cvelistv5 - cve-2023-32315

CVE-2023-32315 (GCVE-0-2023-32315)

Vulnerability from cvelistv5

Published

2023-05-26 22:33

Modified

2025-07-30 01:37

Severity ?

8.6 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

CWE

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Summary

Openfire is an XMPP server licensed under the Open Source Apache License. Openfire's administrative console, a web-based application, was found to be vulnerable to a path traversal attack via the setup environment. This permitted an unauthenticated user to use the unauthenticated Openfire Setup Environment in an already configured Openfire environment to access restricted pages in the Openfire Admin Console reserved for administrative users. This vulnerability affects all versions of Openfire that have been released since April 2015, starting with version 3.10.0. The problem has been patched in Openfire release 4.7.5 and 4.6.8, and further improvements will be included in the yet-to-be released first version on the 4.8 branch (which is expected to be version 4.8.0). Users are advised to upgrade. If an Openfire upgrade isn’t available for a specific release, or isn’t quickly actionable, users may see the linked github advisory (GHSA-gw42-f939-fhvm) for mitigation advice.

References

URL	Tags
security-advisories@github.com	http://packetstormsecurity.com/files/173607/Openfire-Authentication-Bypass-Remote-Code-Execution.html	Exploit, Third Party Advisory, VDB Entry
security-advisories@github.com	https://github.com/igniterealtime/Openfire/security/advisories/GHSA-gw42-f939-fhvm	Exploit, Mitigation, Patch, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://packetstormsecurity.com/files/173607/Openfire-Authentication-Bypass-Remote-Code-Execution.html	Exploit, Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108	https://github.com/igniterealtime/Openfire/security/advisories/GHSA-gw42-f939-fhvm	Exploit, Mitigation, Patch, Vendor Advisory

Impacted products

	Vendor	Product	Version
	igniterealtime	Openfire	Version: >= 3.10.0, < 4.6.8 Version: >= 4.7.0, < 4.7.5

CISA Known exploited vulnerability

Data from the Known Exploited Vulnerabilities Catalog

Date added: 2023-08-24

Due date: 2023-09-14

Required action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Used in ransomware: Unknown

Notes: https://www.igniterealtime.org/downloads/#openfire; https://nvd.nist.gov/vuln/detail/CVE-2023-32315

