CVE-2023-31143 - OpenCVE

mage-ai is an open-source data pipeline tool for transforming and integrating data. Those who use Mage starting in version 0.8.34 and prior to 0.8.72 with user authentication enabled may be affected by a vulnerability. The terminal could be accessed by users who are not signed in or do not have editor permissions. Version 0.8.72 contains a fix for this issue.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Mage	Mage-ai

Configuration 1 [-]

cpe:2.3:a:mage:mage-ai:*:*:*:*:*:python:*:*

No data.

References

Link	Providers
https://github.com/mage-ai/mage-ai/commit/f63cd00f6a3be372397d37a4c9a49bfaf50d7650
https://github.com/mage-ai/mage-ai/security/advisories/GHSA-c6mm-2g84-v4m7

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-05-09T14:59:42.330Z

Updated: 2024-08-02T14:45:25.801Z

Reserved: 2023-04-24T21:44:10.417Z

Link: CVE-2023-31143

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2023-05-09T15:15:10.303

Modified: 2023-05-16T16:56:16.440

Link: CVE-2023-31143

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-31143", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-04-24T21:44:10.417Z", "datePublished": "2023-05-09T14:59:42.330Z", "dateUpdated": "2024-08-02T14:45:25.801Z"}, "containers": {"cna": {"title": "Mage terminal user authentication not working properly", "problemTypes": [{"descriptions": [{"cweId": "CWE-306", "lang": "en", "description": "CWE-306: Missing Authentication for Critical Function", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/mage-ai/mage-ai/security/advisories/GHSA-c6mm-2g84-v4m7", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/mage-ai/mage-ai/security/advisories/GHSA-c6mm-2g84-v4m7"}, {"name": "https://github.com/mage-ai/mage-ai/commit/f63cd00f6a3be372397d37a4c9a49bfaf50d7650", "tags": ["x_refsource_MISC"], "url": "https://github.com/mage-ai/mage-ai/commit/f63cd00f6a3be372397d37a4c9a49bfaf50d7650"}], "affected": [{"vendor": "mage-ai", "product": "mage-ai", "versions": [{"version": ">= 0.8.34, < 0.8.72", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-05-09T14:59:42.330Z"}, "descriptions": [{"lang": "en", "value": "mage-ai is an open-source data pipeline tool for transforming and integrating data. Those who use Mage starting in version 0.8.34 and prior to 0.8.72 with user authentication enabled may be affected by a vulnerability. The terminal could be accessed by users who are not signed in or do not have editor permissions. Version 0.8.72 contains a fix for this issue."}], "source": {"advisory": "GHSA-c6mm-2g84-v4m7", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T14:45:25.801Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/mage-ai/mage-ai/security/advisories/GHSA-c6mm-2g84-v4m7", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/mage-ai/mage-ai/security/advisories/GHSA-c6mm-2g84-v4m7"}, {"name": "https://github.com/mage-ai/mage-ai/commit/f63cd00f6a3be372397d37a4c9a49bfaf50d7650", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/mage-ai/mage-ai/commit/f63cd00f6a3be372397d37a4c9a49bfaf50d7650"}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mage:mage-ai:*:*:*:*:*:python:*:*", "matchCriteriaId": "ADC4138D-0C19-4231-AB14-FBF575748E57", "versionEndExcluding": "0.8.72", "versionStartIncluding": "0.8.34", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "mage-ai is an open-source data pipeline tool for transforming and integrating data. Those who use Mage starting in version 0.8.34 and prior to 0.8.72 with user authentication enabled may be affected by a vulnerability. The terminal could be accessed by users who are not signed in or do not have editor permissions. Version 0.8.72 contains a fix for this issue."}], "id": "CVE-2023-31143", "lastModified": "2023-05-16T16:56:16.440", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2023-05-09T15:15:10.303", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/mage-ai/mage-ai/commit/f63cd00f6a3be372397d37a4c9a49bfaf50d7650"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/mage-ai/mage-ai/security/advisories/GHSA-c6mm-2g84-v4m7"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-306"}], "source": "security-advisories@github.com", "type": "Primary"}]}