BDU:2025-00947

Published: 25 May 2023
Source: fstec
CVSS3: 6.1
CVSS2: 6.4
EPSS: Low

Description

A vulnerability in the Salt configuration management and remote execution system and in the Tornado Python web framework is related to the use of an open redirect. Exploitation of the vulnerability may allow a remote attacker to gain unauthorized access to protected information by means of a specially crafted URL.

Vendor

Novell Inc.
Free software community
ООО «Ред Софт»
Red Hat Inc.
ООО «РусБИТех-Астра»
FriendFeed

Software name

SUSE Linux Enterprise Server for SAP Applications
OpenSUSE Leap
Suse Linux Enterprise Server
SUSE Linux Enterprise High Performance Computing
SUSE OpenStack Cloud
openSUSE Tumbleweed
SUSE CaaS Platform
Debian GNU/Linux
РЕД ОС
SUSE Manager Proxy
SUSE Manager Server
SUSE Enterprise Storage
SUSE Linux Enterprise Micro
Suse Linux Enterprise Desktop
SUSE Manager Retail Branch Server
Red Hat Enterprise Linux
SUSE Linux Enterprise Module for Server Applications
SUSE Linux Enterprise Module for Basesystem
openSUSE Leap Micro
SUSE Linux Enterprise Real Time
SUSE Manager Server Module
SUSE Liberty Linux
SUSE Linux Enterprise Module for Package Hub
Astra Linux Special Edition
SUSE Linux Enterprise Module for Advanced Systems Management
SUSE Manager Client Tools
SUSE Linux Enterprise Module for Python 3
Tornado
SUSE Linux Enterprise Module for Transactional Server
SUSE Manager Proxy Module

Software version

12 SP3 (SUSE Linux Enterprise Server for SAP Applications)
12 SP4 (SUSE Linux Enterprise Server for SAP Applications)
15.5 (OpenSUSE Leap)
12 SP3 (Suse Linux Enterprise Server)
12 SP4 (Suse Linux Enterprise Server)
12 (SUSE Linux Enterprise High Performance Computing)
15 SP1 (SUSE Linux Enterprise Server for SAP Applications)
8 (SUSE OpenStack Cloud)
12 SP5 (Suse Linux Enterprise Server)
12 SP5 (SUSE Linux Enterprise Server for SAP Applications)
Crowbar 8 (SUSE OpenStack Cloud)
9 (SUSE OpenStack Cloud)
12 (SUSE Linux Enterprise Server for SAP Applications)
- (openSUSE Tumbleweed)
Crowbar 9 (SUSE OpenStack Cloud)
4.0 (SUSE CaaS Platform)
15 SP1-LTSS (Suse Linux Enterprise Server)
15 SP1-LTSS (SUSE Linux Enterprise High Performance Computing)
11 (Debian GNU/Linux)
12 (Debian GNU/Linux)
12 (Suse Linux Enterprise Server)
7.3 (РЕД ОС)
15.4 (OpenSUSE Leap)
15 SP3 (SUSE Linux Enterprise Server for SAP Applications)
4.2 (SUSE Manager Proxy)
4.2 (SUSE Manager Server)
7 (SUSE Enterprise Storage)
15 SP2 (SUSE Linux Enterprise Server for SAP Applications)
15 SP2-LTSS (SUSE Linux Enterprise High Performance Computing)
5.1 (SUSE Linux Enterprise Micro)
15 SP4 (Suse Linux Enterprise Server)
15 SP4 (Suse Linux Enterprise Desktop)
15 SP4 (SUSE Linux Enterprise Server for SAP Applications)
4.2 (SUSE Manager Retail Branch Server)
5.2 (SUSE Linux Enterprise Micro)
9 (Red Hat Enterprise Linux)
15 SP2-LTSS (Suse Linux Enterprise Server)
4.3 (SUSE Manager Retail Branch Server)
4.3 (SUSE Manager Proxy)
4.3 (SUSE Manager Server)
15 SP4 (SUSE Linux Enterprise High Performance Computing)
15 SP4 (SUSE Linux Enterprise Module for Server Applications)
7.1 (SUSE Enterprise Storage)
15 SP4 (SUSE Linux Enterprise Module for Basesystem)
5.3 (SUSE Linux Enterprise Micro)
5.3 (openSUSE Leap Micro)
15 SP3-LTSS (Suse Linux Enterprise Server)
15 SP3-ESPOS (SUSE Linux Enterprise High Performance Computing)
15 SP3-LTSS (SUSE Linux Enterprise High Performance Computing)
15 SP3 (SUSE Linux Enterprise Real Time)
15 SP5 (SUSE Linux Enterprise Server for SAP Applications)
15 SP5 (Suse Linux Enterprise Server)
15 SP5 (Suse Linux Enterprise Desktop)
15 SP5 (SUSE Linux Enterprise High Performance Computing)
15 SP5 (SUSE Linux Enterprise Module for Basesystem)
5.4 (SUSE Linux Enterprise Micro)
5.4 (openSUSE Leap Micro)
15 SP5 (SUSE Linux Enterprise Module for Server Applications)
4.2 (SUSE Manager Server Module)
4.3 (SUSE Manager Server Module)
9 (SUSE Liberty Linux)
15 SP6 (Suse Linux Enterprise Desktop)
15 SP6 (Suse Linux Enterprise Server)
15 SP6 (SUSE Linux Enterprise Server for SAP Applications)
15 SP6 (SUSE Linux Enterprise High Performance Computing)
15 SP6 (SUSE Linux Enterprise Module for Basesystem)
15 SP6 (SUSE Linux Enterprise Module for Package Hub)
15 SP6 (SUSE Linux Enterprise Module for Server Applications)
6.0 (SUSE Linux Enterprise Micro)
1.8 (Astra Linux Special Edition)
6.1 (SUSE Linux Enterprise Micro)
12 (SUSE Linux Enterprise Module for Advanced Systems Management)
12 (SUSE Manager Client Tools)
15 SP6 (SUSE Linux Enterprise Module for Python 3)
before 6.3.2 (Tornado)
15 (SUSE Manager Client Tools)
15 SP4 (SUSE Linux Enterprise Module for Transactional Server)
15 SP5 (SUSE Linux Enterprise Module for Transactional Server)
15 SP6 (SUSE Linux Enterprise Module for Transactional Server)
for RHEL, Liberty and Clones 9-CLIENT-TOOLS (SUSE Manager Client Tools)
for SLE Micro 5 (SUSE Manager Client Tools)
4.2 (SUSE Manager Proxy Module)
4.3 (SUSE Manager Proxy Module)

