CVE-2023-3406 - Vulnerability Details - OpenCVE

Path Traversal issue in M-Files Classic Web versions below 23.6.12695.3 and LTS Service Release Versions before 23.2 LTS SR3 allows authenticated user to read some restricted files on the web server

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00098.

Key SSVC decision points have not yet been added.

Vendors	Products
M-files	Classic Web

Configuration 1 [-]

OR	cpe:2.3:a:m-files:classic_web:::::lts:::*
	cpe:2.3:a:m-files:classic_web:::::-:::*
	cpe:2.3:a:m-files:classic_web:23.2:-:::lts:::*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2023-44073	Path Traversal issue in M-Files Classic Web versions below 23.6.12695.3 and LTS Service Release Versions before 23.2 LTS SR3 allows authenticated user to read some restricted files on the web server

Fixes

Solution

Update to M-Files release versions 23.6 or newer, or update to LTS versions 23.2 SR3 or newer.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://product.m-files.com/security-advisories/cve-2023-3406/
https://www.m-files.com/about/trust-center/security-advisories/cve-2023-3406

History

Wed, 28 Aug 2024 19:30:00 +0000

Type	Values Removed	Values Added
References		https://www.m-files.com/about/trust-center/security-advisories/cve-2023-3406

Wed, 28 Aug 2024 09:45:00 +0000

Type	Values Removed	Values Added
References	https://www.m-files.com/about/trust-center/security-advisories/cve-2023-3406

Wed, 28 Aug 2024 08:45:00 +0000

Type	Values Removed	Values Added
References		https://product.m-files.com/security-advisories/cve-2023-3406/

