CVE-2023-25074 - OpenCVE

Improper privilege validation in Command Centre Server allows authenticated unprivileged operators to modify and view Competencies. This issue affects Command Centre: vEL8.90 prior to vEL8.90.1318 (MR1), vEL8.80 prior to vEL8.80.1192 (MR2), vEL8.70 prior to vEL8.70.2185 (MR4), vEL8.60 prior to vEL8.60.2347 (MR6), vEL8.50 prior to vEL8.50.2831 (MR8), all versions vEL8.40 and prior.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Gallagher	Command Centre

Configuration 1 [-]

OR	cpe:2.3:a:gallagher:command_centre::::::::
	cpe:2.3:a:gallagher:command_centre::::::::
	cpe:2.3:a:gallagher:command_centre::::::::
	cpe:2.3:a:gallagher:command_centre::::::::
	cpe:2.3:a:gallagher:command_centre::::::::
	cpe:2.3:a:gallagher:command_centre::::::::

No data.

References

Link	Providers
https://security.gallagher.com/en-NZ/Security-Advisories/CVE-2023-25074

History

No history.

MITRE

Status: PUBLISHED

Assigner: Gallagher

Published: 2023-07-24T23:05:24.657Z

Updated: 2024-08-02T11:11:44.252Z

Reserved: 2023-02-03T20:38:05.215Z

Link: CVE-2023-25074

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2023-07-25T00:15:09.637

Modified: 2023-08-01T19:47:47.580

Link: CVE-2023-25074

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-25074", "assignerOrgId": "0c426f27-3ee1-4eff-be88-288d5a1822bc", "state": "PUBLISHED", "assignerShortName": "Gallagher", "dateReserved": "2023-02-03T20:38:05.215Z", "datePublished": "2023-07-24T23:05:24.657Z", "dateUpdated": "2024-08-02T11:11:44.252Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "0c426f27-3ee1-4eff-be88-288d5a1822bc", "shortName": "Gallagher", "dateUpdated": "2023-07-27T05:39:07.574Z"}, "title": "Competency access levels not enforced in the server", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-285", "description": "CWE-285 Improper Authorization", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-122", "descriptions": [{"lang": "en", "value": "CAPEC-122 Privilege Abuse"}]}], "affected": [{"vendor": "Gallagher", "product": "Command Centre", "versions": [{"status": "affected", "version": "vEL8.40"}, {"status": "affected", "version": "vEL8.50", "lessThan": "2831", "versionType": "custom"}, {"status": "affected", "version": "vEL8.60", "lessThan": "2347", "versionType": "custom"}, {"status": "affected", "version": "vEL8.70", "lessThan": "2185", "versionType": "custom"}, {"status": "affected", "version": "vEL8.80", "lessThan": "1192", "versionType": "custom"}, {"status": "affected", "version": "vEL8.90", "lessThan": "1318", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "\nImproper privilege validation in Command Centre Server allows authenticated unprivileged operators to modify and view Competencies.\n\n\n\n\n\n\nThis issue affects Command Centre: vEL8.90 prior to vEL8.90.1318 (MR1), vEL8.80 prior to vEL8.80.1192 (MR2), vEL8.70 prior to vEL8.70.2185 (MR4), \n\nvEL8.60 prior to vEL8.60.2347 (MR6),\n\nvEL8.50 prior to vEL8.50.2831 (MR8), all versions vEL8.40 and prior.\n\n\n", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>\n\n<span style=\"background-color: rgb(255, 255, 255);\">Improper privilege validation in Command Centre Server allows authenticated unprivileged operators to modify and view Competencies.</span>\n\n<br></p><p>\n\nThis issue affects Command Centre: vEL8.90 prior to vEL8.90.1318 (MR1), vEL8.80 prior to vEL8.80.1192 (MR2), vEL8.70 prior to vEL8.70.2185 (MR4), \n\n<span style=\"background-color: rgb(255, 255, 255);\">vEL8.60 prior to vEL8.60.2347 (MR6),</span>\n\nvEL8.50 prior to vEL8.50.2831 (MR8), all versions vEL8.40 and prior.<br></p>"}]}], "references": [{"url": "https://security.gallagher.com/en-NZ/Security-Advisories/CVE-2023-25074"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "LOW", "baseSeverity": "HIGH", "baseScore": 7.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L"}}], "source": {"discovery": "INTERNAL"}, "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T11:11:44.252Z"}, "title": "CVE Program Container", "references": [{"url": "https://security.gallagher.com/en-NZ/Security-Advisories/CVE-2023-25074", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gallagher:command_centre:*:*:*:*:*:*:*:*", "matchCriteriaId": "E51DC51C-E4D6-4C8D-8235-10258F79A6C5", "versionEndIncluding": "8.40.2216", "vulnerable": true}, {"criteria": "cpe:2.3:a:gallagher:command_centre:*:*:*:*:*:*:*:*", "matchCriteriaId": "B23146CE-CE9D-4850-8169-D0C168A3D037", "versionEndExcluding": "8.50.2831", "versionStartIncluding": "8.50", "vulnerable": true}, {"criteria": "cpe:2.3:a:gallagher:command_centre:*:*:*:*:*:*:*:*", "matchCriteriaId": "12131674-A0E9-4A12-BA87-C9207DA8C34C", "versionEndExcluding": "8.60.2347", "versionStartIncluding": "8.60", "vulnerable": true}, {"criteria": "cpe:2.3:a:gallagher:command_centre:*:*:*:*:*:*:*:*", "matchCriteriaId": "CE1E36DB-F15E-449A-A672-4853D31CE064", "versionEndExcluding": "8.70.2185", "versionStartIncluding": "8.70", "vulnerable": true}, {"criteria": "cpe:2.3:a:gallagher:command_centre:*:*:*:*:*:*:*:*", "matchCriteriaId": "92A438BA-DC52-4253-B5B6-4BE8CD7A1CCA", "versionEndExcluding": "8.80.1192", "versionStartIncluding": "8.80", "vulnerable": true}, {"criteria": "cpe:2.3:a:gallagher:command_centre:*:*:*:*:*:*:*:*", "matchCriteriaId": "110D9A0C-409D-4B1F-84B6-274B15D87CA3", "versionEndExcluding": "8.90.1318", "versionStartIncluding": "8.90", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "\nImproper privilege validation in Command Centre Server allows authenticated unprivileged operators to modify and view Competencies.\n\n\n\n\n\n\nThis issue affects Command Centre: vEL8.90 prior to vEL8.90.1318 (MR1), vEL8.80 prior to vEL8.80.1192 (MR2), vEL8.70 prior to vEL8.70.2185 (MR4), \n\nvEL8.60 prior to vEL8.60.2347 (MR6),\n\nvEL8.50 prior to vEL8.50.2831 (MR8), all versions vEL8.40 and prior.\n\n\n"}], "id": "CVE-2023-25074", "lastModified": "2023-08-01T19:47:47.580", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.2, "source": "disclosures@gallagher.com", "type": "Secondary"}]}, "published": "2023-07-25T00:15:09.637", "references": [{"source": "disclosures@gallagher.com", "tags": ["Vendor Advisory"], "url": "https://security.gallagher.com/en-NZ/Security-Advisories/CVE-2023-25074"}], "sourceIdentifier": "disclosures@gallagher.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-285"}], "source": "disclosures@gallagher.com", "type": "Secondary"}]}