certfr_avis - certfr-2023-avi-0341

CERTFR-2023-AVI-0341

Vulnerability from certfr_avis

Une vulnérabilité a été découverte dans SolarWinds Platform. Elle permet à un attaquant de provoquer une atteinte à la confidentialité des données.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

	Vendor	Product	Description
	SolarWinds	Platform	SolarWinds Platform versions antérieures à 2023.2

References

Title

Publication Time

Tags

Bulletin de sécurité SolarWinds CVE-2023-23839 du 20 avril 2023	None	vendor-advisory
Bulletin de sécurité SolarWinds CVE-2023-23839 du 20 avril 2023	-	other

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "SolarWinds Platform versions ant\u00e9rieures \u00e0 2023.2",
      "product": {
        "name": "Platform",
        "vendor": {
          "name": "SolarWinds",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2023-23839",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-23839"
    }
  ],
  "initial_release_date": "2023-04-26T00:00:00",
  "last_revision_date": "2023-04-26T00:00:00",
  "links": [
    {
      "title": "Bulletin de s\u00e9curit\u00e9 SolarWinds\u00a0CVE-2023-23839 du 20 avril 2023",
      "url": "https://www.solarwinds.com/trust-center/security-advisories/cve-2023-23839"
    }
  ],
  "reference": "CERTFR-2023-AVI-0341",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2023-04-26T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    }
  ],
  "summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 d\u00e9couverte dans \u003cspan class=\"textit\"\u003eSolarWinds\nPlatform\u003c/span\u003e. Elle permet \u00e0 un attaquant de provoquer une atteinte \u00e0\nla confidentialit\u00e9 des donn\u00e9es.\n",
  "title": "Vuln\u00e9rabilit\u00e9 dans SolarWinds Platform",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 SolarWinds CVE-2023-23839 du 20 avril 2023",
      "url": null
    }
  ]
}

CVE-2023-23839 (GCVE-0-2023-23839)

Vulnerability from cvelistv5

Published

2023-04-25 00:00

Modified

2025-02-04 14:43

Severity ?

6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CWE

CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor

Summary

The SolarWinds Platform was susceptible to the Exposure of Sensitive Information Vulnerability. This vulnerability allows users to access Orion.WebCommunityStrings SWIS schema object and obtain sensitive information.

References

URL

Tags

	https://documentation.solarwinds.com/en/success_center/orionplatform/content/release_notes/solarwinds_platform_2023-2_release_notes.htm
	https://www.solarwinds.com/trust-center/security-advisories/CVE-2023-23839

Impacted products

	Vendor	Product	Version
	SolarWinds	SolarWinds Platform	Version: 2023.1 and prior versions < 2023.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T10:42:26.705Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://documentation.solarwinds.com/en/success_center/orionplatform/content/release_notes/solarwinds_platform_2023-2_release_notes.htm"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2023-23839"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-23839",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-04T14:40:28.977535Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-04T14:43:29.518Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "SolarWinds Platform",
          "vendor": "SolarWinds",
          "versions": [
            {
              "lessThan": "2023.2",
              "status": "affected",
              "version": "2023.1 and prior versions",
              "versionType": "custom"
            }
          ]
        }
      ],
      "datePublic": "2023-04-16T16:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eThe SolarWinds Platform was susceptible to the Exposure of Sensitive Information Vulnerability. This vulnerability allows users to access Orion.WebCommunityStrings SWIS schema object and obtain sensitive information.\u003c/p\u003e"
            }
          ],
          "value": "The SolarWinds Platform was susceptible to the Exposure of Sensitive Information Vulnerability. This vulnerability allows users to access Orion.WebCommunityStrings SWIS schema object and obtain sensitive information.\n\n"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-08-03T20:18:54.847Z",
        "orgId": "49f11609-934d-4621-84e6-e02e032104d6",
        "shortName": "SolarWinds"
      },
      "references": [
        {
          "url": "https://documentation.solarwinds.com/en/success_center/orionplatform/content/release_notes/solarwinds_platform_2023-2_release_notes.htm"
        },
        {
          "url": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2023-23839"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eAll SolarWinds Platform customers are advised to upgrade to the latest version of the SolarWinds Platform version 2023.2\u003c/p\u003e"
            }
          ],
          "value": "All SolarWinds Platform customers are advised to upgrade to the latest version of the SolarWinds Platform version 2023.2\n\n"
        }
      ],
      "source": {
        "discovery": "USER"
      },
      "title": "SolarWinds Platform Exposure of Sensitive Information Vulnerability",
      "x_generator": {
        "engine": "vulnogram 0.1.0-rc1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "49f11609-934d-4621-84e6-e02e032104d6",
    "assignerShortName": "SolarWinds",
    "cveId": "CVE-2023-23839",
    "datePublished": "2023-04-25T00:00:00.000Z",
    "dateReserved": "2023-01-18T00:00:00.000Z",
    "dateUpdated": "2025-02-04T14:43:29.518Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CERTFR-2023-AVI-0341

Vulnerability from certfr_avis

Solution

CVE-2023-23839 (GCVE-0-2023-23839)

Vulnerability from cvelistv5

Tags

Sightings

Nomenclature