Wazuh is a security detection, visibility, and compliance open source project. In versions 4.4.0 and 4.4.1, it is possible to get the Wazuh API administrator key used by the Dashboard using the browser development tools. This allows a logged user to the dashboard to become administrator of the API, even if their dashboard role is not. Version 4.4.2 contains a fix. There are no known workarounds.
References
Link | Resource |
---|---|
https://github.com/wazuh/wazuh-dashboard-plugins/issues/5427 | Issue Tracking |
https://github.com/wazuh/wazuh-kibana-app/pull/5428 | Patch |
https://github.com/wazuh/wazuh-kibana-app/security/advisories/GHSA-8w7x-52r7-qvjf | Patch Vendor Advisory |
https://github.com/wazuh/wazuh-dashboard-plugins/issues/5427 | Issue Tracking |
https://github.com/wazuh/wazuh-kibana-app/pull/5428 | Patch |
https://github.com/wazuh/wazuh-kibana-app/security/advisories/GHSA-8w7x-52r7-qvjf | Patch Vendor Advisory |
Configurations
Configuration 1 (hide)
|
History
21 Nov 2024, 08:22
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2023-10-09 17:15
Updated : 2024-11-21 08:22
NVD link : CVE-2023-42455
Mitre link : CVE-2023-42455
CVE.ORG link : CVE-2023-42455
JSON object : View
Products Affected
wazuh
- wazuh-kibana-app
- wazuh-dashboard
CWE
CWE-639
Authorization Bypass Through User-Controlled Key