CVE-2023-40236 : In Pexip VMR self-service portal before 3, the same SSH host key is used across

In Pexip VMR self-service portal before 3, the same SSH host key is used across different customers' installations, which allows authentication bypass.

Published 2023-12-25 06:15:08

Updated 2023-12-29 18:39:45

Source MITRE

View at NVD, CVE.org

Products affected by CVE-2023-40236

Pexip » Virtual Meeting Rooms
Versions before (<) 3.0
cpe:2.3:a:pexip:virtual_meeting_rooms:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2023-40236

EPSS FAQ

0.14%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 31 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2023-40236

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
5.3	MEDIUM	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N	1.6	3.6	NIST
Attack Vector: Network Attack Complexity: High Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: None Integrity: High Availability: None

CWE ids for CVE-2023-40236

CWE-798 Use of Hard-coded Credentials

The product contains hard-coded credentials, such as a password or cryptographic key.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2023-40236

https://docs.pexip.com/admin/security_bulletins.htm

Pexip security bulletins | Pexip Infinity Docs
Vendor Advisory

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2023-40236

Products affected by CVE-2023-40236

Exploit prediction scoring system (EPSS) score for CVE-2023-40236

CVSS scores for CVE-2023-40236

CWE ids for CVE-2023-40236

References for CVE-2023-40236