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T15:10:24.896Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/igniterealtime/Openfire/security/advisories/GHSA-gw42-f939-fhvm",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/igniterealtime/Openfire/security/advisories/GHSA-gw42-f939-fhvm"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/173607/Openfire-Authentication-Bypass-Remote-Code-Execution.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-32315",
                "options": [
                  {
                    "Exploitation": "active"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-04T16:14:29.329482Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          },
          {
            "other": {
              "content": {
                "dateAdded": "2023-08-24",
                "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-32315"
              },
              "type": "kev"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-30T01:37:25.286Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "timeline": [
          {
            "lang": "en",
            "time": "2023-08-24T00:00:00+00:00",
            "value": "CVE-2023-32315 added to CISA KEV"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Openfire",
          "vendor": "igniterealtime",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 3.10.0, \u003c 4.6.8"
            },
            {
              "status": "affected",
              "version": "\u003e= 4.7.0, \u003c 4.7.5"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Openfire is an XMPP server licensed under the Open Source Apache License. Openfire\u0027s administrative console, a web-based application, was found to be vulnerable to a path traversal attack via the setup environment. This permitted an unauthenticated user to use the unauthenticated Openfire Setup Environment in an already configured Openfire environment to access restricted pages in the Openfire Admin Console reserved for administrative users. This vulnerability affects all versions of Openfire that have been released since April 2015, starting with version 3.10.0. The problem has been patched in Openfire release 4.7.5 and 4.6.8, and further improvements will be included in the yet-to-be released first version on the 4.8 branch (which is expected to be version 4.8.0). Users are advised to upgrade. If an Openfire upgrade isn\u2019t available for a specific release, or isn\u2019t quickly actionable, users may see the linked github advisory (GHSA-gw42-f939-fhvm) for mitigation advice."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 8.6,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-07-19T17:06:15.556Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/igniterealtime/Openfire/security/advisories/GHSA-gw42-f939-fhvm",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/igniterealtime/Openfire/security/advisories/GHSA-gw42-f939-fhvm"
        },
        {
          "url": "http://packetstormsecurity.com/files/173607/Openfire-Authentication-Bypass-Remote-Code-Execution.html"
        }
      ],
      "source": {
        "advisory": "GHSA-gw42-f939-fhvm",
        "discovery": "UNKNOWN"
      },
      "title": "Openfire administration console authentication bypass"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2023-32315",
    "datePublished": "2023-05-26T22:33:07.974Z",
    "dateReserved": "2023-05-08T13:26:03.879Z",
    "dateUpdated": "2025-07-30T01:37:25.286Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "cisa_known_exploited": {
      "cveID": "CVE-2023-32315",
      "cwes": "[\"CWE-22\"]",
      "dateAdded": "2023-08-24",
      "dueDate": "2023-09-14",
      "knownRansomwareCampaignUse": "Unknown",
      "notes": "https://www.igniterealtime.org/downloads/#openfire;  https://nvd.nist.gov/vuln/detail/CVE-2023-32315",
      "product": "Openfire",
      "requiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.",
      "shortDescription": "Ignite Realtime Openfire contains a path traversal vulnerability that allows an unauthenticated attacker to access restricted pages in the Openfire Admin Console reserved for administrative users.",
      "vendorProject": "Ignite Realtime",
      "vulnerabilityName": "Ignite Realtime Openfire Path Traversal Vulnerability"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-32315\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2023-05-26T23:15:16.643\",\"lastModified\":\"2025-03-10T20:36:57.097\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Openfire is an XMPP server licensed under the Open Source Apache License. Openfire\u0027s administrative console, a web-based application, was found to be vulnerable to a path traversal attack via the setup environment. This permitted an unauthenticated user to use the unauthenticated Openfire Setup Environment in an already configured Openfire environment to access restricted pages in the Openfire Admin Console reserved for administrative users. This vulnerability affects all versions of Openfire that have been released since April 2015, starting with version 3.10.0. The problem has been patched in Openfire release 4.7.5 and 4.6.8, and further improvements will be included in the yet-to-be released first version on the 4.8 branch (which is expected to be version 4.8.0). Users are advised to upgrade. If an Openfire upgrade isn\u2019t available for a specific release, or isn\u2019t quickly actionable, users may see the linked github advisory (GHSA-gw42-f939-fhvm) for mitigation advice.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L\",\"baseScore\":8.6,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":3.9,\"impactScore\":4.7},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"cisaExploitAdd\":\"2023-08-24\",\"cisaActionDue\":\"2023-09-14\",\"cisaRequiredAction\":\"Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.\",\"cisaVulnerabilityName\":\"Ignite Realtime Openfire Path Traversal Vulnerability\",\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-22\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-22\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:igniterealtime:openfire:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"3.10.0\",\"versionEndExcluding\":\"4.6.8\",\"matchCriteriaId\":\"8E41A6C4-1A9E-4FF5-836D-578434F4AF86\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:igniterealtime:openfire:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.7.0.\",\"versionEndExcluding\":\"4.7.5\",\"matchCriteriaId\":\"976DC4DB-EB01-41EA-8401-56B8D6ED2382\"}]}]}],\"references\":[{\"url\":\"http://packetstormsecurity.com/files/173607/Openfire-Authentication-Bypass-Remote-Code-Execution.html\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://github.com/igniterealtime/Openfire/security/advisories/GHSA-gw42-f939-fhvm\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Mitigation\",\"Patch\",\"Vendor Advisory\"]},{\"url\":\"http://packetstormsecurity.com/files/173607/Openfire-Authentication-Bypass-Remote-Code-Execution.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://github.com/igniterealtime/Openfire/security/advisories/GHSA-gw42-f939-fhvm\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Mitigation\",\"Patch\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"cna\": {\"title\": \"Openfire administration console authentication bypass\", \"problemTypes\": [{\"descriptions\": [{\"cweId\": \"CWE-22\", \"lang\": \"en\", \"description\": \"CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)\", \"type\": \"CWE\"}]}], \"metrics\": [{\"cvssV3_1\": {\"attackComplexity\": \"LOW\", \"attackVector\": \"NETWORK\", \"availabilityImpact\": \"LOW\", \"baseScore\": 8.6, \"baseSeverity\": \"HIGH\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"LOW\", \"privilegesRequired\": \"NONE\", \"scope\": \"UNCHANGED\", \"userInteraction\": \"NONE\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L\", \"version\": \"3.1\"}}], \"references\": [{\"name\": \"https://github.com/igniterealtime/Openfire/security/advisories/GHSA-gw42-f939-fhvm\", \"tags\": [\"x_refsource_CONFIRM\"], \"url\": \"https://github.com/igniterealtime/Openfire/security/advisories/GHSA-gw42-f939-fhvm\"}, {\"url\": \"http://packetstormsecurity.com/files/173607/Openfire-Authentication-Bypass-Remote-Code-Execution.html\"}], \"affected\": [{\"vendor\": \"igniterealtime\", \"product\": \"Openfire\", \"versions\": [{\"version\": \"\u003e= 3.10.0, \u003c 4.6.8\", \"status\": \"affected\"}, {\"version\": \"\u003e= 4.7.0, \u003c 4.7.5\", \"status\": \"affected\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2023-07-19T17:06:15.556Z\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Openfire is an XMPP server licensed under the Open Source Apache License. Openfire\u0027s administrative console, a web-based application, was found to be vulnerable to a path traversal attack via the setup environment. This permitted an unauthenticated user to use the unauthenticated Openfire Setup Environment in an already configured Openfire environment to access restricted pages in the Openfire Admin Console reserved for administrative users. This vulnerability affects all versions of Openfire that have been released since April 2015, starting with version 3.10.0. The problem has been patched in Openfire release 4.7.5 and 4.6.8, and further improvements will be included in the yet-to-be released first version on the 4.8 branch (which is expected to be version 4.8.0). Users are advised to upgrade. If an Openfire upgrade isn\\u2019t available for a specific release, or isn\\u2019t quickly actionable, users may see the linked github advisory (GHSA-gw42-f939-fhvm) for mitigation advice.\"}], \"source\": {\"advisory\": \"GHSA-gw42-f939-fhvm\", \"discovery\": \"UNKNOWN\"}}, \"adp\": [{\"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T15:10:24.896Z\"}, \"title\": \"CVE Program Container\", \"references\": [{\"name\": \"https://github.com/igniterealtime/Openfire/security/advisories/GHSA-gw42-f939-fhvm\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"], \"url\": \"https://github.com/igniterealtime/Openfire/security/advisories/GHSA-gw42-f939-fhvm\"}, {\"url\": \"http://packetstormsecurity.com/files/173607/Openfire-Authentication-Bypass-Remote-Code-Execution.html\", \"tags\": [\"x_transferred\"]}]}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-32315\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"active\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-02-04T16:14:29.329482Z\"}}}, {\"other\": {\"type\": \"kev\", \"content\": {\"dateAdded\": \"2023-08-24\", \"reference\": \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-32315\"}}}], \"timeline\": [{\"time\": \"2023-08-24T00:00:00+00:00\", \"lang\": \"en\", \"value\": \"CVE-2023-32315 added to CISA KEV\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-02-04T16:14:35.507Z\"}}]}",
      "cveMetadata": "{\"cveId\": \"CVE-2023-32315\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"state\": \"PUBLISHED\", \"assignerShortName\": \"GitHub_M\", \"dateReserved\": \"2023-05-08T13:26:03.879Z\", \"datePublished\": \"2023-05-26T22:33:07.974Z\", \"dateUpdated\": \"2025-07-30T01:37:25.286Z\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

fkie_cve-2023-32315

Vulnerability from fkie_nvd

Published

2023-05-26 23:15

Modified

2025-03-10 20:36

Severity ?