Software type

Operating system
Information system application software
Network tool

Operating systems and hardware platforms

Novell Inc. SUSE Linux Enterprise Server for SAP Applications 12 SP3
Novell Inc. SUSE Linux Enterprise Server for SAP Applications 12 SP4
Novell Inc. OpenSUSE Leap 15.5
Novell Inc. Suse Linux Enterprise Server 12 SP3
Novell Inc. Suse Linux Enterprise Server 12 SP4
Novell Inc. SUSE Linux Enterprise Server for SAP Applications 15 SP1
Novell Inc. Suse Linux Enterprise Server 12 SP5
Novell Inc. SUSE Linux Enterprise Server for SAP Applications 12 SP5
Novell Inc. SUSE Linux Enterprise Server for SAP Applications 12
Novell Inc. openSUSE Tumbleweed -
Novell Inc. Suse Linux Enterprise Server 15 SP1-LTSS
Free software community Debian GNU/Linux 11
Free software community Debian GNU/Linux 12
Novell Inc. Suse Linux Enterprise Server 12
ООО «Ред Софт» РЕД ОС 7.3
Novell Inc. OpenSUSE Leap 15.4
Novell Inc. SUSE Linux Enterprise Server for SAP Applications 15 SP3
Novell Inc. SUSE Linux Enterprise Server for SAP Applications 15 SP2
Novell Inc. Suse Linux Enterprise Server 15 SP4
Novell Inc. Suse Linux Enterprise Desktop 15 SP4
Novell Inc. SUSE Linux Enterprise Server for SAP Applications 15 SP4
Red Hat Inc. Red Hat Enterprise Linux 9
Novell Inc. Suse Linux Enterprise Server 15 SP2-LTSS
Novell Inc. openSUSE Leap Micro 5.3
Novell Inc. Suse Linux Enterprise Server 15 SP3-LTSS
Novell Inc. SUSE Linux Enterprise Real Time 15 SP3
Novell Inc. SUSE Linux Enterprise Server for SAP Applications 15 SP5
Novell Inc. Suse Linux Enterprise Server 15 SP5
Novell Inc. Suse Linux Enterprise Desktop 15 SP5
Novell Inc. openSUSE Leap Micro 5.4
Novell Inc. SUSE Liberty Linux 9
Novell Inc. Suse Linux Enterprise Desktop 15 SP6
Novell Inc. Suse Linux Enterprise Server 15 SP6
Novell Inc. SUSE Linux Enterprise Server for SAP Applications 15 SP6
ООО «РусБИТех-Астра» Astra Linux Special Edition 1.8

Vulnerability severity level

Medium severity (CVSS 2.0 base score is 6.4)
Medium severity (CVSS 3.0 base score is 6.1)

Possible remediation measures

Use the following recommendations:
https://github.com/tornadoweb/tornado/releases/tag/v6.3.2
For РЕД ОС:
https://redos.red-soft.ru/support/secure/uyazvimosti/uyazvimost-python3-tornado-cve-2023-28370/?sphrase_id=644541
For Debian GNU/Linux:
https://security-tracker.debian.org/tracker/CVE-2023-28370
For Red Hat Inc. software products:
https://access.redhat.com/security/cve/cve-2023-28370
For Novell Inc. software products:
https://www.suse.com/security/cve/CVE-2023-28370.html
For Astra Linux OS:
update the python-tornado package to version 6.2.0-3.astra1 or higher, following the vendor's recommendations: https://wiki.astralinux.ru/astra-linux-se18-bulletin-2025-0114SE18MD

Vulnerability status

Confirmed by the vendor

Exploit availability

Information is being clarified

Remediation information

Vulnerability fixed

Identifiers in other vulnerability description systems

EPSS
Percentile: 62%
Score: 0.0043 (Low)

CVSS3: 6.1 Medium
CVSS2: 6.4 Medium

Related vulnerabilities

ubuntu (CVSS3: 6.1, about 2 years ago):
Open redirect vulnerability in Tornado versions 6.3.1 and earlier allows a remote unauthenticated attacker to redirect a user to an arbitrary web site and conduct a phishing attack by having user access a specially crafted URL.

redhat (CVSS3: 7.4, about 2 years ago):
Open redirect vulnerability in Tornado versions 6.3.1 and earlier allows a remote unauthenticated attacker to redirect a user to an arbitrary web site and conduct a phishing attack by having user access a specially crafted URL.

nvd (CVSS3: 6.1, about 2 years ago):
Open redirect vulnerability in Tornado versions 6.3.1 and earlier allows a remote unauthenticated attacker to redirect a user to an arbitrary web site and conduct a phishing attack by having user access a specially crafted URL.

msrc (CVSS3: 6.1, 3 months ago):
No description available

debian (CVSS3: 6.1, about 2 years ago):
Open redirect vulnerability in Tornado versions 6.3.1 and earlier allo ...