MITRE

Status: PUBLISHED

Assigner: M-Files Corporation

Published: 2023-08-25T08:11:46.246Z

Updated: 2024-08-28T18:29:05.426Z

Reserved: 2023-06-26T13:29:10.505Z

Link: CVE-2023-3406

Vulnrichment

Updated: 2024-08-02T06:55:03.469Z

NVD

Status : Modified

Published: 2023-08-25T09:15:08.850

Modified: 2024-11-21T08:17:12.073

Link: CVE-2023-3406

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-3406", "assignerOrgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410", "state": "PUBLISHED", "assignerShortName": "M-Files Corporation", "dateReserved": "2023-06-26T13:29:10.505Z", "datePublished": "2023-08-25T08:11:46.246Z", "dateUpdated": "2024-08-28T18:29:05.426Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "M-Files Web", "vendor": "M-Files", "versions": [{"lessThan": "23.6.12695.3", "status": "affected", "version": "0", "versionType": "custom"}, {"status": "unaffected", "version": "23.2.12340.14"}]}], "datePublic": "2023-08-25T07:05:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Path Traversal issue in M-Files Classic Web versions below 23.6.12695.3 and LTS Service Release Versions before 23.2 LTS SR3 allows authenticated user to read some restricted files on the web server"}], "value": "Path Traversal issue in M-Files Classic Web versions below 23.6.12695.3 and LTS Service Release Versions before 23.2 LTS SR3 allows authenticated user to read some restricted files on the web server"}], "exploits": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "None publicly available"}], "value": "None publicly available"}], "impacts": [{"capecId": "CAPEC-126", "descriptions": [{"lang": "en", "value": "CAPEC-126 Path Traversal"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410", "shortName": "M-Files Corporation", "dateUpdated": "2024-08-28T08:25:40.141Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://product.m-files.com/security-advisories/cve-2023-3406/"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Update to M-Files release versions 23.6 or newer, or update to LTS versions 23.2 SR3 or newer."}], "value": "Update to M-Files release versions 23.6 or newer, or update to LTS versions 23.2 SR3 or newer."}], "source": {"discovery": "INTERNAL"}, "title": "Path traversal issue in M-Files Classic Web", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T06:55:03.469Z"}, "title": "CVE Program Container", "references": [{"tags": ["vendor-advisory", "x_transferred"], "url": "https://www.m-files.com/about/trust-center/security-advisories/cve-2023-3406"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-08-28T18:28:51.404395Z", "id": "CVE-2023-3406", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-28T18:29:05.426Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.m-files.com/about/trust-center/security-advisories/cve-2023-3406", "tags": ["vendor-advisory", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T06:55:03.469Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-3406", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-08-28T18:28:51.404395Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-28T18:29:01.040Z"}}], "cna": {"title": "Path traversal issue in M-Files Classic Web", "source": {"discovery": "INTERNAL"}, "impacts": [{"capecId": "CAPEC-126", "descriptions": [{"lang": "en", "value": "CAPEC-126 Path Traversal"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "M-Files", "product": "M-Files Web", "versions": [{"status": "affected", "version": "0", "lessThan": "23.6.12695.3", "versionType": "custom"}, {"status": "unaffected", "version": "23.2.12340.14"}], "defaultStatus": "unaffected"}], "exploits": [{"lang": "en", "value": "None publicly available", "supportingMedia": [{"type": "text/html", "value": "None publicly available", "base64": false}]}], "solutions": [{"lang": "en", "value": "Update to M-Files release versions 23.6 or newer, or update to LTS versions 23.2 SR3 or newer.", "supportingMedia": [{"type": "text/html", "value": "Update to M-Files release versions 23.6 or newer, or update to LTS versions 23.2 SR3 or newer.", "base64": false}]}], "datePublic": "2023-08-25T07:05:00.000Z", "references": [{"url": "https://product.m-files.com/security-advisories/cve-2023-3406/", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "Path Traversal issue in M-Files Classic Web versions below 23.6.12695.3 and LTS Service Release Versions before 23.2 LTS SR3 allows authenticated user to read some restricted files on the web server", "supportingMedia": [{"type": "text/html", "value": "Path Traversal issue in M-Files Classic Web versions below 23.6.12695.3 and LTS Service Release Versions before 23.2 LTS SR3 allows authenticated user to read some restricted files on the web server", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410", "shortName": "M-Files Corporation", "dateUpdated": "2024-08-28T08:25:40.141Z"}}}, "cveMetadata": {"cveId": "CVE-2023-3406", "state": "PUBLISHED", "dateUpdated": "2024-08-28T18:29:05.426Z", "dateReserved": "2023-06-26T13:29:10.505Z", "assignerOrgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410", "datePublished": "2023-08-25T08:11:46.246Z", "assignerShortName": "M-Files Corporation"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:m-files:classic_web:*:*:*:*:lts:*:*:*", "matchCriteriaId": "89B60851-49D1-40DA-A600-658BCC986BF6", "versionEndExcluding": "23.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:m-files:classic_web:*:*:*:*:-:*:*:*", "matchCriteriaId": "CE7A65F9-84AD-47E9-8C64-3585D5855FEA", "versionEndExcluding": "23.6.12695.3", "vulnerable": true}, {"criteria": "cpe:2.3:a:m-files:classic_web:23.2:-:*:*:lts:*:*:*", "matchCriteriaId": "4E66A68C-65E6-48E9-97DD-621B4B73D975", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Path Traversal issue in M-Files Classic Web versions below 23.6.12695.3 and LTS Service Release Versions before 23.2 LTS SR3 allows authenticated user to read some restricted files on the web server"}, {"lang": "es", "value": "Un problema de path traversal en las versiones de M-Files Classic Web, el cual afecta a las versiones inferiores a 23.6.12695.3 y a las versiones de lanzamiento del servicio LTS inferiores a 23.2 LTS SR3. Esta vulnerabilidad permite a un usuario autenticado leer algunos archivos restringidos en el servidor web."}], "id": "CVE-2023-3406", "lastModified": "2024-11-21T08:17:12.073", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 4.0, "source": "security@m-files.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-08-25T09:15:08.850", "references": [{"source": "security@m-files.com", "url": "https://product.m-files.com/security-advisories/cve-2023-3406/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.m-files.com/about/trust-center/security-advisories/cve-2023-3406"}], "sourceIdentifier": "security@m-files.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security@m-files.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}]}