{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-33972", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-05-24T13:46:35.954Z", "datePublished": "2023-09-27T18:15:18.162Z", "dateUpdated": "2024-09-23T19:08:40.769Z"}, "containers": {"cna": {"title": "Privilege escalation from having CREATE access on a keyspace in Scylladb", "problemTypes": [{"descriptions": [{"cweId": "CWE-269", "lang": "en", "description": "CWE-269: Improper Privilege Management", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/scylladb/scylladb/security/advisories/GHSA-ww5v-p45p-3vhq", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/scylladb/scylladb/security/advisories/GHSA-ww5v-p45p-3vhq"}], "affected": [{"vendor": "scylladb", "product": "scylladb", "versions": [{"version": "<= 5.2.8", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-09-27T18:16:04.248Z"}, "descriptions": [{"lang": "en", "value": "Scylladb is a NoSQL data store using the seastar framework, compatible with Apache Cassandra. Authenticated users who are authorized to create tables in a keyspace can escalate their privileges to access a table in the same keyspace, even if they don't have permissions for that table. This issue has not yet been patched. A workaround to address this issue is to disable CREATE privileges on a keyspace, and create new tables on behalf of other users."}], "source": {"advisory": "GHSA-ww5v-p45p-3vhq", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T15:54:14.148Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/scylladb/scylladb/security/advisories/GHSA-ww5v-p45p-3vhq", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/scylladb/scylladb/security/advisories/GHSA-ww5v-p45p-3vhq"}]}, {"affected": [{"vendor": "scylladb", "product": "scylladb", "cpes": ["cpe:2.3:a:scylladb:scylladb:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "5.2.8", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-23T18:53:24.827482Z", "id": "CVE-2023-33972", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-23T19:08:40.769Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/scylladb/scylladb/security/advisories/GHSA-ww5v-p45p-3vhq", "name": "https://github.com/scylladb/scylladb/security/advisories/GHSA-ww5v-p45p-3vhq", "tags": ["x_refsource_CONFIRM", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T15:54:14.148Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-33972", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-09-23T18:53:24.827482Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:scylladb:scylladb:*:*:*:*:*:*:*:*"], "vendor": "scylladb", "product": "scylladb", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "5.2.8"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-23T19:08:35.633Z"}}], "cna": {"title": "Privilege escalation from having CREATE access on a keyspace in Scylladb", "source": {"advisory": "GHSA-ww5v-p45p-3vhq", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "scylladb", "product": "scylladb", "versions": [{"status": "affected", "version": "<= 5.2.8"}]}], "references": [{"url": "https://github.com/scylladb/scylladb/security/advisories/GHSA-ww5v-p45p-3vhq", "name": "https://github.com/scylladb/scylladb/security/advisories/GHSA-ww5v-p45p-3vhq", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Scylladb is a NoSQL data store using the seastar framework, compatible with Apache Cassandra. Authenticated users who are authorized to create tables in a keyspace can escalate their privileges to access a table in the same keyspace, even if they don't have permissions for that table. This issue has not yet been patched. A workaround to address this issue is to disable CREATE privileges on a keyspace, and create new tables on behalf of other users."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-269", "description": "CWE-269: Improper Privilege Management"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-09-27T18:16:04.248Z"}}}, "cveMetadata": {"cveId": "CVE-2023-33972", "state": "PUBLISHED", "dateUpdated": "2024-09-23T19:08:40.769Z", "dateReserved": "2023-05-24T13:46:35.954Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2023-09-27T18:15:18.162Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:scylladb:scylladb:*:*:*:*:*:*:*:*", "matchCriteriaId": "C8162FB5-E6C6-4E6E-AEE2-7A61A2375710", "versionEndIncluding": "5.2.8", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Scylladb is a NoSQL data store using the seastar framework, compatible with Apache Cassandra. Authenticated users who are authorized to create tables in a keyspace can escalate their privileges to access a table in the same keyspace, even if they don't have permissions for that table. This issue has not yet been patched. A workaround to address this issue is to disable CREATE privileges on a keyspace, and create new tables on behalf of other users."}, {"lang": "es", "value": "Scylladb es un almac\u00e9n de datos NoSQL que utiliza el marco seastar, compatible con Apache Cassandra. Los usuarios autenticados que est\u00e1n autorizados a crear tablas en un espacio de claves pueden escalar sus privilegios para acceder a una tabla en el mismo espacio de claves, incluso si no tienen permisos para esa tabla. Este problema a\u00fan no se ha solucionado. Un workaround para solucionar este problema es deshabilitar los privilegios CREATE en un espacio de claves y crear nuevas tablas en nombre de otros usuarios."}], "id": "CVE-2023-33972", "lastModified": "2024-11-21T08:06:19.417", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-09-27T19:15:11.497", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/scylladb/scylladb/security/advisories/GHSA-ww5v-p45p-3vhq"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://github.com/scylladb/scylladb/security/advisories/GHSA-ww5v-p45p-3vhq"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-269"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{}