8.6 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Summary

References

URL	Tags
security-advisories@github.com	http://packetstormsecurity.com/files/173607/Openfire-Authentication-Bypass-Remote-Code-Execution.html	Exploit, Third Party Advisory, VDB Entry
security-advisories@github.com	https://github.com/igniterealtime/Openfire/security/advisories/GHSA-gw42-f939-fhvm	Exploit, Mitigation, Patch, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://packetstormsecurity.com/files/173607/Openfire-Authentication-Bypass-Remote-Code-Execution.html	Exploit, Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108	https://github.com/igniterealtime/Openfire/security/advisories/GHSA-gw42-f939-fhvm	Exploit, Mitigation, Patch, Vendor Advisory

Impacted products

	Vendor	Product	Version
	igniterealtime	openfire	*
	igniterealtime	openfire	*

JSON

To clipboard

{
  "cisaActionDue": "2023-09-14",
  "cisaExploitAdd": "2023-08-24",
  "cisaRequiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.",
  "cisaVulnerabilityName": "Ignite Realtime Openfire Path Traversal Vulnerability",
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:igniterealtime:openfire:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "8E41A6C4-1A9E-4FF5-836D-578434F4AF86",
              "versionEndExcluding": "4.6.8",
              "versionStartIncluding": "3.10.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:igniterealtime:openfire:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "976DC4DB-EB01-41EA-8401-56B8D6ED2382",
              "versionEndExcluding": "4.7.5",
              "versionStartIncluding": "4.7.0.",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Openfire is an XMPP server licensed under the Open Source Apache License. Openfire\u0027s administrative console, a web-based application, was found to be vulnerable to a path traversal attack via the setup environment. This permitted an unauthenticated user to use the unauthenticated Openfire Setup Environment in an already configured Openfire environment to access restricted pages in the Openfire Admin Console reserved for administrative users. This vulnerability affects all versions of Openfire that have been released since April 2015, starting with version 3.10.0. The problem has been patched in Openfire release 4.7.5 and 4.6.8, and further improvements will be included in the yet-to-be released first version on the 4.8 branch (which is expected to be version 4.8.0). Users are advised to upgrade. If an Openfire upgrade isn\u2019t available for a specific release, or isn\u2019t quickly actionable, users may see the linked github advisory (GHSA-gw42-f939-fhvm) for mitigation advice."
    }
  ],
  "id": "CVE-2023-32315",
  "lastModified": "2025-03-10T20:36:57.097",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 8.6,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 4.7,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-05-26T23:15:16.643",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://packetstormsecurity.com/files/173607/Openfire-Authentication-Bypass-Remote-Code-Execution.html"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Mitigation",
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://github.com/igniterealtime/Openfire/security/advisories/GHSA-gw42-f939-fhvm"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://packetstormsecurity.com/files/173607/Openfire-Authentication-Bypass-Remote-Code-Execution.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Mitigation",
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://github.com/igniterealtime/Openfire/security/advisories/GHSA-gw42-f939-fhvm"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-22"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-22"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

ghsa-gw42-f939-fhvm

Vulnerability from github

Published

2023-05-23 19:54

Modified

2023-07-20 18:57

Severity ?

8.6 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

Summary

Administration Console authentication bypass in openfire xmppserver

Details

An important security issue affects a range of versions of Openfire, the cross-platform real-time collaboration server based on the XMPP protocol that is created by the Ignite Realtime community.

Impact

Openfire's administrative console (the Admin Console), a web-based application, was found to be vulnerable to a path traversal attack via the setup environment. This permitted an unauthenticated user to use the unauthenticated Openfire Setup Environment in an already configured Openfire environment to access restricted pages in the Openfire Admin Console reserved for administrative users.

Cause

Path traversal protections were already in place to protect against exactly this kind of attack, but didn’t defend against certain non-standard URL encoding for UTF-16 characters, that were not supported by the embedded webserver that was in use at the time.

A later upgrade of the embedded webserver included support for non-standard URL encoding of UTF-16 characters. The path traversal protections in place in Openfire were not updated to include protection against this new encoding.

Openfire's API defines a mechanism for certain URLs to be excluded from web authentication (this, for example, is used for the login page). This mechanism allows for wildcards to be used, to allow for flexible URL pattern matching.

The combination of the wildcard pattern matching and path traversal vulnerability allows a malicious user to bypass authentication requirements for Admin Console pages.

Affected versions

This vulnerability affects all versions of Openfire that have been released since April 2015, starting with version 3.10.0. The problem has been patched in Openfire release 4.7.5 and 4.6.8, and further improvements will be included in the yet-to-be released first version on the 4.8 branch (which is expected to be version 4.8.0).

Problem Reproduction

To test if an instance of Openfire is affected, follow these steps. Open a browser in incognito mode, or otherwise ensure that there is no authenticated session with the Openfire admin console. Open the following URL (possibly modified for the hostname of the server that is running Openfire):

http://localhost:9090/setup/setup-s/%u002e%u002e/%u002e%u002e/log.jsp

If this shows part of the openfire logfiles, then the instance of Openfire is affected by this vulnerability. Note that different versions of Openfire will show a different layout. Newer versions of Openfire can be expected to show log files on a dark background, while older versions will show a largely white page. (Depending on the content of the log file, this page might be empty, apart from a header!)

If there's a redirect to the login page, the instance is likely unaffected.

Problem Resolution

The problem has been patched in Openfire release 4.7.5 and 4.6.8, and further improvements will be included in the yet-to-be released first version on the 4.8 branch (which is expected to be version 4.8.0).

