CVE-2023-23903

An authenticated administrator can upload a SAML configuration file with the wrong format, with the application not checking the correct file format. Every subsequent application request will return an error. The whole application in rendered unusable until a console intervention.

CVSS v3 4.9 MEDIUM

4.9^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.2 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://security.nozominetworks.com/NN-2023:7-01	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:nozominetworks:cmc::::::::
	cpe:2.3:a:nozominetworks:guardian::::::::

History

20 Sep 2024, 12:15

Type	Values Removed	Values Added
CWE	~~CWE-20~~	CWE-1286

28 May 2024, 13:15

Type	Values Removed	Values Added
Summary	(en) An authenticated administrator can upload a SAML configuration file with the wrong format, with the application not checking the correct file format. Every subsequent application request will return an error. The whole application in rendered unusable until a console intervention.	(en) An authenticated administrator can upload a SAML configuration file with the wrong format, with the application not checking the correct file format. Every subsequent application request will return an error. The whole application in rendered unusable until a console intervention.

16 Aug 2023, 19:44

Type	Values Removed	Values Added
References	~~(MISC) https://security.nozominetworks.com/NN-2023:7-01 -~~	(MISC) https://security.nozominetworks.com/NN-2023:7-01 - Vendor Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 4.9
CPE		cpe:2.3:a:nozominetworks:cmc:::::::: cpe:2.3:a:nozominetworks:guardian::::::::
CWE		NVD-CWE-noinfo

09 Aug 2023, 12:46

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-08-09 10:15

Updated : 2024-09-20 12:15

NVD link : CVE-2023-23903

Mitre link : CVE-2023-23903

CVE.ORG link : CVE-2023-23903

JSON object : View

Products Affected

nozominetworks

cmc
guardian

CWE

NVD-CWE-noinfo CWE-1286

Improper Validation of Syntactic Correctness of Input

{"id": "CVE-2023-23903", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.2}, {"type": "Secondary", "source": "prodsec@nozominetworks.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.2}], "cvssMetricV40": [{"type": "Secondary", "source": "prodsec@nozominetworks.com", "cvssData": {"safety": "NOT_DEFINED", "version": "4.0", "recovery": "NOT_DEFINED", "baseScore": 6.9, "automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "modifiedAttackVector": "NOT_DEFINED", "integrityRequirements": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "availabilityRequirements": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subsequentSystemIntegrity": "NONE", "vulnerableSystemIntegrity": "NONE", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "confidentialityRequirements": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "subsequentSystemAvailability": "NONE", "vulnerableSystemAvailability": "HIGH", "subsequentSystemConfidentiality": "NONE", "vulnerableSystemConfidentiality": "NONE", "modifiedSubsequentSystemIntegrity": "NOT_DEFINED", "modifiedVulnerableSystemIntegrity": "NOT_DEFINED", "modifiedSubsequentSystemAvailability": "NOT_DEFINED", "modifiedVulnerableSystemAvailability": "NOT_DEFINED", "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED", "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED"}}]}, "published": "2023-08-09T10:15:09.687", "references": [{"url": "https://security.nozominetworks.com/NN-2023:7-01", "tags": ["Vendor Advisory"], "source": "prodsec@nozominetworks.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}, {"type": "Secondary", "source": "prodsec@nozominetworks.com", "description": [{"lang": "en", "value": "CWE-1286"}]}], "descriptions": [{"lang": "en", "value": "An authenticated administrator can upload a SAML configuration file with the wrong format, with the application not checking the correct file format. Every subsequent application request will return an error.\n\nThe whole application in rendered unusable until a console intervention."}, {"lang": "es", "value": "Un administrador autenticado puede cargar un archivo de configuraci\u00f3n SAML con el formato incorrecto, sin que la aplicaci\u00f3n compruebe el formato correcto del archivo. Cada solicitud posterior de la aplicaci\u00f3n devolver\u00e1 un error. Toda la aplicaci\u00f3n en inutilizable hasta una intervenci\u00f3n de la consola."}], "lastModified": "2024-09-20T12:15:04.187", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:nozominetworks:cmc:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D5DACA15-76B3-417A-8776-9014575659A6", "versionEndExcluding": "22.6.2"}, {"criteria": "cpe:2.3:a:nozominetworks:guardian:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6317D905-9F4B-42A1-937E-AB79D99B1973", "versionEndExcluding": "22.6.2"}], "operator": "OR"}]}], "sourceIdentifier": "prodsec@nozominetworks.com"}