-color: rgb(255, 255, 255);\"> </span>\n\n"}], "value": "\nSolarWinds Serv-U is submitting an HTTP request when changing or updating the attributes for File Share or File request.\u202f Part of the URL of the request discloses sensitive data.\u00a0\n\n"}], "impacts": [{"capecId": "CAPEC-204", "descriptions": [{"lang": "en", "value": "CAPEC-204 Lifting Sensitive Data Embedded in Cache"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-319", "description": "CWE-319 Cleartext Transmission of Sensitive Information", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "49f11609-934d-4621-84e6-e02e032104d6", "shortName": "SolarWinds", "dateUpdated": "2023-08-03T20:20:31.933Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2023-23841"}, {"tags": ["release-notes"], "url": "https://documentation.solarwinds.com/en/success_center/servu/content/release_notes/serv-u_15-4_release_notes.htm"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "SolarWinds recommends customers upgrade to SolarWinds Serv-U version 15.4 as soon as it becomes available. The expected release date is May 17, 2023."}], "value": "SolarWinds recommends customers upgrade to SolarWinds Serv-U version 15.4 as soon as it becomes available. The expected release date is May 17, 2023."}], "source": {"discovery": "EXTERNAL"}, "title": "SolarWinds Serv-U Exposure of Sensitive Information Vulnerability ", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T10:42:26.763Z"}, "title": "CVE Program Container", "references": [{"tags": ["vendor-advisory", "x_transferred"], "url": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2023-23841"}, {"tags": ["release-notes", "x_transferred"], "url": "https://documentation.solarwinds.com/en/success_center/servu/content/release_notes/serv-u_15-4_release_notes.htm"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-12-12T21:02:22.696382Z", "id": "CVE-2023-23841", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-12-12T21:02:58.158Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2023-23841", "tags": ["vendor-advisory", "x_transferred"]}, {"url": "https://documentation.solarwinds.com/en/success_center/servu/content/release_notes/serv-u_15-4_release_notes.htm", "tags": ["release-notes", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T10:42:26.763Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-23841", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-12-12T21:02:22.696382Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-12-12T21:02:53.978Z"}}], "cna": {"title": "SolarWinds Serv-U Exposure of Sensitive Information Vulnerability ", "source": {"discovery": "EXTERNAL"}, "impacts": [{"capecId": "CAPEC-204", "descriptions": [{"lang": "en", "value": "CAPEC-204 Lifting Sensitive Data Embedded in Cache"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "SolarWinds", "product": "ServU", "versions": [{"status": "affected", "version": "previous versions", "versionType": "15.4", "lessThanOrEqual": "15.3.2"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "SolarWinds recommends customers upgrade to SolarWinds Serv-U version 15.4 as soon as it becomes available. The expected release date is May 17, 2023.", "supportingMedia": [{"type": "text/html", "value": "SolarWinds recommends customers upgrade to SolarWinds Serv-U version 15.4 as soon as it becomes available. The expected release date is May 17, 2023.", "base64": false}]}], "datePublic": "2023-05-16T17:00:00.000Z", "references": [{"url": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2023-23841", "tags": ["vendor-advisory"]}, {"url": "https://documentation.solarwinds.com/en/success_center/servu/content/release_notes/serv-u_15-4_release_notes.htm", "tags": ["release-notes"]}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "\nSolarWinds Serv-U is submitting an HTTP request when changing or updating the attributes for File Share or File request.\u202f Part of the URL of the request discloses sensitive data.\u00a0\n\n", "supportingMedia": [{"type": "text/html", "value": "\n\n<span style=\"background-color: rgb(255, 255, 255);\">SolarWinds Serv-U is submitting an HTTP request when changing or updating </span><span style=\"background-color: rgb(255, 255, 255);\">the attributes</span><span style=\"background-color: rgb(255, 255, 255);\"> for File Share or File request.\u202f Part of the URL of the request discloses sensitive data.</span><span style=\"background-color: rgb(255, 255, 255);\"> </span>\n\n", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-319", "description": "CWE-319 Cleartext Transmission of Sensitive Information"}]}], "providerMetadata": {"orgId": "49f11609-934d-4621-84e6-e02e032104d6", "shortName": "SolarWinds", "dateUpdated": "2023-08-03T20:20:31.933Z"}}}, "cveMetadata": {"cveId": "CVE-2023-23841", "state": "PUBLISHED", "dateUpdated": "2024-12-12T21:02:58.158Z", "dateReserved": "2023-01-18T00:00:00", "assignerOrgId": "49f11609-934d-4621-84e6-e02e032104d6", "datePublished": "2023-06-15T00:00:00", "assignerShortName": "SolarWinds"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:solarwinds:serv-u:*:*:*:*:*:*:*:*", "matchCriteriaId": "61C98D46-08C2-430A-B3DC-E01F6E3F75BA", "versionEndExcluding": "15.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "\nSolarWinds Serv-U is submitting an HTTP request when changing or updating the attributes for File Share or File request.\u202f Part of the URL of the request discloses sensitive data.\u00a0\n\n"}, {"lang": "es", "value": "SolarWinds Serv-U est\u00e1 enviando una solicitud HTTP al cambiar o actualizar los atributos de \"File Share\" o \"File Request?\". Parte de la URL de la solicitud revela datos confidenciales. "}], "id": "CVE-2023-23841", "lastModified": "2024-11-21T07:46:56.070", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "psirt@solarwinds.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-06-15T22:15:09.227", "references": [{"source": "psirt@solarwinds.com", "url": "https://documentation.solarwinds.com/en/success_center/servu/content/release_notes/serv-u_15-4_release_notes.htm"}, {"source": "psirt@solarwinds.com", "url": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2023-23841"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://documentation.solarwinds.com/en/success_center/servu/content/release_notes/serv-u_15-4_release_notes.htm"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2023-23841"}], "sourceIdentifier": "psirt@solarwinds.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-319"}], "source": "psirt@solarwinds.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-319"}], "source": "nvd@nist.gov", "type": "Primary"}]}