CVE-2023-3425 - Vulnerability Details - OpenCVE

Out-of-bounds read issue in M-Files Server versions below 23.8.12892.6 and LTS Service Release Versions before 23.2 LTS SR3 allows unauthenticated user to read restricted amount of bytes from memory.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00128.

Key SSVC decision points have not yet been added.

Vendors	Products
M-files	Classic Web

Configuration 1 [-]

OR	cpe:2.3:a:m-files:classic_web:::::lts:::*
	cpe:2.3:a:m-files:classic_web:::::-:::*
	cpe:2.3:a:m-files:classic_web:23.2:-:::lts:::*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2023-44091	Out-of-bounds read issue in M-Files Server versions below 23.8.12892.6 and LTS Service Release Versions before 23.2 LTS SR3 allows unauthenticated user to read restricted amount of bytes from memory.

Fixes

Solution

Update to M-Files release versions 23.8 or newer, or update to LTS versions 23.2 SR3 or newer

Workaround

No workaround given by the vendor.

References

Link	Providers
https://product.m-files.com/security-advisories/cve-2023-3425/
https://www.m-files.com/about/trust-center/security-advisories/cve-2023-3425

History

Wed, 28 Aug 2024 19:30:00 +0000

Type	Values Removed	Values Added
References		https://www.m-files.com/about/trust-center/security-advisories/cve-2023-3425

Wed, 28 Aug 2024 09:45:00 +0000

Type	Values Removed	Values Added
References	https://www.m-files.com/about/trust-center/security-advisories/cve-2023-3425

Wed, 28 Aug 2024 08:45:00 +0000

Type	Values Removed	Values Added
References		https://product.m-files.com/security-advisories/cve-2023-3425/

