CVE-2023-41137 - OpenCVE

Symmetric encryption used to protect messages between the AppsAnywhere server and client can be broken by reverse engineering the client and used to impersonate the AppsAnywhere server.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Appsanywhere	Appsanywhere Client

Configuration 1 [-]

OR	cpe:2.3:a:appsanywhere:appsanywhere_client:1.4.0:::::windows::
	cpe:2.3:a:appsanywhere:appsanywhere_client:1.4.1:::::windows::
	cpe:2.3:a:appsanywhere:appsanywhere_client:1.5.1:::::windows::
	cpe:2.3:a:appsanywhere:appsanywhere_client:1.6.0:::::windows::
	cpe:2.3:a:appsanywhere:appsanywhere_client:2.0.0:::::windows::

Configuration 2 [-]

OR	cpe:2.3:a:appsanywhere:appsanywhere_client:1.4.0:::::macos::
	cpe:2.3:a:appsanywhere:appsanywhere_client:1.4.1:::::macos::
	cpe:2.3:a:appsanywhere:appsanywhere_client:1.5.1:::::macos::
	cpe:2.3:a:appsanywhere:appsanywhere_client:1.5.2:::::macos::
	cpe:2.3:a:appsanywhere:appsanywhere_client:1.6.0:::::macos::
	cpe:2.3:a:appsanywhere:appsanywhere_client:2.0.0:::::macos::

No data.

References

Link	Providers
https://docs.appsanywhere.com/appsanywhere/3.1/2023-11-security-advisory

History

No history.

