CVE-2023-30948

Published: Jun 6, 2023Modified: Nov 21, 2024

6.5

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Exploitability: 2.8 / Impact: 3.6

Source: NVD

Description

A security defect in Foundry's Comments functionality resulted in the retrieval of attachments to comments not being gated by additional authorization checks. This could enable an authenticated user to inject a prior discovered attachment UUID into other arbitrary comments to discover it's content. This defect was fixed in Foundry Comments 2.249.0, and a patch was rolled out to affected Foundry environments. No further intervention is required at this time.

Affected (1)

Products: Palantir: Foundry Comments

1 product

Foundry Comments

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Palantir Foundry Comments	Before 2.249.0

Related CWEs

Improper Authorization

The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

References (2)

https://palantir.safebase.us/?tcuUid=101b083b-6389-4261-98f8-23448e133a62

Source: cve-coordination@palantir.com

Vendor Advisory

https://palantir.safebase.us/?tcuUid=101b083b-6389-4261-98f8-23448e133a62

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.