CVE-2023-42455

Published: Oct 9, 2023Modified: Nov 21, 2024

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

Wazuh is a security detection, visibility, and compliance open source project. In versions 4.4.0 and 4.4.1, it is possible to get the Wazuh API administrator key used by the Dashboard using the browser development tools. This allows a logged user to the dashboard to become administrator of the API, even if their dashboard role is not. Version 4.4.2 contains a fix. There are no known workarounds.

Affected (2)

Products: Wazuh: Wazuh Dashboard, Wazuh Kibana App

2 products

Wazuh Dashboard

Wazuh Kibana App

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Wazuh Wazuh Dashboard	From 4.4.0 to 4.4.2
Wazuh Wazuh Kibana App	From 4.4.0 to 4.4.2

Related CWEs

Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

References (6)

https://github.com/wazuh/wazuh-dashboard-plugins/issues/5427

Source: security-advisories@github.com

Issue Tracking

https://github.com/wazuh/wazuh-kibana-app/pull/5428

Source: security-advisories@github.com

Patch

https://github.com/wazuh/wazuh-kibana-app/security/advisories/GHSA-8w7x-52r7-qvjf

Source: security-advisories@github.com

PatchVendor Advisory

https://github.com/wazuh/wazuh-dashboard-plugins/issues/5427

Source: af854a3a-2127-422b-91ae-364da2661108

Issue Tracking

https://github.com/wazuh/wazuh-kibana-app/pull/5428

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

https://github.com/wazuh/wazuh-kibana-app/security/advisories/GHSA-8w7x-52r7-qvjf

Source: af854a3a-2127-422b-91ae-364da2661108

PatchVendor Advisory

Timeline

No history available yet.