CVE-2023-40053 - Vulnerability Details - OpenCVE

A vulnerability has been identified within Serv-U 15.4 that allows an authenticated actor to insert content on the file share function feature of Serv-U, which could be used maliciously.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00056.

Key SSVC decision points have not yet been added.

Vendors	Products
Solarwinds	Serv-u

Configuration 1 [-]

OR	cpe:2.3:a:solarwinds:serv-u:15.4.0:-::::::
	cpe:2.3:a:solarwinds:serv-u:15.4.0:hotfix1::::::
	cpe:2.3:a:solarwinds:serv-u:15.4.0:hotfix2::::::

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2023-44660	A vulnerability has been identified within Serv-U 15.4 that allows an authenticated actor to insert content on the file share function feature of Serv-U, which could be used maliciously.

Fixes

Solution

SolarWinds advises to upgrade to the latest version of Serv-U 15.4.1 once became generally available.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://documentation.solarwinds.com/en/success_center/servu/content/release_notes/servu_15-4-1_release_notes.htm
https://www.solarwinds.com/trust-center/security-advisories/CVE-2023-40053

History

No history.

MITRE

Status: PUBLISHED

Assigner: SolarWinds

Published: 2023-12-06T03:23:59.651Z

Updated: 2024-08-02T18:24:54.649Z

Reserved: 2023-08-08T23:22:08.618Z

Link: CVE-2023-40053

Vulnrichment

No data.

NVD

Status : Modified

Published: 2023-12-06T04:15:07.523

Modified: 2024-11-21T08:18:36.703

Link: CVE-2023-40053

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-40053", "assignerOrgId": "49f11609-934d-4621-84e6-e02e032104d6", "state": "PUBLISHED", "assignerShortName": "SolarWinds", "dateReserved": "2023-08-08T23:22:08.618Z", "datePublished": "2023-12-06T03:23:59.651Z", "dateUpdated": "2024-08-02T18:24:54.649Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Serv-U", "vendor": "SolarWinds", "versions": [{"status": "affected", "version": "15.4 and previous versions"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Igor Souza"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "A vulnerability has been identified within Serv-U 15.4 that allows an authenticated actor to insert content on the file share function feature of Serv-U, which could be used maliciously. "}], "value": "A vulnerability has been identified within Serv-U 15.4 that allows an authenticated actor to insert content on the file share function feature of Serv-U, which could be used maliciously. "}], "impacts": [{"capecId": "CAPEC-500", "descriptions": [{"lang": "en", "value": "CAPEC-500 WebView Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "description": "CWE-20 Improper Input Validation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "49f11609-934d-4621-84e6-e02e032104d6", "shortName": "SolarWinds", "dateUpdated": "2023-12-28T17:06:54.418Z"}, "references": [{"url": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2023-40053"}, {"url": "https://documentation.solarwinds.com/en/success_center/servu/content/release_notes/servu_15-4-1_release_notes.htm"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\n\nSolarWinds advises to upgrade to the latest version of Serv-U 15.4.1 once became generally available.\n\n<br>"}], "value": "\nSolarWinds advises to upgrade to the latest version of Serv-U 15.4.1 once became generally available.\n\n\n"}], "source": {"discovery": "UNKNOWN"}, "title": "HTML injection Vulnerability in Serv-U 15.4", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T18:24:54.649Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2023-40053", "tags": ["x_transferred"]}, {"url": "https://documentation.solarwinds.com/en/success_center/servu/content/release_notes/servu_15-4-1_release_notes.htm", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:solarwinds:serv-u:15.4.0:-:*:*:*:*:*:*", "matchCriteriaId": "E5D87E13-3438-4299-80B2-A7C0746DBF51", "vulnerable": true}, {"criteria": "cpe:2.3:a:solarwinds:serv-u:15.4.0:hotfix1:*:*:*:*:*:*", "matchCriteriaId": "258C9475-8149-4889-BC71-69A6D6AAD23F", "vulnerable": true}, {"criteria": "cpe:2.3:a:solarwinds:serv-u:15.4.0:hotfix2:*:*:*:*:*:*", "matchCriteriaId": "2D7FB620-2913-4972-997F-93E7BDA9C627", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability has been identified within Serv-U 15.4 that allows an authenticated actor to insert content on the file share function feature of Serv-U, which could be used maliciously. "}, {"lang": "es", "value": "Se ha identificado una vulnerabilidad en Serv-U 15.4 que permite a un actor autenticado insertar contenido en la funci\u00f3n de compartir archivos de Serv-U, que podr\u00eda usarse de manera maliciosa."}], "id": "CVE-2023-40053", "lastModified": "2024-11-21T08:18:36.703", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 1.4, "source": "psirt@solarwinds.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Secondary"}]}, "published": "2023-12-06T04:15:07.523", "references": [{"source": "psirt@solarwinds.com", "tags": ["Release Notes"], "url": "https://documentation.solarwinds.com/en/success_center/servu/content/release_notes/servu_15-4-1_release_notes.htm"}, {"source": "psirt@solarwinds.com", "tags": ["Vendor Advisory"], "url": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2023-40053"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes"], "url": "https://documentation.solarwinds.com/en/success_center/servu/content/release_notes/servu_15-4-1_release_notes.htm"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2023-40053"}], "sourceIdentifier": "psirt@solarwinds.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "psirt@solarwinds.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}