CVE-2023-6912 - OpenCVE

Lack of protection against brute force attacks in M-Files Server before 23.12.13205.0 allows an attacker unlimited authentication attempts, potentially compromising targeted M-Files user accounts by guessing passwords.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
M-files	M-files Server

Configuration 1 [-]

cpe:2.3:a:m-files:m-files_server:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://product.m-files.com/security-advisories/cve-2023-6912/

History

Wed, 28 Aug 2024 08:30:00 +0000

Type	Values Removed	Values Added
References	https://www.m-files.com/about/trust-center/security-advisories/cve-2023-6912/

Wed, 28 Aug 2024 08:15:00 +0000

Type	Values Removed	Values Added
Description	Lack of protection against brute force attacks in M-Files Server before 23.12.13205.0 allows an attacker unlimited authentication attempts, potentially compromising targeted M-Files user accounts by guessing passwords.	Lack of protection against brute force attacks in M-Files Server before 23.12.13205.0 allows an attacker unlimited authentication attempts, potentially compromising targeted M-Files user accounts by guessing passwords.
References		https://product.m-files.com/security-advisories/cve-2023-6912/

MITRE

Status: PUBLISHED

Assigner: M-Files Corporation

Published: 2023-12-20T09:35:46.232Z

Updated: 2024-08-28T08:06:13.495Z

Reserved: 2023-12-18T08:33:42.158Z

Link: CVE-2023-6912

Vulnrichment

No data.

NVD

Status : Modified

Published: 2023-12-20T10:15:08.703

Modified: 2024-08-28T08:15:06.777

Link: CVE-2023-6912

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-6912", "assignerOrgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410", "state": "PUBLISHED", "assignerShortName": "M-Files Corporation", "dateReserved": "2023-12-18T08:33:42.158Z", "datePublished": "2023-12-20T09:35:46.232Z", "dateUpdated": "2024-08-28T08:06:13.495Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "M-Files Server", "vendor": "M-Files Corporation", "versions": [{"lessThan": "23.12.13205.0", "status": "affected", "version": "0", "versionType": "custom"}, {"status": "unaffected", "version": "23.2 LTS SR6"}, {"status": "unaffected", "version": "23.8 LTS SR4"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Lack of protection against brute force attacks in M-Files Server before 23.12.13205.0 allows an attacker unlimited authentication attempts, potentially compromising targeted M-Files user accounts by guessing passwords.<br>"}], "value": "Lack of protection against brute force attacks in M-Files Server before 23.12.13205.0 allows an attacker unlimited authentication attempts, potentially compromising targeted M-Files user accounts by guessing passwords."}], "impacts": [{"capecId": "CAPEC-49", "descriptions": [{"lang": "en", "value": "CAPEC-49: Password Brute Forcing"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-307", "description": "CWE-307: Improper Restriction of Excessive Authentication Attempts", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410", "shortName": "M-Files Corporation", "dateUpdated": "2024-08-28T08:06:13.495Z"}, "references": [{"url": "https://product.m-files.com/security-advisories/cve-2023-6912/"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Update to patched version.<br>"}], "value": "Update to patched version."}], "source": {"discovery": "INTERNAL"}, "title": "Brute force vulnerability in M-Files user authentication", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T08:42:08.504Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.m-files.com/about/trust-center/security-advisories/cve-2023-6912/", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:m-files:m-files_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "D0AFFA84-5D0F-4F54-88D1-BDB1970D9369", "versionEndExcluding": "23.12.13205.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Lack of protection against brute force attacks in M-Files Server before 23.12.13205.0 allows an attacker unlimited authentication attempts, potentially compromising targeted M-Files user accounts by guessing passwords."}, {"lang": "es", "value": "La falta de protecci\u00f3n contra ataques de fuerza bruta en M-Files Server antes de 23.12.13205.0 permite a un atacante realizar intentos de autenticaci\u00f3n ilimitados, lo que podr\u00eda comprometer cuentas de usuarios de M-Files espec\u00edficas al adivinar contrase\u00f1as."}], "id": "CVE-2023-6912", "lastModified": "2024-08-28T08:15:06.777", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security@m-files.com", "type": "Secondary"}]}, "published": "2023-12-20T10:15:08.703", "references": [{"source": "security@m-files.com", "url": "https://product.m-files.com/security-advisories/cve-2023-6912/"}], "sourceIdentifier": "security@m-files.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-307"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-307"}], "source": "security@m-files.com", "type": "Secondary"}]}