CVE-2023-40253 : Improper Authentication vulnerability in Genians Genian NAC V4.0, Genians Genian

Improper Authentication vulnerability in Genians Genian NAC V4.0, Genians Genian NAC V5.0, Genians Genian NAC Suite V5.0, Genians Genian ZTNA allows Authentication Abuse.This issue affects Genian NAC V4.0: from V4.0.0 through V4.0.155; Genian NAC V5.0: from V5.0.0 through V5.0.42 (Revision 117460); Genian NAC Suite V5.0: from V5.0.0 through V5.0.54; Genian ZTNA: from V6.0.0 through V6.0.15.

Published 2023-08-11 06:15:11

Updated 2023-08-29 02:15:09

Source KrCERT/CC

View at NVD, CVE.org

Vulnerability category: BypassGain privilege

Products affected by CVE-2023-40253

Genians » Genian Nac »
Versions from including (>=) 5.0.0 and before (<) 5.0.55
cpe:2.3:a:genians:genian_nac:*:*:*:*:-:*:*:*
Matching versions
Genians » Genian Nac »
Versions from including (>=) 4.0.0 and before (<) 4.0.156
cpe:2.3:a:genians:genian_nac:*:*:*:*:-:*:*:*
Matching versions
Genians » Genian Nac » Version: 5.0.42 LTS Edition
cpe:2.3:a:genians:genian_nac:5.0.42:-:*:*:lts:*:*:*
Matching versions
Genians » Genian Nac » Version: 5.0.42 Update Revision 117460 LTS Edition
cpe:2.3:a:genians:genian_nac:5.0.42:revision_117460:*:*:lts:*:*:*
Matching versions
Genians » Genian Ztna
Versions from including (>=) 6.0.0 and before (<) 6.0.16
cpe:2.3:a:genians:genian_ztna:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2023-40253

EPSS FAQ

0.03%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 9 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2023-40253

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
9.8	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	3.9	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High
6.0	MEDIUM	CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N	1.5	4.0	KrCERT/CC
Attack Vector: Local Attack Complexity: Low Privileges Required: High User Interaction: None Scope: Changed Confidentiality: None Integrity: High Availability: None

CWE ids for CVE-2023-40253

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

Assigned by: vuln@krcert.or.kr (Secondary)
CWE-94 Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

Assigned by: vuln@krcert.or.kr (Secondary)
CWE-287 Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Assigned by:
- nvd@nist.gov (Primary)
- vuln@krcert.or.kr (Secondary)

References for CVE-2023-40253

https://www.genians.co.kr/notice/2023

지니언스 공식입장문
Vendor Advisory

CVEs referencing this url
https://docs.genians.com/nac/5.0/release/ko/advisories/GN-SA-2023-001.html

GN-SA-2023-001: Genian NAC - Multiple Vulnerabilities — Genians Documentation 5.0.55 documentation

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2023-40253

Products affected by CVE-2023-40253

Exploit prediction scoring system (EPSS) score for CVE-2023-40253

CVSS scores for CVE-2023-40253

CWE ids for CVE-2023-40253

References for CVE-2023-40253