MITRE

Status: PUBLISHED

Assigner: AppCheck

Published: 2023-11-09T15:07:51.211Z

Updated: 2024-09-04T13:44:57.980Z

Reserved: 2023-08-23T16:10:33.947Z

Link: CVE-2023-41137

Vulnrichment

Updated: 2024-08-02T18:54:04.439Z

NVD

Status : Modified

Published: 2023-11-09T15:15:08.333

Modified: 2024-09-04T14:35:04.010

Link: CVE-2023-41137

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-41137", "assignerOrgId": "2c188fdb-58e1-4908-8fce-3e437b94f1ae", "state": "PUBLISHED", "assignerShortName": "AppCheck", "dateReserved": "2023-08-23T16:10:33.947Z", "datePublished": "2023-11-09T15:07:51.211Z", "dateUpdated": "2024-09-04T13:44:57.980Z"}, "containers": {"cna": {"descriptions": [{"lang": "en", "value": "Symmetric encryption used to protect messages between the AppsAnywhere server and client can be broken by reverse engineering the client and used to impersonate the AppsAnywhere server."}], "affected": [{"vendor": "AppsAnywhere", "product": "AppsAnywhere Client", "defaultStatus": "unaffected", "versions": [{"version": "1.4.0", "status": "affected"}, {"version": "1.4.1", "status": "affected"}, {"version": "1.5.1", "status": "affected"}, {"version": "1.5.2", "status": "affected"}, {"version": "1.6.0", "status": "affected"}, {"version": "2.0.0", "status": "affected"}, {"version": "1.6.1", "status": "unaffected"}, {"version": "2.0.1", "status": "unaffected"}, {"version": "2.2.0", "status": "unaffected"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Use of Hard-coded Cryptographic Key", "cweId": "CWE-321"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "baseScore": 8, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "value": "Gaelan Steele", "type": "finder"}], "references": [{"name": "AppsAnywhere Security Advisory", "url": "https://docs.appsanywhere.com/appsanywhere/3.1/2023-11-security-advisory"}], "providerMetadata": {"orgId": "2c188fdb-58e1-4908-8fce-3e437b94f1ae", "shortName": "AppCheck", "dateUpdated": "2023-11-09T15:07:51.211Z"}, "x_generator": {"engine": "cveClient/1.0.14"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T18:54:04.439Z"}, "title": "CVE Program Container", "references": [{"name": "AppsAnywhere Security Advisory", "url": "https://docs.appsanywhere.com/appsanywhere/3.1/2023-11-security-advisory", "tags": ["x_transferred"]}]}, {"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-321", "lang": "en", "description": "CWE-321 Use of Hard-coded Cryptographic Key"}]}], "affected": [{"vendor": "appsanywhere", "product": "appsanywhere_client", "cpes": ["cpe:2.3:a:appsanywhere:appsanywhere_client:1.4.0:*:*:*:*:windows:*:*"], "defaultStatus": "unknown", "versions": [{"version": "1.4.0", "status": "affected"}]}, {"vendor": "appsanywhere", "product": "appsanywhere_client", "cpes": ["cpe:2.3:a:appsanywhere:appsanywhere_client:1.4.1:*:*:*:*:windows:*:*"], "defaultStatus": "unknown", "versions": [{"version": "1.4.1", "status": "affected"}]}, {"vendor": "appsanywhere", "product": "appsanywhere_client", "cpes": ["cpe:2.3:a:appsanywhere:appsanywhere_client:1.5.1:*:*:*:*:windows:*:*"], "defaultStatus": "unknown", "versions": [{"version": "1.5.1", "status": "affected"}]}, {"vendor": "appsanywhere", "product": "appsanywhere_client", "cpes": ["cpe:2.3:a:appsanywhere:appsanywhere_client:1.6.0:*:*:*:*:windows:*:*"], "defaultStatus": "unknown", "versions": [{"version": "1.6.0", "status": "affected"}]}, {"vendor": "appsanywhere", "product": "appsanywhere_client", "cpes": ["cpe:2.3:a:appsanywhere:appsanywhere_client:2.0.0:*:*:*:*:windows:*:*"], "defaultStatus": "unknown", "versions": [{"version": "2.0.0", "status": "affected"}]}, {"vendor": "appsanywhere", "product": "appsanywhere_client", "cpes": ["cpe:2.3:a:appsanywhere:appsanywhere_client:1.5.2:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "1.5.2", "status": "affected"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-04T13:41:50.135678Z", "id": "CVE-2023-41137", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-04T13:44:57.980Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://docs.appsanywhere.com/appsanywhere/3.1/2023-11-security-advisory", "name": "AppsAnywhere Security Advisory", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T18:54:04.439Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-41137", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-09-04T13:41:50.135678Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:appsanywhere:appsanywhere_client:1.4.0:*:*:*:*:windows:*:*"], "vendor": "appsanywhere", "product": "appsanywhere_client", "versions": [{"status": "affected", "version": "1.4.0"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:appsanywhere:appsanywhere_client:1.4.1:*:*:*:*:windows:*:*"], "vendor": "appsanywhere", "product": "appsanywhere_client", "versions": [{"status": "affected", "version": "1.4.1"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:appsanywhere:appsanywhere_client:1.5.1:*:*:*:*:windows:*:*"], "vendor": "appsanywhere", "product": "appsanywhere_client", "versions": [{"status": "affected", "version": "1.5.1"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:appsanywhere:appsanywhere_client:1.6.0:*:*:*:*:windows:*:*"], "vendor": "appsanywhere", "product": "appsanywhere_client", "versions": [{"status": "affected", "version": "1.6.0"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:appsanywhere:appsanywhere_client:2.0.0:*:*:*:*:windows:*:*"], "vendor": "appsanywhere", "product": "appsanywhere_client", "versions": [{"status": "affected", "version": "2.0.0"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:appsanywhere:appsanywhere_client:1.5.2:*:*:*:*:*:*:*"], "vendor": "appsanywhere", "product": "appsanywhere_client", "versions": [{"status": "affected", "version": "1.5.2"}], "defaultStatus": "unknown"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-321", "description": "CWE-321 