In Openfire 4.6.8, 4.7.5 and 4.8.0, Path Traversal pattern detection has been improved to include detection of non-standard URL encodings, preventing any non UTF-8 characters.
In Openfire 4.6.8, 4.7.5 and 4.8.0, a new configuration property (adminConsole.access.allow-wildcards-in-excludes) is introduced that controls the permissibility of using wildcards in URL-patterns that define exclusions to authentication.
In Openfire 4.6.8, 4.7.5 and 4.8.0, the existing value that uses a wildcard in URL-patterns that define exclusions to authentication has been replaced by values that do not depend on a wildcard.
In Openfire 4.6.8, 4.7.5 and 4.8.0, Setup-specific URL-patterns that define exclusions to authentication are no longer active after the setup process has finished.
In Openfire 4.8.0, the embedded webserver will be updated to a version that no longer supports the non-standard URL encoding of UTF-16 characters.
In Openfire 4.8.0, the embedded webserver that serves the Openfire administrative console will bind to the loopback network interface by default.

Be aware that the new configuration properties can interfere with the functionality of certain Openfire plugins. This is especially true for plugins that bind a (web)endpoint to the embedded webserver that serves the Openfire administrative console, like current versions of the REST API plugin do. For these plugins to remain functional and/or reachable, it might be required to toggle the property adminConsole.access.allow-wildcards-in-excludes to true, and to avoid binding the embedded webserver to the loopback network interface only.

When your server uses older versions of the following plugins, make sure to upgrade them:

Random Avatar plugin, update to version 1.1.0 or later.
Monitoring Service plugin, update to version 2.5.0 or later.
HTTP File Upload plugin, update to version 1.3.0 or later.

Mitigation

If an Openfire upgrade isn’t available for your release, or isn’t quickly actionable, you can take any of the following steps to mitigate the risk for your Openfire environment.

Be aware: through Openfire plugins, the effectiveness of some mitigations listed below can be reduced, while other mitigations might affect the functionality of plugins. Particular care should be taken when using the Monitoring Service plugin, REST API plugin, User Service plugin and/or Random Avatar plugin.

Restrict network access

Use network security measures (network ACLs and/or firewalls, VPNs) to ensure only trusted members of your community have access to the Openfire Admin Console. As a general rule, never expose the Openfire Admin Console to the general internet.

Examples: * On a linux machine running ufw, deny ports 9090 and 9091 on non-loopback interfaces * On a Windows machine, restrict the rules that open ports 9090 and 9091 to only allow traffic from the IPv4 and/or IPv6 loopback addresses * On AWS cloud infrastructure, use EC2 Security Groups to restrict ports 9090 and 9091 to trusted IP addresses. If the trusted range is necessarily too broad, consider opening and closing the ports only as necessary * If using Docker, instead of docker run ... -p 5222:5222 -p 9090:9090 -p 9091:9091 openfire prevent remote access to the Admin Console with docker run ... -p 5222:5222 -p 127.0.0.1:9090:9090 -p 127.0.0.1:9091:9091 openfire

Modify runtime configuration file

To close the avenue of potential attack, a runtime configuration file of Openfire can be modified.

In Openfire's installation directory, find the file plugins/admin/webapp/WEB-INF/web.xml. After creating a backup of this file, edit the original file.

The content of this file is XML. Find a <filter> element, that contains the <filter-name>AuthCheck</filter-name> child element. Depending on your version of Openfire, it will look similar to this:

xml <filter> <filter-name>AuthCheck</filter-name> <filter-class>org.jivesoftware.admin.AuthCheckFilter</filter-class> <init-param> <param-name>excludes</param-name> <param-value> login.jsp,index.jsp?logout=true,setup/index.jsp,setup/setup-*,.gif,.png,error-serverdown.jsp,loginToken.jsp </param-value> </init-param> </filter> The value inside of the param-value element is a comma-separated list of values. From this list, remove all * (asterisk) characters.

Save the file, and restart Openfire for the change to take effect.

Note that no guarantees can be given that this runtime configuration change persists over time. Ensure to monitor the presence of the fix. It is recommended to upgrade to a safe version of Openfire as soon as possible.

A side-effect of this change is that the Openfire web-based setup wizard will not function properly (functionality can be restored by reverting the change). This wizard is typically used only when initially installing Openfire.

Bind admin console to loopback interface

The Openfire admin console is a web-based application. By default, the corresponding webserver (that is embedded in Openfire) binds to all network interfaces of the host that it is running on.

The admin console can be configured to bind to a specific network interface. This will prevent it from being accessed through other network interfaces. By configuring the admin console to bind to the local loopback interface, it is accessible only to users on the server itself. This reduces the avenue of attack.

Note that several Openfire plugins expose part or all of their functionality through the admin console webserver. The REST API plugin, for example, serves its endpoints via this webserver. Availability of this functionality will be affected by binding the webserver to a specific network interface.

To bind the webserver of the Openfire admin console to a specific network interface, the 'openfire.xml' configuration file can be used.

In Openfire's installation directory, locate the file conf/openfire.xml. After creating a backup of this file, edit the original file.

The content of this file is XML. Find the <adminConsole> element that is a direct child element of the root <jive> element. Add a new element, named <interface> as a child element of <adminConsole>. The value of the <interface> element should be the name of the loopback interface or interface address. Setting value to 127.0.0.1 works on all tested environments (using values like lo on most Linux systems or lo0 on macOS will have the same effect).

