CVE-2023-23595

Опубликовано: 15 янв. 2023

Источник: nvd

CVSS3: 7.5

EPSS Низкий

Описание

BlueCat Device Registration Portal 2.2 allows XXE attacks that exfiltrate single-line files. A single-line file might contain credentials, such as "machine example.com login daniel password qwerty" in the documentation example for the .netrc file format. NOTE: 2.x versions are no longer supported. There is no available information about whether any later version is affected.

Ссылки

https://bluecatnetworks.com/integrations/adaptive-application/device-registration-portal-drp/
Product
Vendor Advisory
https://everything.curl.dev/usingcurl/netrc
Technical Description
Third Party Advisory
https://github.com/colemanjp/XXE-Vulnerability-in-Bluecat-Device-Registration-Portal-DRP
Exploit
Third Party Advisory
https://bluecatnetworks.com/integrations/adaptive-application/device-registration-portal-drp/
Product
Vendor Advisory
https://everything.curl.dev/usingcurl/netrc
Technical Description
Third Party Advisory
https://github.com/colemanjp/XXE-Vulnerability-in-Bluecat-Device-Registration-Portal-DRP
Exploit
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:bluecatnetworks:device_registration_portal:2.2:*:*:*:*:*:*:*

EPSS

Процентиль: 62%

0.00425

Низкий

7.5 High

CVSS3

Дефекты

CWE-611

Связанные уязвимости

GHSA-pxhp-jr2p-7hw7