An authenticated attacker can leverage an exposed "box" object to read and write arbitrary files from disk, provided those files can be parsed as YAML or JSON. This issue was resolved in the Managed and SaaS deployments on February 1, 2023, and in version 23.2.1 of the Self-Managed version of InsightCloudSec.
Published 2023-03-21 17:15:12
Updated 2023-03-28 16:54:09
Source Rapid7, Inc.

Exploit prediction scoring system (EPSS) score for CVE-2023-1305

EPSS score: 0.07% (probability of exploitation activity in the next 30 days)
EPSS percentile: ~28% (the proportion of vulnerabilities that are scored at or less)

CVSS scores for CVE-2023-1305

Base Score: 8.1
Base Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Exploitability Score: 2.8
Impact Score: 5.2
Score Source: NIST

CWE ids for CVE-2023-1305

  • The product does not properly compartmentalize or isolate functionality, processes, or resources that require different privilege levels, rights, or permissions.
    Assigned by: cve@rapid7.com (Secondary)

References for CVE-2023-1305

Products affected by CVE-2023-1305