The resulting fragment of the openfire.xml file will look similar to this:

```xml

127.0.0.1 9090 9091

... ```

Save the file, and restart Openfire for the change to take effect.

Use AuthFilterSanitizer plugin

The Ignite Realtime community has made available a new plugin, called the AuthFilterSanitizer plugin. The plugin can be installed from the Openfire admin console, or can be downloaded from the plugin's archive page on the IgniteRealtime.org community website.

This plugin periodically removes entries for Openfire's authentication filter that are susceptible to abuse, closing the avenue of potential attack.

Note that this plugin might interfere with functionality that depends on the abuse-susceptible entries in the authentication filter that might be provided by plugins.

Credit

This issue was originally reported by Siebene@ who has our gratitude for the responsible and detailed disclosure of the issue!

We are grateful for the resources made available by Surevine ltd. They were instrumental in addressing the issue listed in this advisory.

References

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.igniterealtime.openfire:xmppserver"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.10.0"
            },
            {
              "fixed": "4.6.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.igniterealtime.openfire:xmppserver"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.7.0"
            },
            {
              "fixed": "4.7.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-32315"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-05-23T19:54:30Z",
    "nvd_published_at": "2023-05-26T23:15:16Z",
    "severity": "HIGH"
  },
  "details": "An important security issue affects a range of versions of Openfire, the cross-platform real-time collaboration server based on the XMPP protocol that is created by the Ignite Realtime community. \n\n### Impact\nOpenfire\u0027s administrative console (the Admin Console), a web-based application, was found to be vulnerable to a path traversal attack via the setup environment. This permitted an unauthenticated user to use the unauthenticated Openfire Setup Environment in an already configured Openfire environment to access restricted pages in the Openfire Admin Console reserved for administrative users.\n\n### Cause\nPath traversal protections were already in place to protect against exactly this kind of attack, but didn\u2019t defend against certain non-standard URL encoding for UTF-16 characters, that were not supported by the embedded webserver that was in use at the time.\n\nA later upgrade of the embedded webserver included support for non-standard URL encoding of UTF-16 characters. The path traversal protections in place in Openfire were not updated to include protection against this new encoding. \n\nOpenfire\u0027s API defines a mechanism for certain URLs to be excluded from web authentication (this, for example, is used for the login page). This mechanism allows for wildcards to be used, to allow for flexible URL pattern matching.\n\nThe combination of the wildcard pattern matching and path traversal vulnerability allows a malicious user to bypass authentication requirements for Admin Console pages.\n\n### Affected versions\nThis vulnerability affects all versions of Openfire that have been released since April 2015, starting with version 3.10.0. The problem has been patched in Openfire release 4.7.5 and 4.6.8, and further improvements will be included in the yet-to-be released first version on the 4.8 branch (which is expected to be version 4.8.0).\n\n### Problem Reproduction\nTo test if an instance of Openfire is affected, follow these steps. Open a browser in incognito mode, or otherwise ensure that there is no authenticated session with the Openfire admin console. Open the following URL (possibly modified for the hostname of the server that is running Openfire):\n\n```http://localhost:9090/setup/setup-s/%u002e%u002e/%u002e%u002e/log.jsp```\n\nIf this shows part of the openfire logfiles, then the instance of Openfire is affected by this vulnerability. Note that different versions of Openfire will show a different layout. Newer versions of Openfire can be expected to show log files on a dark background, while older versions will show a largely white page. (Depending on the content of the log file, this page might be empty, apart from a header!)\n\nIf there\u0027s a redirect to the login page, the instance is likely unaffected.\n\n### Problem Resolution\nThe problem has been patched in [Openfire release 4.7.5 and 4.6.8](https://www.igniterealtime.org/downloads/#openfire), and further improvements will be included in the yet-to-be released first version on the 4.8 branch (which is expected to be version 4.8.0).\n\n- In Openfire 4.6.8, 4.7.5 and 4.8.0, Path Traversal pattern detection has been improved to include detection of non-standard URL encodings, preventing any non UTF-8 characters.\n- In Openfire 4.6.8, 4.7.5 and 4.8.0, a new configuration property (`adminConsole.access.allow-wildcards-in-excludes`) is introduced that controls the permissibility of using wildcards in URL-patterns that define exclusions to authentication.\n- In Openfire 4.6.8, 4.7.5 and 4.8.0, the existing value that uses a wildcard in URL-patterns that define exclusions to authentication has been replaced by values that do not depend on a wildcard.\n- In Openfire 4.6.8, 4.7.5 and 4.8.0, Setup-specific URL-patterns that define exclusions to authentication are no longer active after the setup process has finished.\n- In Openfire 4.8.0, the embedded webserver will be updated to a version that no longer supports the non-standard URL encoding of UTF-16 characters.\n- In Openfire 4.8.0, the embedded webserver that serves the Openfire administrative console will bind to the loopback network interface by default.\n\nBe aware that the new configuration properties can interfere with the functionality of certain Openfire plugins. This is especially true for plugins that bind a (web)endpoint to the embedded webserver that serves the Openfire administrative console, like current versions of the REST API plugin do. For these plugins to remain functional and/or reachable, it might be required to toggle the property `adminConsole.access.allow-wildcards-in-excludes` to `true`, and to avoid binding the embedded webserver to the loopback network interface only.\n\nWhen your server uses older versions of the following plugins, make sure to upgrade them:\n\n- [Random Avatar plugin](https://www.igniterealtime.org/projects/openfire/plugin-archive.jsp?plugin=randomavatar), update to version 1.1.0 or later.