CVE-2023-6718 - OpenCVE

An authentication bypass vulnerability has been found in Repox, which allows a remote user to send a specially crafted POST request, due to the lack of any authentication method, resulting in the alteration or creation of users.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Europeana	Repox

Configuration 1 [-]

cpe:2.3:a:europeana:repox:2.3.7:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-repox

History

No history.

MITRE

Status: PUBLISHED

Assigner: INCIBE

Published: 2023-12-13T09:08:24.080Z

Updated: 2024-08-02T08:35:14.908Z

Reserved: 2023-12-12T08:04:43.267Z

Link: CVE-2023-6718

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2023-12-13T09:15:34.780

Modified: 2023-12-18T17:39:26.267

Link: CVE-2023-6718

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-6718", "assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "state": "PUBLISHED", "assignerShortName": "INCIBE", "dateReserved": "2023-12-12T08:04:43.267Z", "datePublished": "2023-12-13T09:08:24.080Z", "dateUpdated": "2024-08-02T08:35:14.908Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Repox", "vendor": "Repox", "versions": [{"lessThanOrEqual": "2.3.7", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "David C\u00e1mara Galindo"}, {"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Andr\u00e9s Elizalde Galdeano"}], "datePublic": "2023-12-12T11:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "An authentication bypass vulnerability has been found in Repox, which allows a remote user to send a specially crafted POST request, due to the lack of any authentication method, resulting in the alteration or creation of users."}], "value": "An authentication bypass vulnerability has been found in Repox, which allows a remote user to send a specially crafted POST request, due to the lack of any authentication method, resulting in the alteration or creation of users."}], "impacts": [{"capecId": "CAPEC-127", "descriptions": [{"lang": "en", "value": "CAPEC-127 Directory Indexing"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 9.4, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-288", "description": "CWE-288 Authentication Bypass Using an Alternate Path or Channel", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "shortName": "INCIBE", "dateUpdated": "2023-12-13T09:08:24.080Z"}, "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-repox"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "There is no reported solution at this time."}], "value": "There is no reported solution at this time."}], "source": {"discovery": "EXTERNAL"}, "title": "Authentication Bypass Using an Alternate Path or Channel in Repox", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T08:35:14.908Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-repox", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:europeana:repox:2.3.7:*:*:*:*:*:*:*", "matchCriteriaId": "FA4CFB07-33A3-44FB-A484-9C23CD4AA5B3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An authentication bypass vulnerability has been found in Repox, which allows a remote user to send a specially crafted POST request, due to the lack of any authentication method, resulting in the alteration or creation of users."}, {"lang": "es", "value": "Se ha encontrado una vulnerabilidad de omisi\u00f3n de autenticaci\u00f3n en Repox, que permite a un usuario remoto enviar una solicitud POST especialmente manipulada, debido a la falta de cualquier m\u00e9todo de autenticaci\u00f3n, lo que resulta en la alteraci\u00f3n o creaci\u00f3n de usuarios."}], "id": "CVE-2023-6718", "lastModified": "2023-12-18T17:39:26.267", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 9.4, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.5, "source": "cve-coordination@incibe.es", "type": "Secondary"}]}, "published": "2023-12-13T09:15:34.780", "references": [{"source": "cve-coordination@incibe.es", "tags": ["Third Party Advisory"], "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-repox"}], "sourceIdentifier": "cve-coordination@incibe.es", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-306"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-288"}], "source": "cve-coordination@incibe.es", "type": "Secondary"}]}