CVE-2023-2418 - OpenCVE

A vulnerability was found in Konga 2.8.3 on Kong. It has been classified as problematic. This affects an unknown part of the component Login API. The manipulation leads to insufficiently random values. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to change the configuration settings. The associated identifier of this vulnerability is VDB-227715.

No CVSS v4.0

Attack Vector Adjacent Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Attack Vector Adjacent Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Adjacent Network

Access Complexity High

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:A/AC:H/Au:N/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Konghq	Kong

Configuration 1 [-]

cpe:2.3:a:konghq:kong:2.8.3:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/advisories/GHSA-9g4c-xm3g-f8hq
https://vuldb.com/?ctiid.227715
https://vuldb.com/?id.227715
https://www.cnblogs.com/andao/p/17330864.html

History

No history.

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2023-04-29T00:31:04.842Z

Updated: 2024-08-02T06:19:15.079Z

Reserved: 2023-04-28T16:52:40.949Z

Link: CVE-2023-2418

Vulnrichment

No data.

NVD

Status : Modified

Published: 2023-04-29T01:15:08.980

Modified: 2024-05-17T02:22:58.070

Link: CVE-2023-2418

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-2418", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2023-04-28T16:52:40.949Z", "datePublished": "2023-04-29T00:31:04.842Z", "dateUpdated": "2024-08-02T06:19:15.079Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2024-02-13T07:22:36.018Z"}, "title": "Konga Login API random values", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-330", "lang": "en", "description": "CWE-330 Insufficiently Random Values"}]}], "affected": [{"vendor": "n/a", "product": "Konga", "versions": [{"version": "2.8.3", "status": "affected"}], "modules": ["Login API"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was found in Konga 2.8.3 on Kong. It has been classified as problematic. This affects an unknown part of the component Login API. The manipulation leads to insufficiently random values. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to change the configuration settings. The associated identifier of this vulnerability is VDB-227715."}, {"lang": "de", "value": "Es wurde eine Schwachstelle in Konga 2.8.3 f\u00fcr Kong ausgemacht. Sie wurde als problematisch eingestuft. Es betrifft eine unbekannte Funktion der Komponente Login API. Durch Manipulation mit unbekannten Daten kann eine insufficiently random values-Schwachstelle ausgenutzt werden. Die Komplexit\u00e4t eines Angriffs ist eher hoch. Sie ist schwierig auszunutzen. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung. Als bestm\u00f6gliche Massnahme werden Anpassungen an der Konfiguration empfohlen."}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 3.1, "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseSeverity": "LOW"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 3.1, "vectorString": "CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseSeverity": "LOW"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 1.8, "vectorString": "AV:A/AC:H/Au:N/C:P/I:N/A:N"}}], "timeline": [{"time": "2023-04-28T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2023-04-28T00:00:00.000Z", "lang": "en", "value": "CVE reserved"}, {"time": "2023-04-28T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2023-05-24T08:37:31.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "the_whovian (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/?id.227715", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.227715", "tags": ["signature", "permissions-required"]}, {"url": "https://www.cnblogs.com/andao/p/17330864.html", "tags": ["broken-link", "exploit"]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T06:19:15.079Z"}, "title": "CVE Program Container", "references": [{"url": "https://vuldb.com/?id.227715", "tags": ["vdb-entry", "technical-description", "x_transferred"]}, {"url": "https://vuldb.com/?ctiid.227715", "tags": ["signature", "permissions-required", "x_transferred"]}, {"url": "https://www.cnblogs.com/andao/p/17330864.html", "tags": ["broken-link", "exploit", "x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:konghq:kong:2.8.3:*:*:*:*:*:*:*", "matchCriteriaId": "617BECC9-676B-496E-9BE5-61DE5555543B", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was found in Konga 2.8.3 on Kong. It has been classified as problematic. This affects an unknown part of the component Login API. The manipulation leads to insufficiently random values. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to change the configuration settings. The associated identifier of this vulnerability is VDB-227715."}], "id": "CVE-2023-2418", "lastModified": "2024-05-17T02:22:58.070", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "HIGH", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 1.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:A/AC:H/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 3.2, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 3.1, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 1.4, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2023-04-29T01:15:08.980", "references": [{"source": "nvd@nist.gov", "tags": ["Third Party Advisory"], "url": "https://github.com/advisories/GHSA-9g4c-xm3g-f8hq"}, {"source": "cna@vuldb.com", "tags": ["Permissions Required"], "url": "https://vuldb.com/?ctiid.227715"}, {"source": "cna@vuldb.com", "tags": ["Permissions Required"], "url": "https://vuldb.com/?id.227715"}, {"source": "cna@vuldb.com", "tags": ["Broken Link"], "url": "https://www.cnblogs.com/andao/p/17330864.html"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-330"}], "source": "cna@vuldb.com", "type": "Primary"}]}