CVE-2023-45083 - Vulnerability Details - OpenCVE

An Improper Privilege Management vulnerability exists in HyperCloud that will impact the ability for a user to authenticate against the management plane.

An authenticated admin-level user may be able to delete the "admin" or "serveradmin" users, which prevents authentication from subsequently succeeding.

This issue affects HyperCloud versions 1.0 to any release before 2.1.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00024.

Key SSVC decision points have not yet been added.

Vendors	Products
Softiron	Hypercloud

Configuration 1 [-]

cpe:2.3:a:softiron:hypercloud:*:*:*:*:*:*:*:*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2023-49404	An Improper Privilege Management vulnerability exists in HyperCloud that will impact the ability for a user to authenticate against the management plane. An authenticated admin-level user may be able to delete the "admin" or "serveradmin" users, which prevents authentication from subsequently succeeding. This issue affects HyperCloud versions 1.0 to any release before 2.1.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://advisories.softiron.cloud

History

No history.

MITRE

Status: PUBLISHED

Assigner: SoftIron

Published: 2023-12-05T16:15:07.027Z

Updated: 2024-08-02T20:14:19.769Z

Reserved: 2023-10-03T19:37:55.180Z

Link: CVE-2023-45083

Vulnrichment

No data.

NVD

Status : Modified

Published: 2023-12-05T17:15:07.950

Modified: 2024-11-21T08:26:21.397

Link: CVE-2023-45083

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-45083", "assignerOrgId": "0a72a055-908d-47f5-a16a-1f09049c16c6", "state": "PUBLISHED", "assignerShortName": "SoftIron", "dateReserved": "2023-10-03T19:37:55.180Z", "datePublished": "2023-12-05T16:15:07.027Z", "dateUpdated": "2024-08-02T20:14:19.769Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "HyperCloud", "vendor": "SoftIron", "versions": [{"lessThan": "2.1", "status": "affected", "version": "1.0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<div>An Improper Privilege Management vulnerability exists in HyperCloud that will impact the ability for a user to authenticate against the management plane.</div><div><br></div><div>An authenticated admin-level user may be able to delete the \"admin\" or \"serveradmin\" users, which prevents authentication from subsequently succeeding.<br></div><p>This issue affects HyperCloud versions 1.0 to any release before 2.1.<br></p>"}], "value": "An Improper Privilege Management vulnerability exists in HyperCloud that will impact the ability for a user to authenticate against the management plane.\n\nAn authenticated admin-level user may be able to delete the \"admin\" or \"serveradmin\" users, which prevents authentication from subsequently succeeding.\n\nThis issue affects HyperCloud versions 1.0 to any release before 2.1.\n\n"}], "impacts": [{"capecId": "CAPEC-212", "descriptions": [{"lang": "en", "value": "CAPEC-212 Functionality Misuse"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 4.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-269", "description": "CWE-269 Improper Privilege Management", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "0a72a055-908d-47f5-a16a-1f09049c16c6", "shortName": "SoftIron", "dateUpdated": "2023-12-05T18:16:19.841Z"}, "references": [{"url": "https://advisories.softiron.cloud"}], "source": {"discovery": "INTERNAL"}, "title": "HyperCloud: \"admin\" and \"serveradmin\" users can be deleted", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T20:14:19.769Z"}, "title": "CVE Program Container", "references": [{"url": "https://advisories.softiron.cloud", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:softiron:hypercloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "554F36F7-6344-4F7A-A1BE-196927DD04E5", "versionEndExcluding": "2.1.0", "versionStartIncluding": "1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An Improper Privilege Management vulnerability exists in HyperCloud that will impact the ability for a user to authenticate against the management plane.\n\nAn authenticated admin-level user may be able to delete the \"admin\" or \"serveradmin\" users, which prevents authentication from subsequently succeeding.\n\nThis issue affects HyperCloud versions 1.0 to any release before 2.1.\n\n"}, {"lang": "es", "value": "Existe una vulnerabilidad de gesti\u00f3n de privilegios inadecuada en HyperCloud que afectar\u00e1 la capacidad de un usuario para autenticarse en el plano de gesti\u00f3n. Un usuario de nivel de administrador autenticado puede eliminar los usuarios \"admin\" o \"serveadmin\", lo que impide que la autenticaci\u00f3n se realice correctamente posteriormente. Este problema afecta a las versiones 1.0 de HyperCloud hasta cualquier versi\u00f3n anterior a la 2.1."}], "id": "CVE-2023-45083", "lastModified": "2024-11-21T08:26:21.397", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 4.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 0.6, "impactScore": 3.6, "source": "0a72a055-908d-47f5-a16a-1f09049c16c6", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 0.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-12-05T17:15:07.950", "references": [{"source": "0a72a055-908d-47f5-a16a-1f09049c16c6", "tags": ["Release Notes"], "url": "https://advisories.softiron.cloud"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes"], "url": "https://advisories.softiron.cloud"}], "sourceIdentifier": "0a72a055-908d-47f5-a16a-1f09049c16c6", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-269"}], "source": "0a72a055-908d-47f5-a16a-1f09049c16c6", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-269"}], "source": "nvd@nist.gov", "type": "Primary"}]}