Use of Hard-coded Cryptographic Key"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-04T13:44:41.766Z"}}], "cna": {"credits": [{"lang": "en", "type": "finder", "value": "Gaelan Steele"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "AppsAnywhere", "product": "AppsAnywhere Client", "versions": [{"status": "affected", "version": "1.4.0"}, {"status": "affected", "version": "1.4.1"}, {"status": "affected", "version": "1.5.1"}, {"status": "affected", "version": "1.5.2"}, {"status": "affected", "version": "1.6.0"}, {"status": "affected", "version": "2.0.0"}, {"status": "unaffected", "version": "1.6.1"}, {"status": "unaffected", "version": "2.0.1"}, {"status": "unaffected", "version": "2.2.0"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://docs.appsanywhere.com/appsanywhere/3.1/2023-11-security-advisory", "name": "AppsAnywhere Security Advisory"}], "x_generator": {"engine": "cveClient/1.0.14"}, "descriptions": [{"lang": "en", "value": "Symmetric encryption used to protect messages between the AppsAnywhere server and client can be broken by reverse engineering the client and used to impersonate the AppsAnywhere server."}], "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-321", "description": "Use of Hard-coded Cryptographic Key"}]}], "providerMetadata": {"orgId": "2c188fdb-58e1-4908-8fce-3e437b94f1ae", "shortName": "AppCheck", "dateUpdated": "2023-11-09T15:07:51.211Z"}}}, "cveMetadata": {"cveId": "CVE-2023-41137", "state": "PUBLISHED", "dateUpdated": "2024-09-04T13:44:57.980Z", "dateReserved": "2023-08-23T16:10:33.947Z", "assignerOrgId": "2c188fdb-58e1-4908-8fce-3e437b94f1ae", "datePublished": "2023-11-09T15:07:51.211Z", "assignerShortName": "AppCheck"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:appsanywhere:appsanywhere_client:1.4.0:*:*:*:*:windows:*:*", "matchCriteriaId": "A066D04C-B6DD-4F89-8C0A-DF9CBE036F6F", "vulnerable": true}, {"criteria": "cpe:2.3:a:appsanywhere:appsanywhere_client:1.4.1:*:*:*:*:windows:*:*", "matchCriteriaId": "FF9BC97D-2D43-4D4B-B339-C3DF7DA85FB0", "vulnerable": true}, {"criteria": "cpe:2.3:a:appsanywhere:appsanywhere_client:1.5.1:*:*:*:*:windows:*:*", "matchCriteriaId": "B0531D44-F920-42A9-B781-F2189E72A767", "vulnerable": true}, {"criteria": "cpe:2.3:a:appsanywhere:appsanywhere_client:1.6.0:*:*:*:*:windows:*:*", "matchCriteriaId": "EC323630-9657-4738-B49F-1A43AD666020", "vulnerable": true}, {"criteria": "cpe:2.3:a:appsanywhere:appsanywhere_client:2.0.0:*:*:*:*:windows:*:*", "matchCriteriaId": "AA48D48B-9CDD-4742-AB06-14278E9B794A", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:appsanywhere:appsanywhere_client:1.4.0:*:*:*:*:macos:*:*", "matchCriteriaId": "5694A750-1829-415C-B065-2C2A08DF2E4E", "vulnerable": true}, {"criteria": "cpe:2.3:a:appsanywhere:appsanywhere_client:1.4.1:*:*:*:*:macos:*:*", "matchCriteriaId": "4050A29D-EBB7-468A-B1B5-89DC9A6704DC", "vulnerable": true}, {"criteria": "cpe:2.3:a:appsanywhere:appsanywhere_client:1.5.1:*:*:*:*:macos:*:*", "matchCriteriaId": "2B8B2F87-807B-4B88-8B81-F77D90EFB4E3", "vulnerable": true}, {"criteria": "cpe:2.3:a:appsanywhere:appsanywhere_client:1.5.2:*:*:*:*:macos:*:*", "matchCriteriaId": "5B09E01F-FAA8-424D-8568-371A0B2B8B93", "vulnerable": true}, {"criteria": "cpe:2.3:a:appsanywhere:appsanywhere_client:1.6.0:*:*:*:*:macos:*:*", "matchCriteriaId": "5149EA76-2BBC-4AF6-8F41-9EFBADF669F4", "vulnerable": true}, {"criteria": "cpe:2.3:a:appsanywhere:appsanywhere_client:2.0.0:*:*:*:*:macos:*:*", "matchCriteriaId": "77E0BED8-DD64-47CD-9805-8020DA91D04E", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Symmetric encryption used to protect messages between the AppsAnywhere server and client can be broken by reverse engineering the client and used to impersonate the AppsAnywhere server."}, {"lang": "es", "value": "El cifrado sim\u00e9trico utilizado para proteger los mensajes entre el servidor y el cliente de AppsAnywhere se puede romper mediante ingenier\u00eda inversa en el cliente y utilizarse para hacerse pasar por el servidor de AppsAnywhere."}], "id": "CVE-2023-41137", "lastModified": "2024-09-04T14:35:04.010", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 5.9, "source": "info@appcheck-ng.com", "type": "Secondary"}]}, "published": "2023-11-09T15:15:08.333", "references": [{"source": "info@appcheck-ng.com", "tags": ["Vendor Advisory"], "url": "https://docs.appsanywhere.com/appsanywhere/3.1/2023-11-security-advisory"}], "sourceIdentifier": "info@appcheck-ng.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-798"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-321"}], "source": "info@appcheck-ng.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-321"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}