CVE-2023-45152

{"id": "CVE-2023-45152", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 2.3, "attackVector": "LOCAL", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 0.8}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 2.0, "attackVector": "LOCAL", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 0.6}]}, "published": "2023-10-17T00:15:11.140", "references": [{"url": "https://github.com/engelsystem/engelsystem/commit/ee7d30b33935ea001705f438fec8ffd05734f295", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/engelsystem/engelsystem/security/advisories/GHSA-jj9g-75wf-6ppf", "tags": ["Exploit", "Third Party Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-918"}]}, {"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-918"}]}], "descriptions": [{"lang": "en", "value": "Engelsystem is a shift planning system for chaos events. A Blind SSRF in the \"Import schedule\" functionality makes it possible to perform a port scan against the local environment. This vulnerability has been fixed in commit ee7d30b33. If a patch cannot be deployed, operators should ensure that no HTTP(s) services listen on localhost and/or systems only reachable from the host running the engelsystem software. If such services are necessary, they should utilize additional authentication."}, {"lang": "es", "value": "Engelsystem es un sistema de planificaci\u00f3n de turnos para eventos de caos. Un Blind SSRF en la funcionalidad \"Import schedule\" permite realizar una exploraci\u00f3n de puertos en el entorno local. Esta vulnerabilidad se ha solucionado en el commit ee7d30b33. Si no se puede implementar un parche, los operadores deben asegurarse de que ning\u00fan servicio HTTP escuche en el host local y/o en sistemas a los que solo se pueda acceder desde el host que ejecuta el software engelsystem. Si dichos servicios son necesarios, deber\u00edan utilizar autenticaci\u00f3n adicional."}], "lastModified": "2023-10-30T17:31:46.010", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:engelsystem:engelsystem:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B0F10C38-ED39-422A-8507-FA4099FAEE32", "versionEndExcluding": "2023-09-18"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}