Vulnerability Details : CVE-2023-42455
Wazuh is a security detection, visibility, and compliance open source project. In versions 4.4.0 and 4.4.1, it is possible to retrieve the Wazuh API administrator key used by the Dashboard through the browser's developer tools. This allows any user logged in to the dashboard to become an administrator of the API, even if their dashboard role does not grant administrator rights. Version 4.4.2 contains a fix. There are no known workarounds.
Products affected by CVE-2023-42455
- cpe:2.3:a:wazuh:wazuh-dashboard:*:*:*:*:*:wazuh:*:*
- cpe:2.3:a:wazuh:wazuh-kibana-app:*:*:*:*:*:wazuh:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-42455
EPSS score: 0.12% (probability of exploitation activity in the next 30 days)
EPSS percentile: ~46% (the proportion of vulnerabilities scored at or below this score)
CVSS scores for CVE-2023-42455
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
| 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 | NIST | |
| 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 | GitHub, Inc. | |
CWE ids for CVE-2023-42455
- The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

Assigned by:
- nvd@nist.gov (Primary)
- security-advisories@github.com (Secondary)
References for CVE-2023-42455
- https://github.com/wazuh/wazuh-kibana-app/security/advisories/GHSA-8w7x-52r7-qvjf
  User privilege escalation · Advisory · wazuh/wazuh-dashboard-plugins · GitHub (Patch; Vendor Advisory)
- https://github.com/wazuh/wazuh-dashboard-plugins/issues/5427
  Enhance the `getConfiguration` backend service · Issue #5427 · wazuh/wazuh-dashboard-plugins · GitHub (Issue Tracking)
- https://github.com/wazuh/wazuh-kibana-app/pull/5428
  Enhance the getConfiguration backend service by Desvelao · Pull Request #5428 · wazuh/wazuh-dashboard-plugins · GitHub (Patch)