Vulnerability Details : CVE-2023-1939

No access control for the OTP key on OTP entries in Devolutions Remote Desktop Manager Windows 2022.3.33.0 and prior versions and Remote Desktop Manager Linux 2022.3.2.0 and prior versions allows non admin users to see OTP keys via the user interface.

Published 2023-04-11 18:15:58

Updated 2023-04-21 17:59:36

Source Devolutions Inc.

View at NVD, CVE.org

Exploit prediction scoring system (EPSS) score for CVE-2023-1939

Probability of exploitation activity in the next 30 days: 0.05%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 12 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2023-1939

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Source
4.3	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N	2.8	1.4	[email protected]
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: Low Integrity: None Availability: None

CWE ids for CVE-2023-1939

CWE-732 Incorrect Permission Assignment for Critical Resource

The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

Assigned by: [email protected] (Primary)

References for CVE-2023-1939

https://devolutions.net/security/advisories/DEVO-2023-0009

Vendor Advisory

CVEs referencing this url

Products affected by CVE-2023-1939

Devolutions » Remote Desktop Manager » For Linux
Versions up to, including, (<=) 2022.3.2.0
cpe:2.3:a:devolutions:remote_desktop_manager:*:*:*:*:*:linux:*:*
Matching versions
Devolutions » Remote Desktop Manager » For Windows
Versions up to, including, (<=) 2022.3.33.0
cpe:2.3:a:devolutions:remote_desktop_manager:*:*:*:*:*:windows:*:*
Matching versions