\n- [Monitoring Service plugin](https://www.igniterealtime.org/projects/openfire/plugin-archive.jsp?plugin=monitoring), update to version 2.5.0 or later.\n- [HTTP File Upload plugin](https://www.igniterealtime.org/projects/openfire/plugin-archive.jsp?plugin=httpfileupload), update to version 1.3.0 or later.\n\n### Mitigation\nIf an Openfire upgrade isn\u2019t available for your release, or isn\u2019t quickly actionable, you can take any of the following steps to mitigate the risk for your Openfire environment.\n\nBe aware: through Openfire plugins, the effectiveness of some mitigations listed below can be reduced, while other mitigations might affect the functionality of plugins. Particular care should be taken when using the Monitoring Service plugin, REST API plugin, User Service plugin and/or Random Avatar plugin.\n\n#### Restrict network access\nUse network security measures (network ACLs and/or firewalls, VPNs) to ensure only trusted members of your community have access to the Openfire Admin Console. As a general rule, never expose the Openfire Admin Console to the general internet.\n\nExamples:\n* On a linux machine running `ufw`, deny ports 9090 and 9091 on non-loopback interfaces\n* On a Windows machine, restrict the rules that open ports 9090 and 9091 to only allow traffic from the IPv4 and/or IPv6 loopback addresses\n* On AWS cloud infrastructure, use EC2 Security Groups to restrict ports 9090 and 9091 to trusted IP addresses. If the trusted range is necessarily too broad, consider opening and closing the ports only as necessary\n* If using Docker, instead of `docker run ... -p 5222:5222 -p 9090:9090 -p 9091:9091 openfire` prevent remote access to the Admin Console with `docker run ... -p 5222:5222 -p 127.0.0.1:9090:9090 -p 127.0.0.1:9091:9091 openfire`\n\n\n#### Modify runtime configuration file\nTo close the avenue of potential attack, a runtime configuration file of Openfire can be modified.\n\nIn Openfire\u0027s installation directory, find the file `plugins/admin/webapp/WEB-INF/web.xml`. After creating a backup of this file, edit the original file.\n\nThe content of this file is XML. Find a `\u003cfilter\u003e` element, that contains the `\u003cfilter-name\u003eAuthCheck\u003c/filter-name\u003e` child element. Depending on your version of Openfire, it will look similar to this:\n\n```xml\n\u003cfilter\u003e\n    \u003cfilter-name\u003eAuthCheck\u003c/filter-name\u003e\n    \u003cfilter-class\u003eorg.jivesoftware.admin.AuthCheckFilter\u003c/filter-class\u003e\n    \u003cinit-param\u003e\n        \u003cparam-name\u003eexcludes\u003c/param-name\u003e\n        \u003cparam-value\u003e\n            login.jsp,index.jsp?logout=true,setup/index.jsp,setup/setup-*,.gif,.png,error-serverdown.jsp,loginToken.jsp\n        \u003c/param-value\u003e\n    \u003c/init-param\u003e\n\u003c/filter\u003e\n```\nThe value inside of the `param-value` element is a comma-separated list of values. From this list, remove all `*` (asterisk) characters.\n\nSave the file, and restart Openfire for the change to take effect.\n\nNote that no guarantees can be given that this runtime configuration change persists over time. Ensure to monitor the presence of the fix. It is recommended to upgrade to a safe version of Openfire as soon as possible.\n\nA side-effect of this change is that the Openfire web-based setup wizard will not function properly (functionality can be restored by reverting the change). This wizard is typically used only when initially installing Openfire.\n\n#### Bind admin console to loopback interface\nThe Openfire admin console is a web-based application. By default, the corresponding webserver (that is embedded in Openfire) binds to all network interfaces of the host that it is running on.\n\nThe admin console can be configured to bind to a specific network interface. This will prevent it from being accessed through other network interfaces. By configuring the admin console to bind to the local loopback interface, it is accessible only to users on the server itself. This reduces the avenue of attack.\n\nNote that several Openfire plugins expose part or all of their functionality through the admin console webserver. The REST API plugin, for example, serves its endpoints via this webserver. Availability of this functionality will be affected by binding the webserver to a specific network interface.\n\nTo bind the webserver of the Openfire admin console to a specific network interface, the \u0027openfire.xml\u0027 configuration file can be used.\n\nIn Openfire\u0027s installation directory, locate the file `conf/openfire.xml`. After creating a backup of this file, edit the original file.\n\nThe content of this file is XML. Find the `\u003cadminConsole\u003e` element that is a direct child element of the root `\u003cjive\u003e` element. Add a new element, named `\u003cinterface\u003e` as a child element of `\u003cadminConsole\u003e`. The value of the `\u003cinterface\u003e` element should be the name of the loopback interface or interface address. Setting value to `127.0.0.1` works on all tested environments (using values like  `lo` on most Linux systems or `lo0` on macOS will have the same effect).\n\nThe resulting fragment of the `openfire.xml` file will look similar to this:\n\n```xml\n\u003c?xml version=\"1.0\" encoding=\"UTF-8\"?\u003e\n\u003cjive\u003e\n  \u003cadminConsole\u003e\n      \u003cinterface\u003e127.0.0.1\u003c/interface\u003e\n      \u003cport\u003e9090\u003c/port\u003e\n      \u003csecurePort\u003e9091\u003c/securePort\u003e\n  \u003c/adminConsole\u003e\n\n  ...\n```\n\nSave the file, and restart Openfire for the change to take effect.\n\n#### Use AuthFilterSanitizer plugin\n\nThe Ignite Realtime community has made available a new plugin, called the AuthFilterSanitizer plugin. The plugin can be installed from the Openfire admin console, or can be downloaded from [the plugin\u0027s archive page](https://www.igniterealtime.org/projects/openfire/plugin-archive.jsp?plugin=authfiltersanitizer) on the IgniteRealtime.org community website.\n\nThis plugin periodically removes entries for Openfire\u0027s authentication filter that are susceptible to abuse, closing the avenue of potential attack.\n\nNote that this plugin might interfere with functionality that depends on the abuse-susceptible entries in the authentication filter that might be provided by plugins.\n\n### Credit\n\nThis issue was originally reported by Siebene@ who has our gratitude for the responsible and detailed disclosure of the issue! \n\nWe are grateful for the resources made available by Surevine ltd. They were instrumental in addressing the issue listed in this advisory.