MITRE

Status: PUBLISHED

Assigner: M-Files Corporation

Published: 2023-08-25T08:08:05.954Z

Updated: 2024-08-28T18:29:48.168Z

Reserved: 2023-06-27T05:38:34.710Z

Link: CVE-2023-3425

Vulnrichment

Updated: 2024-08-02T06:55:03.431Z

NVD

Status : Modified

Published: 2023-08-25T09:15:08.937

Modified: 2024-11-21T08:17:14.357

Link: CVE-2023-3425

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-3425", "assignerOrgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410", "state": "PUBLISHED", "assignerShortName": "M-Files Corporation", "dateReserved": "2023-06-27T05:38:34.710Z", "datePublished": "2023-08-25T08:08:05.954Z", "dateUpdated": "2024-08-28T18:29:48.168Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "M-Files Server", "vendor": "M-Files", "versions": [{"lessThan": "23.8.12892.6", "status": "affected", "version": "0", "versionType": "custom"}, {"status": "unaffected", "version": "23.2.12340.14"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Out-of-bounds read issue in M-Files Server versions below 23.8.12892.6 and LTS Service Release Versions before 23.2 LTS SR3 allows unauthenticated user to read restricted amount of bytes from memory."}], "value": "Out-of-bounds read issue in M-Files Server versions below 23.8.12892.6 and LTS Service Release Versions before 23.2 LTS SR3 allows unauthenticated user to read restricted amount of bytes from memory."}], "exploits": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "None publicly available<br>"}], "value": "None publicly available"}], "impacts": [{"capecId": "CAPEC-540", "descriptions": [{"lang": "en", "value": "CAPEC-540: Overread Buffers"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-125", "description": "CWE-125: Out-of-bounds Read", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410", "shortName": "M-Files Corporation", "dateUpdated": "2024-08-28T08:25:10.044Z"}, "references": [{"url": "https://product.m-files.com/security-advisories/cve-2023-3425/"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Update to M-Files release versions 23.8 or newer, or update to LTS versions 23.2 SR3 or newer<br>"}], "value": "Update to M-Files release versions 23.8 or newer, or update to LTS versions 23.2 SR3 or newer"}], "source": {"discovery": "INTERNAL"}, "title": "CVE-2023-3425: Out-of-Bounds memory read", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T06:55:03.431Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.m-files.com/about/trust-center/security-advisories/cve-2023-3425", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-08-28T18:29:38.276025Z", "id": "CVE-2023-3425", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-28T18:29:48.168Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.m-files.com/about/trust-center/security-advisories/cve-2023-3425", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T06:55:03.431Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-3425", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-08-28T18:29:38.276025Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-28T18:29:43.395Z"}}], "cna": {"title": "CVE-2023-3425: Out-of-Bounds memory read", "source": {"discovery": "INTERNAL"}, "impacts": [{"capecId": "CAPEC-540", "descriptions": [{"lang": "en", "value": "CAPEC-540: Overread Buffers"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "M-Files", "product": "M-Files Server", "versions": [{"status": "affected", "version": "0", "lessThan": "23.8.12892.6", "versionType": "custom"}, {"status": "unaffected", "version": "23.2.12340.14"}], "defaultStatus": "unaffected"}], "exploits": [{"lang": "en", "value": "None publicly available", "supportingMedia": [{"type": "text/html", "value": "None publicly available<br>", "base64": false}]}], "solutions": [{"lang": "en", "value": "Update to M-Files release versions 23.8 or newer, or update to LTS versions 23.2 SR3 or newer", "supportingMedia": [{"type": "text/html", "value": "Update to M-Files release versions 23.8 or newer, or update to LTS versions 23.2 SR3 or newer<br>", "base64": false}]}], "references": [{"url": "https://product.m-files.com/security-advisories/cve-2023-3425/"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "Out-of-bounds read issue in M-Files Server versions below 23.8.12892.6 and LTS Service Release Versions before 23.2 LTS SR3 allows unauthenticated user to read restricted amount of bytes from memory.", "supportingMedia": [{"type": "text/html", "value": "Out-of-bounds read issue in M-Files Server versions below 23.8.12892.6 and LTS Service Release Versions before 23.2 LTS SR3 allows unauthenticated user to read restricted amount of bytes from memory.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-125", "description": "CWE-125: Out-of-bounds Read"}]}], "providerMetadata": {"orgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410", "shortName": "M-Files Corporation", "dateUpdated": "2024-08-28T08:25:10.044Z"}}}, "cveMetadata": {"cveId": "CVE-2023-3425", "state": "PUBLISHED", "dateUpdated": "2024-08-28T18:29:48.168Z", "dateReserved": "2023-06-27T05:38:34.710Z", "assignerOrgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410", "datePublished": "2023-08-25T08:08:05.954Z", "assignerShortName": "M-Files Corporation"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:m-files:classic_web:*:*:*:*:lts:*:*:*", "matchCriteriaId": "89B60851-49D1-40DA-A600-658BCC986BF6", "versionEndExcluding": "23.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:m-files:classic_web:*:*:*:*:-:*:*:*", "matchCriteriaId": "CE7A65F9-84AD-47E9-8C64-3585D5855FEA", "versionEndExcluding": "23.6.12695.3", "vulnerable": true}, {"criteria": "cpe:2.3:a:m-files:classic_web:23.2:-:*:*:lts:*:*:*", "matchCriteriaId": "4E66A68C-65E6-48E9-97DD-621B4B73D975", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Out-of-bounds read issue in M-Files Server versions below 23.8.12892.6 and LTS Service Release Versions before 23.2 LTS SR3 allows unauthenticated user to read restricted amount of bytes from memory."}, {"lang": "es", "value": "Un problema de lectura fuera de los l\u00edmites en M-Files Server, el cual afecta a las versiones inferiores a 23.8.12892.6 y a las versiones de lanzamiento del servicio LTS inferiores a 23.2 LTS SR3. Esta vulnerabilidad permite a un usuario no autenticado leer una cantidad restringida de bytes de la memoria."}], "id": "CVE-2023-3425", "lastModified": "2024-11-21T08:17:14.357", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 4.2, "source": "security@m-files.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-08-25T09:15:08.937", "references": [{"source": "security@m-files.com", "url": "https://product.m-files.com/security-advisories/cve-2023-3425/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.m-files.com/about/trust-center/security-advisories/cve-2023-3425"}], "sourceIdentifier": "security@m-files.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-125"}], "source": "security@m-files.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-125"}], "source": "nvd@nist.gov", "type": "Primary"}]}