CVE-2023-45083 - Vulnerability Details - OpenCVE

Description

An Improper Privilege Management vulnerability exists in HyperCloud that will impact the ability for a user to authenticate against the management plane.

An authenticated admin-level user may be able to delete the "admin" or "serveradmin" users, which prevents authentication from subsequently succeeding.

This issue affects HyperCloud versions 1.0 to any release before 2.1.

Published: 2023-12-05

Score: 4.2 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

No analysis available yet.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

SoftIron

HyperCloud

unaffected

Version	Status	Constraints
`1.0`	affected	< 2.1

Configuration 1 [-]

cpe:2.3:a:softiron:hypercloud:*:*:*:*:*:*:*:*

No data.

No data available yet.

Remediation

No remediation available yet.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2023-49404	An Improper Privilege Management vulnerability exists in HyperCloud that will impact the ability for a user to authenticate against the management plane. An authenticated admin-level user may be able to delete the "admin" or "serveradmin" users, which prevents authentication from subsequently succeeding. This issue affects HyperCloud versions 1.0 to any release before 2.1.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00024.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://advisories.softiron.cloud

History

No history.

Subscriptions

Softiron Hypercloud

MITRE

Status: PUBLISHED

Assigner: SoftIron

Published: 2023-12-05T16:15:07.027Z

Updated: 2024-08-02T20:14:19.769Z

Reserved: 2023-10-03T19:37:55.180Z

Link: CVE-2023-45083

Vulnrichment

No data.

NVD

Status : Modified

Published: 2023-12-05T17:15:07.950

Modified: 2024-11-21T08:26:21.397

Link: CVE-2023-45083

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-269

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-45083", "assignerOrgId": "0a72a055-908d-47f5-a16a-1f09049c16c6", "state": "PUBLISHED", "assignerShortName": "SoftIron", "dateReserved": "2023-10-03T19:37:55.180Z", "datePublished": "2023-12-05T16:15:07.027Z", "dateUpdated": "2024-08-02T20:14:19.769Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "HyperCloud", "vendor": "SoftIron", "versions": [{"lessThan": "2.1", "status": "affected", "version": "1.0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<div>An Improper Privilege Management vulnerability exists in HyperCloud that will impact the ability for a user to authenticate against the management plane.</div><div><br></div><div>An authenticated admin-level user may be able to delete the \"admin\" or \"serveradmin\" users, which prevents authentication from subsequently succeeding.<br></div><p>This issue affects HyperCloud versions 1.0 to any release before 2.1.<br></p>"}], "value": "An Improper Privilege Management vulnerability exists in HyperCloud that will impact the ability for a user to authenticate against the management plane.\n\nAn authenticated admin-level user may be able to delete the \"admin\" or \"serveradmin\" users, which prevents authentication from subsequently succeeding.\n\nThis issue affects HyperCloud versions 1.0 to any release before 2.1.\n\n"}], "impacts": [{"capecId": "CAPEC-212", "descriptions": [{"lang": "en", "value": "CAPEC-212 Functionality Misuse"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 4.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-269", "description": "CWE-269 Improper Privilege Management", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "0a72a055-908d-47f5-a16a-1f09049c16c6", "shortName": "SoftIron", "dateUpdated": "2023-12-05T18:16:19.841Z"}, "references": [{"url": "https://advisories.softiron.cloud"}], "source": {"discovery": "INTERNAL"}, "title": "HyperCloud: \"admin\" and \"serveradmin\" users can be deleted", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T20:14:19.769Z"}, "title": "CVE Program Container", "references": [{"url": "https://advisories.softiron.cloud", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:softiron:hypercloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "554F36F7-6344-4F7A-A1BE-196927DD04E5", "versionEndExcluding": "2.1.0", "versionStartIncluding": "1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An Improper Privilege Management vulnerability exists in HyperCloud that will impact the ability for a user to authenticate against the management plane.\n\nAn authenticated admin-level user may be able to delete the \"admin\" or \"serveradmin\" users, which prevents authentication from subsequently succeeding.\n\nThis issue affects HyperCloud versions 1.0 to any release before 2.1.\n\n"}, {"lang": "es", "value": "Existe una vulnerabilidad de gesti\u00f3n de privilegios inadecuada en HyperCloud que afectar\u00e1 la capacidad de un usuario para autenticarse en el plano de gesti\u00f3n. Un usuario de nivel de administrador autenticado puede eliminar los usuarios \"admin\" o \"serveadmin\", lo que impide que la autenticaci\u00f3n se realice correctamente posteriormente. Este problema afecta a las versiones 1.0 de HyperCloud hasta cualquier versi\u00f3n anterior a la 2.1."}], "id": "CVE-2023-45083", "lastModified": "2024-11-21T08:26:21.397", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 4.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 0.6, "impactScore": 3.6, "source": "0a72a055-908d-47f5-a16a-1f09049c16c6", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 0.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-12-05T17:15:07.950", "references": [{"source": "0a72a055-908d-47f5-a16a-1f09049c16c6", "tags": ["Release Notes"], "url": "https://advisories.softiron.cloud"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes"], "url": "https://advisories.softiron.cloud"}], "sourceIdentifier": "0a72a055-908d-47f5-a16a-1f09049c16c6", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-269"}], "source": "0a72a055-908d-47f5-a16a-1f09049c16c6", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-269"}], "source": "nvd@nist.gov", "type": "Primary"}]}