\n\n### References\n- [Ignite Realtime community site](https://www.igniterealtime.org/)\n- [Openfire releases download page](https://www.igniterealtime.org/downloads/#openfire)\n- [Openfire AuthFilter Sanitizer plugin releases download page](https://www.igniterealtime.org/projects/openfire/plugin-archive.jsp?plugin=authfiltersanitizer)\n- [Openfire HTTP File Upload plugin releases download page](https://www.igniterealtime.org/projects/openfire/plugin-archive.jsp?plugin=httpfileupload)\n- [Openfire Monitoring Service plugin releases download page](https://www.igniterealtime.org/projects/openfire/plugin-archive.jsp?plugin=monitoring)\n- [Openfire Random Avatar plugin releases download page](https://www.igniterealtime.org/projects/openfire/plugin-archive.jsp?plugin=randomavatar)\n- [OWASP: Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n- [Wikipedia: URL encoding, section \u0027Non-standard implementations\u0027](https://en.wikipedia.org/wiki/URL_encoding#Non-standard_implementations)\n- [Issue OF-2595 in Openfire\u0027s issue tracker](https://igniterealtime.atlassian.net/browse/OF-2595)\n- [Jetty CVE-2021-34429](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34429)",
  "id": "GHSA-gw42-f939-fhvm",
  "modified": "2023-07-20T18:57:26Z",
  "published": "2023-05-23T19:54:30Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/igniterealtime/Openfire/security/advisories/GHSA-gw42-f939-fhvm"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32315"
    },
    {
      "type": "WEB",
      "url": "https://github.com/igniterealtime/Openfire/commit/2ac00a1ff42f5d3547ef58e21f8cdec992bfcf97"
    },
    {
      "type": "WEB",
      "url": "https://github.com/igniterealtime/Openfire/commit/71f3def2adeaac62729cf544b645c6819c3d9868"
    },
    {
      "type": "WEB",
      "url": "https://github.com/igniterealtime/Openfire/commit/a3b5ebd5032ff7be9d3ada5bf52bea2df96ec881"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/igniterealtime/Openfire"
    },
    {
      "type": "WEB",
      "url": "https://github.com/igniterealtime/Openfire/releases/tag/v4.6.8"
    },
    {
      "type": "WEB",
      "url": "https://github.com/igniterealtime/Openfire/releases/tag/v4.7.5"
    },
    {
      "type": "WEB",
      "url": "https://igniterealtime.atlassian.net/browse/OF-2595"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/173607/Openfire-Authentication-Bypass-Remote-Code-Execution.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Administration Console authentication bypass in openfire xmppserver"
}

gsd-2023-32315

Vulnerability from gsd

Modified

2023-12-13 01:20

Details

Aliases

CVE-2023-32315

Aliases

CVE-2023-32315

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2023-32315",
    "id": "GSD-2023-32315"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2023-32315"
      ],
      "details": "Openfire is an XMPP server licensed under the Open Source Apache License. Openfire\u0027s administrative console, a web-based application, was found to be vulnerable to a path traversal attack via the setup environment. This permitted an unauthenticated user to use the unauthenticated Openfire Setup Environment in an already configured Openfire environment to access restricted pages in the Openfire Admin Console reserved for administrative users. This vulnerability affects all versions of Openfire that have been released since April 2015, starting with version 3.10.0. The problem has been patched in Openfire release 4.7.5 and 4.6.8, and further improvements will be included in the yet-to-be released first version on the 4.8 branch (which is expected to be version 4.8.0). Users are advised to upgrade. If an Openfire upgrade isn\u2019t available for a specific release, or isn\u2019t quickly actionable, users may see the linked github advisory (GHSA-gw42-f939-fhvm) for mitigation advice.",
      "id": "GSD-2023-32315",
      "modified": "2023-12-13T01:20:23.451915Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2023-32315",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Openfire",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "\u003e= 3.10.0, \u003c 4.6.8"
                        },
                        {
                          "version_affected": "=",
                          "version_value": "\u003e= 4.7.0, \u003c 4.7.5"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "igniterealtime"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Openfire is an XMPP server licensed under the Open Source Apache License. Openfire\u0027s administrative console, a web-based application, was found to be vulnerable to a path traversal attack via the setup environment. This permitted an unauthenticated user to use the unauthenticated Openfire Setup Environment in an already configured Openfire environment to access restricted pages in the Openfire Admin Console reserved for administrative users. This vulnerability affects all versions of Openfire that have been released since April 2015, starting with version 3.10.0. The problem has been patched in Openfire release 4.7.5 and 4.6.8, and further improvements will be included in the yet-to-be released first version on the 4.8 branch (which is expected to be version 4.8.0). Users are advised to upgrade. If an Openfire upgrade isn\u2019t available for a specific release, or isn\u2019t quickly actionable, users may see the linked github advisory (GHSA-gw42-f939-fhvm) for mitigation advice."
          }
        ]
      },
      "impact": {
        "cvss": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 8.6,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
            "version": "3.1"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-22",
                "lang": "eng",
                "value": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/igniterealtime/Openfire/security/advisories/GHSA-gw42-f939-fhvm",
            "refsource": "MISC",
            "url": "https://github.com/igniterealtime/Openfire/security/advisories/GHSA-gw42-f939-fhvm"
          },
          {
            "name": "http://packetstormsecurity.com/files/173607/Openfire-Authentication-Bypass-Remote-Code-Execution.html",
            "refsource": "MISC",
            "url": "http://packetstormsecurity.com/files/173607/Openfire-Authentication-Bypass-Remote-Code-Execution.html"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-gw42-f939-fhvm",
        "discovery": "UNKNOWN"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "[3.10.0,4.6.8),[4.7.0.,4.7.5)",
          "affected_versions": "All versions starting from 3.10.0 before 4.6.8, all versions starting from 4.7.0. before 4.7.5",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-22",
            "CWE-937"
          ],
          "date": "2023-07-21",
