CVE-2022-27891
CVSS base score: 5.3
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Exploitability: 3.9 / Impact: 1.4
Source: NVD
Description
Palantir Gotham included an unauthenticated endpoint that listed all active usernames on the stack with an active session. The affected services have been patched and automatically deployed to all Apollo-managed Gotham instances. It is highly recommended that customers upgrade all affected services to the latest version. This issue affects: Palantir Gotham versions prior to 103.30221005.0.
Affected (1)
Related CWEs
CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CWE-306
Missing Authentication for Critical Function
The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
References (2)
Source: cve-coordination@palantir.com
Vendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Vendor Advisory