{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-4910", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2023-09-12T08:57:04.299Z", "datePublished": "2023-11-06T12:49:37.751Z", "dateUpdated": "2024-08-20T15:26:44.139Z"}, "containers": {"cna": {"title": "3scale-admin-portal: logged out users tokens can be accessed", "metrics": [{"other": {"content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A flaw was found In 3Scale Admin Portal. If a user logs out from the personal tokens page and then presses the back button in the browser, the tokens page is rendered from the browser cache."}], "affected": [{"vendor": "Red Hat", "product": "Red Hat 3scale API Management Platform 2", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "3scale-admin-portal", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:red_hat_3scale_amp:2"]}], "references": [{"url": "https://access.redhat.com/security/cve/CVE-2023-4910", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2238498", "name": "RHBZ#2238498", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "datePublic": "2023-09-12T00:00:00+00:00", "problemTypes": [{"descriptions": [{"cweId": "CWE-668", "description": "Exposure of Resource to Wrong Sphere", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-668: Exposure of Resource to Wrong Sphere", "workarounds": [{"lang": "en", "value": "No mitigation is yet available for this flaw."}], "timeline": [{"lang": "en", "time": "2023-09-12T00:00:00+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2023-09-12T00:00:00+00:00", "value": "Made public."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2024-08-20T15:26:44.139Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-4910", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-01-31T15:18:13.339253Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:27:12.993Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T07:44:52.210Z"}, "title": "CVE Program Container", "references": [{"url": "https://access.redhat.com/security/cve/CVE-2023-4910", "tags": ["vdb-entry", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2238498", "name": "RHBZ#2238498", "tags": ["issue-tracking", "x_refsource_REDHAT", "x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://access.redhat.com/security/cve/CVE-2023-4910", "tags": ["vdb-entry", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2238498", "name": "RHBZ#2238498", "tags": ["issue-tracking", "x_refsource_REDHAT", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T07:44:52.210Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-4910", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-01-31T15:18:13.339253Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-04-29T18:04:46.964Z"}, "title": "CISA ADP Vulnrichment"}], "cna": {"title": "3scale-admin-portal: logged out users tokens can be accessed", "metrics": [{"other": {"type": "Red Hat severity rating", "content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}}}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"cpes": ["cpe:/a:redhat:red_hat_3scale_amp:2"], "vendor": "Red Hat", "product": "Red Hat 3scale API Management Platform 2", "packageName": "3scale-admin-portal", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}], "timeline": [{"lang": "en", "time": "2023-09-12T00:00:00+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2023-09-12T00:00:00+00:00", "value": "Made public."}], "datePublic": "2023-09-12T00:00:00+00:00", "references": [{"url": "https://access.redhat.com/security/cve/CVE-2023-4910", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2238498", "name": "RHBZ#2238498", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "workarounds": [{"lang": "en", "value": "No mitigation is yet available for this flaw."}], "descriptions": [{"lang": "en", "value": "A flaw was found In 3Scale Admin Portal. If a user logs out from the personal tokens page and then presses the back button in the browser, the tokens page is rendered from the browser cache."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-668", "description": "Exposure of Resource to Wrong Sphere"}]}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2024-08-20T15:26:44.139Z"}, "x_redhatCweChain": "CWE-668: Exposure of Resource to Wrong Sphere"}}, "cveMetadata": {"cveId": "CVE-2023-4910", "state": "PUBLISHED", "dateUpdated": "2024-08-20T15:26:44.139Z", "dateReserved": "2023-09-12T08:57:04.299Z", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "datePublished": "2023-11-06T12:49:37.751Z", "assignerShortName": "redhat"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:3scale_api_management:2.0:*:*:*:*:*:*:*", "matchCriteriaId": "C5434CC8-66E0-4378-AAB3-B2FECDDE61BB", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found In 3Scale Admin Portal. If a user logs out from the personal tokens page and then presses the back button in the browser, the tokens page is rendered from the browser cache."}, {"lang": "es", "value": "Se encontr\u00f3 una falla en 3Scale Admin Portal. Si un usuario cierra sesi\u00f3n en la p\u00e1gina de tokens personales y luego presiona el bot\u00f3n atr\u00e1s en el navegador, la p\u00e1gina de tokens se representa desde la memoria cach\u00e9 del navegador."}], "id": "CVE-2023-4910", "lastModified": "2023-12-13T08:15:51.190", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "secalert@redhat.com", "type": "Secondary"}]}, "published": "2023-11-06T13:15:10.033", "references": [{"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/security/cve/CVE-2023-4910"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2238498"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-668"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-668"}], "source": "secalert@redhat.com", "type": "Secondary"}]}

{"bugzilla": {"description": "3scale-admin-portal: logged out users tokens can be accessed", "id": "2238498", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2238498"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "status": "draft"}, "cwe": "CWE-668", "details": ["A flaw was found In 3Scale Admin Portal. If a user logs out from the personal tokens page and then presses the back button in the browser, the tokens page is rendered from the browser cache.", "A flaw was found In 3Scale Admin Portal. If a user logs out from the personal tokens page and then presses the back button in the browser, the tokens page is rendered from the browser cache."], "mitigation": {"lang": "en:us", "value": "No mitigation is yet available for this flaw."}, "name": "CVE-2023-4910", "package_state": [{"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Affected", "package_name": "3scale-admin-portal", "product_name": "Red Hat 3scale API Management Platform 2"}], "public_date": "2023-09-12T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-4910\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-4910"], "statement": "This vulnerability requires direct access to the user browser in order to read the tokens page, hence the moderate impact.", "threat_severity": "Moderate"}