          "description": "Openfire is an XMPP server licensed under the Open Source Apache License. Openfire\u0027s administrative console, a web-based application, was found to be vulnerable to a path traversal attack via the setup environment. This permitted an unauthenticated user to use the unauthenticated Openfire Setup Environment in an already configured Openfire environment to access restricted pages in the Openfire Admin Console reserved for administrative users. This vulnerability affects all versions of Openfire that have been released since April 2015, starting with version 3.10.0. The problem has been patched in Openfire release 4.7.5 and 4.6.8, and further improvements will be included in the yet-to-be released first version on the 4.8 branch (which is expected to be version 4.8.0). Users are advised to upgrade. If an Openfire upgrade isn\u2019t available for a specific release, or isn\u2019t quickly actionable, users may see the linked github advisory (GHSA-gw42-f939-fhvm) for mitigation advice.",
          "fixed_versions": [
            "4.6.8",
            "4.7.5"
          ],
          "identifier": "CVE-2023-32315",
          "identifiers": [
            "CVE-2023-32315",
            "GHSA-gw42-f939-fhvm"
          ],
          "not_impacted": "",
          "package_slug": "maven/org.igniterealtime.openfire/distribution",
          "pubdate": "2023-05-26",
          "solution": "Upgrade to versions 4.6.8, 4.7.5 or above.",
          "title": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2023-32315",
            "https://github.com/igniterealtime/Openfire/security/advisories/GHSA-gw42-f939-fhvm"
          ],
          "uuid": "5e43284d-0ecc-46ee-a585-aedb5a2cd8ab"
        },
        {
          "affected_range": "[3.10.0,4.6.8),[4.7.0,4.7.5)",
          "affected_versions": "All versions starting from 3.10.0 before 4.6.8, all versions starting from 4.7.0 before 4.7.5",
          "cwe_ids": [
            "CWE-1035",
            "CWE-707",
            "CWE-937"
          ],
          "date": "2023-05-23",
          "description": "Improper Neutralization in org.igniterealtime.openfire:xmppserver.",
          "fixed_versions": [
            "4.6.8",
            "4.7.5"
          ],
          "identifier": "CVE-2023-32315",
          "identifiers": [
            "GHSA-gw42-f939-fhvm",
            "CVE-2023-32315"
          ],
          "not_impacted": "All versions before 3.10.0, all versions starting from 4.6.8 before 4.7.0, all versions starting from 4.7.5",
          "package_slug": "maven/org.igniterealtime.openfire/xmppserver",
          "pubdate": "2023-05-23",
          "solution": "Upgrade to versions 4.6.8, 4.7.5 or above.",
          "title": "Improper Neutralization",
          "urls": [
            "https://github.com/igniterealtime/Openfire/security/advisories/GHSA-gw42-f939-fhvm",
            "https://github.com/igniterealtime/Openfire/commit/2ac00a1ff42f5d3547ef58e21f8cdec992bfcf97",
            "https://github.com/igniterealtime/Openfire/commit/71f3def2adeaac62729cf544b645c6819c3d9868",
            "https://github.com/igniterealtime/Openfire/commit/a3b5ebd5032ff7be9d3ada5bf52bea2df96ec881",
            "https://github.com/igniterealtime/Openfire/releases/tag/v4.6.8",
            "https://github.com/igniterealtime/Openfire/releases/tag/v4.7.5",
            "https://igniterealtime.atlassian.net/browse/OF-2595",
            "https://github.com/advisories/GHSA-gw42-f939-fhvm"
          ],
          "uuid": "4031fd00-a7c0-43bc-a8c4-cd642555649b"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:igniterealtime:openfire:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "4.7.5",
                "versionStartIncluding": "4.7.0.",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:igniterealtime:openfire:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "4.6.8",
                "versionStartIncluding": "3.10.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2023-32315"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Openfire is an XMPP server licensed under the Open Source Apache License. Openfire\u0027s administrative console, a web-based application, was found to be vulnerable to a path traversal attack via the setup environment. This permitted an unauthenticated user to use the unauthenticated Openfire Setup Environment in an already configured Openfire environment to access restricted pages in the Openfire Admin Console reserved for administrative users. This vulnerability affects all versions of Openfire that have been released since April 2015, starting with version 3.10.0. The problem has been patched in Openfire release 4.7.5 and 4.6.8, and further improvements will be included in the yet-to-be released first version on the 4.8 branch (which is expected to be version 4.8.0). Users are advised to upgrade. If an Openfire upgrade isn\u2019t available for a specific release, or isn\u2019t quickly actionable, users may see the linked github advisory (GHSA-gw42-f939-fhvm) for mitigation advice."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-22"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/igniterealtime/Openfire/security/advisories/GHSA-gw42-f939-fhvm",
              "refsource": "MISC",
              "tags": [
                "Exploit",
                "Mitigation",
                "Patch",
                "Vendor Advisory"
              ],
              "url": "https://github.com/igniterealtime/Openfire/security/advisories/GHSA-gw42-f939-fhvm"
            },
            {
              "name": "http://packetstormsecurity.com/files/173607/Openfire-Authentication-Bypass-Remote-Code-Execution.html",
              "refsource": "MISC",
              "tags": [
                "Exploit",
                "Third Party Advisory",
                "VDB Entry"
              ],
              "url": "http://packetstormsecurity.com/files/173607/Openfire-Authentication-Bypass-Remote-Code-Execution.html"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      },
      "lastModifiedDate": "2023-07-21T19:21Z",
      "publishedDate": "2023-05-26T23:15Z"
    }
  }
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2023-32315 (GCVE-0-2023-32315)

Vulnerability from cvelistv5

CISA Known exploited vulnerability

Data from the Known Exploited Vulnerabilities Catalog

fkie_cve-2023-32315

Vulnerability from fkie_nvd

ghsa-gw42-f939-fhvm

Vulnerability from github

Impact

Cause

Affected versions

Problem Reproduction

Problem Resolution

Mitigation

Restrict network access

Modify runtime configuration file

Bind admin console to loopback interface

Use AuthFilterSanitizer plugin

Credit

References

gsd-2023-32315

Vulnerability from gsd

Tags

Sightings

Nomenclature